23542300x8000000000000000320271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.591{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A621B8FAD832764B794B8E91043F993,SHA256=CA62C8E5D89362086534735B3AC31C9FB599BDA52534E770D2AA158D64F50BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.410{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023EAC74833A625AD1FF676654E00E1,SHA256=7F7702B9A401BCBE13BE0B60F432BDCCCBF33CBA05F6B0BFFA037951AAE6EFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.008{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.238{45AAC21C-B353-63D3-A903-00000000BC02}60483292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.062{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.014{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49E038AC08E30C91BED56E8D4CE64EDA,SHA256=D9CF0DD7C6BF58C748AC98C7B30FBF0AD19F46182F032A12A6A7F2D67A522CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:48.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4C4F082969EAD567A2D61BAFB31615,SHA256=3400367DAE731A6AB70E62A4676F25BD706C4C6AC78D8363BFA0EC977BC40BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:44.707{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.501{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B987C5074B18BB08197DCC4C8C3FA7,SHA256=750174A362ED86C94FCAA64F39778D3A745A57B47685FD341A11F164B529A4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.080{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DEA663624D00EA97EE6E1820AFA363,SHA256=B6C036D089F2F489341C2D28819A1A3F2345CACC7C51C028B4A1F86E911F1BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:49.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18E65A5359D32DA150C7B1F1E093D7D,SHA256=0150794E3C51A7BC1EF13C4D2E8BC1772C2668DF54D3553CA57D2E9F811A7A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.922{45AAC21C-B355-63D3-AB03-00000000BC02}42125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.720{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51C12ABE99C8E1D12ECF2650E195465,SHA256=046E99F748FE0399CC2839429093883ACA7EFFF31F4B8BF055558D4F148F2435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:46.294{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50921-false10.0.1.12-8000- 10341000x8000000000000000446597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.380{45AAC21C-B355-63D3-AA03-00000000BC02}24284872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.190{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:50.990{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45B7EF8698BF101EDDF9BBF548307C,SHA256=41E6E195FAA5CD48DB1B83D6A9C406F2B84A19B801BF8CCBD0F42A57176B7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.676{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544352C22D8C5ACD396C58D4AA1AF4A5,SHA256=AD57D1425138AA3C4C69DAF113FB1F1147B714AC033AD811FCC928AAB7E94D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.558{45AAC21C-B356-63D3-AC03-00000000BC02}26242476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.348{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021F65E070621DF26671610B5746422A,SHA256=1A0C27892C4D8B5523844ADE7C7DC77A145F593F1B5D50FF8BD2DA4273CB0131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.765{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.887{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA218BC0F77EA73D2FED573FA777FB77,SHA256=0AE3EB12AD8C58A7319D078E062A28AFDB8601DD77B00DE1507C029B2DF97A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.871{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE60FEBB0F67C1FD440190B8379B0AF,SHA256=045AB78164686D9184CA170FFA8E92B27E759CE2E37CC675906F12B4A40AE0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:52.189{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C35B21B785C3FAE91C1C74F82C69D8,SHA256=0CE5A22F6A5D713A390663FD2E144CB83944578634E629700EEA71AB12AFF4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:53.953{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9A8C183C267EB3A824BAED154BF0F2,SHA256=81150A142DD4D263210E3F9CA2FB07517DD5C650F8D9DABA6F043B73D286A11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.932{72106695-B359-63D3-9303-00000000BD02}54366036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.267{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF59E0EFC33F1405B067824FFC6CC7,SHA256=9392D22C9E2A676A28D1CB98D1167EDF680DEB48C5C249784F7AB19BB1F63345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:51.299{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50922-false10.0.1.12-8000- 10341000x8000000000000000320305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.813{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2288417BB9988ECE2255FD1A9E8FD5,SHA256=9DD96A86AD2DCF0ED036EBA1D6042DC442980C40AABD904AF152FA1385E859C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.578{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=72A1A06454ECCBA4A9F8B6FFA072B9B1,SHA256=0D4B0B64C04D9B7FABA8BE3D42FE3DDF20F3F9C392A05DC5A856F25CB5BD8F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.356{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344CE91AC907E2DF781E2102B1FF895,SHA256=16417B8417B585AAD35985AB3901FABA405DB9DB7A6923473843075A5A2A0EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.844{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.139{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.953{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.515{72106695-B35B-63D3-9603-00000000BD02}56885412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.456{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4363C020AA16C43286C8B2FA7EB1A58,SHA256=AEE286FAE4ED1781C7A8155D766C5E3EA169CBB637F1DC8BE3915679FAC8C748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.057{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912D4B7651B5E558B837AE0BFC11EA0E,SHA256=D636B4EDC329EC0C2EB74172D264FC7EDB710E9195DA56FF77A7C3286632B4C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.316{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.764{72106695-B35C-63D3-9803-00000000BD02}15525404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.576{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.572{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.536{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D626B972B58A57ED56DF5E4ACBCE26,SHA256=87AE8B86D9885391F461A57698A3A1FE8A7920135F564FC27CBA448F384465A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:56.152{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844036460BB11AC88B00E8A5D489382,SHA256=F0FEBC53D896773850681361DD5E44A6634DE3EB81B0E4494B27DF4274042BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.143{72106695-B35B-63D3-9703-00000000BD02}18563160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.731{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD65C2EB810E79DD89FD3B8A7FA514,SHA256=E2F48613E1B967A15D1F743946B6F5656A5C4898447CBBBD80BA8071E449449B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:57.238{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C181F66862CFA7F86EE4D0E2A3DF5565,SHA256=391DF69A3261BC900EF190D3D620B7ACEC4F402AA6E5892ABF853780ACF2FDB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.125{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.822{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F923ABC6AADC550184E088715CE7A75,SHA256=E28F91A7A25DE60CF8D30957E4D3FC1280FF724ACED23F658D3B09E72CD5E077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.520{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50923-false10.0.1.12-8000- 23542300x8000000000000000446635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:58.311{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B6B434E97602DEE9B79C461EF27D72,SHA256=81D42A3A0789D69D4274E38356C3338EF8A80E37145D0A155C6A1D2D4A40C1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.453{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=975A04F65D3768A74817E995DB334013,SHA256=7B19DC295CD51EBFE4779AAB375AD4500ED6CA1957D4568032C8F9E6E7528A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.768{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:59.918{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19E9F10A313B9FC032AA72C9801C78,SHA256=DF7538E95DE4EC8FBC8A5FF80064B2A90F0BDD403FBE3D3435ACC2996354D359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.532{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.496{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.414{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.403{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.393{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809AC2930A49C97F440A7447ABAF52F3,SHA256=48FBED29F86C35F5D02F971712435C07E3C5161EAF0FFEB4FC31A24AF6822F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.425{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369729BB0FAEF8F39C3F0102C559E9D4,SHA256=CA5583426D7107B0500A8BA64A973252F53E8B8A3D8B5ACF4A56ED7070E47E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.754{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.739{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.737{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.696{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.685{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.666{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.660{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.658{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.655{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.642{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.640{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.635{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.625{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.619{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.610{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.607{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.560{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.554{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.536{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.470{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.455{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.432{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.414{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.381{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.375{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.366{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.350{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.336{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.325{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.323{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000446660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.109{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.104{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.102{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.503{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914A25976215888BE772BBA02E50509,SHA256=41EB8D549237BA3B30F676A89678D0F6FCC33ED1DA3505BCC644B6925A13BA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:01.159{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF0CEC9F1E39B711B85338CE43941C,SHA256=CA77D3C09404D1D32B7E3740FD3690D3CBA4BE8B2008ACF037505ECAD3E4DDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.791{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.724{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.714{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.698{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.695{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.693{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.691{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.689{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77697FD3EAD7EC6D7AB80AD51A954050,SHA256=33C0C49692860CD30B72FC935A34936DF6FB00B3672AB7ED910C1666A1DE4F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBBBC1077461D1147C051F5145626F,SHA256=CE245D9400821905FA30E301F92458FAA7C0F4A4168E0808A218FB77B0201AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.182{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.167{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.157{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:03.786{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDDF6CE945761C6CDDE99348EB3B62,SHA256=E5BE8931F5439B6AC75722D4B4B3B0484CF0BA8F9F31EFAFB2E38FD6E73645B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:03.377{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAE62C2D587899173D18BD06A6CBF0B,SHA256=85AB44A2EE3C1CFC8D8A171C3F57690F9C7C205CAE3D315606991A835883D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8FB7C775C27EBFA925E443936B16F,SHA256=74EC877D7A5B6E664B1199DC60C146A05A5D1E765426020C804ED5B631D0F862,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50924-false10.0.1.12-8000- 10341000x8000000000000000320390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.728{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AD5B64C89D843E32477BE313F40491,SHA256=BF250D13C2F5AFEA21F26CE08359FE4920CF78A8BAEEBBC3E2ECCD43AE223186,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.742{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.113{45AAC21C-9B96-63D3-2E00-00000000BC02}2804NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_C64_5811_6457_FFBE\fsr00007.logMD5=AF4D225B60B65DEA33EF59F92EBCFC6A,SHA256=3FE807AB4B2509D9D058FC62DBB74CDEE8B5C3A1A66265522AF542733FAAA3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.004{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-098MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:05.575{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21325CC461ECBD7F1B42A80F166B159C,SHA256=23B91CC7D5A3CDE9933F1BC1EBCA065F62161716AA19047FD3A21A7AF5517F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:05.002{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.662{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8265681E334A63291C331EE4F28092C,SHA256=F5B79387570EEC18A4F08B9A74857237ED6842A057342C1335C55846220FCC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.082{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A7769EDE96FE7660080724390790B,SHA256=88C637D3854829779105BD58890111D0404EFD13863148F1AF6F0929C04DC439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:07.183{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8564C3AFF641AA446AF32BF3A20C371,SHA256=5BDB8ACE6D1CB827F2750BF5F845289563A5DCCC62132117A97A7045EA5CEBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:08.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A81FF8AB1071BDEAD4056D62ED7BB,SHA256=E6A4E4245D747D798CCE697F0A22374CEF2BE3FBE946DCD992CC0ED610617CFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.764{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:09.350{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E922C80D1CF4A2355D447E23FCCC4E,SHA256=84DB221F8B0D28E0667D123318F0E25F21699F7726657EAE26C1954EF5F5B074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:10.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E513B27BA5FF0D69AA099315387FF6A0,SHA256=4781856ACD93C760FAC7CF4D3F37BCD9C820BBF78202D7408F0A0BB6DDE21FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:11.550{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9466F704BA96F37B3F33D5727FE08360,SHA256=FDE9557173C0F01FA8FF07FBF94909F4EA5C8434A24FA7D7523AC3A56A143F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:08.288{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50925-false10.0.1.12-8000- 23542300x8000000000000000446696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.772{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9809CD800390A5833B300E23FEEA8F,SHA256=F5CDB888688E31B2B544552766010583F8D0DE861A77FFCB33F95D4AA659D6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:12.212{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D997E1000D3C66CAC338D026C922815F,SHA256=E33371C747D54570379AE7C805B15721EB430C6CB14F005DDF22FA6C83299DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:13.972{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA2179D21707514B31A80B8E43BF2B1,SHA256=314A7533AFA181185755CD281DE0945D5ACB2A5FDFB0379F6F6B29E6F5CECEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:13.294{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B58ED8A256B6E3D7B7DDC87B50B1B75,SHA256=1196F0725795CCBC55BF0B461DA7FE557B74882EAC78200A22ECA88426D7B51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.988{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38BB658FE45C9E1285EA9DA5714AAF94,SHA256=37FEF2E395189EFE806ED416C8AA81943A45D441E2307E6BCFC4E3F63A118AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.497{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF834B56BB8FAAC6DE3E0392A2B38,SHA256=F0D757CEEC755C7DC4AB94C7952EF5D4D674DA2E0C37490D7BA45FAD117C9579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:15.597{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F5C80A597C245A5C92EDD52469F81,SHA256=7516D294C77AA3BD1F38B76A9482A07B47E3C5F2C3A91970DBA338E9D888BC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.749{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:15.073{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D73BD1420EC1CCF1D0C06B41C6D90,SHA256=860D554570293B1025560A12EB3D3200E6C645DE79C4020939700C01277193E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:16.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697C2FA9065013EAFE0A5534AAFE673,SHA256=8ACCBFB169BB17FFD3488669E1999A9D0EFC273F49307648AF0B7A4E80E313E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148A156B8CDB6FED0B9C965AAE11B4DE,SHA256=80C39602CE011E89E03790653D17EAF96AF95AEC67AF664765DC01284167D348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.171{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E30F81A702F02EE3C1436A2BB3747475,SHA256=32488F6914C24F6982BD5C36FB6C181CAA1DF0CD20B639087CF649E9B91310B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.881{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589BA203A9B9DA662AFCC50702DE95E,SHA256=E05AAC730F3ED670B425FF57C04D5D59C4441BE6414B8E694C87DE192F2D4D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C158F6B532AF7D01E63C5499D4D5F8,SHA256=10B5C519619CBC34A2EA01DE0966592A1BD57E4FC8AA5855444C770978F91346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.236{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=25928559D4423478D19F40F1766D0278,SHA256=23348DDF1B9FDA908ED7F7B7FA37042469FCDCC0600919827A3BA0B546E06B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.301{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50926-false10.0.1.12-8000- 23542300x8000000000000000320433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:18.963{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CE1784E06077BEAEAFFFFE0933487,SHA256=B6AC6D87FE8C770A1F40DA86A7F0D329ACAF037A9F19B26C78518470AB18CA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:18.355{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0299BE4F53DB9885959DF4CA8BA469,SHA256=180C7D18F41B34C7867C9484922F859D99D612C0BEC2C5681923FC35B6EA95DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.662{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.640{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.637{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.635{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.569{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.526{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.516{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.440{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99BF484FECC762A344E47BF9C45F72,SHA256=B2644C8E0DC75B0BC74C920CE0DEEC17932181207CFA76F57C8D768E2F892810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.306{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000320471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.981{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.947{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.940{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.872{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.860{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.826{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.806{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.801{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.793{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.788{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.783{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.773{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.769{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.761{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.758{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.754{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.749{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.735{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.708{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.697{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.686{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.683{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.669{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.642{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.637{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.621{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.559{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.548{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.530{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.516{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.485{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.456{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.410{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.383{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.372{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.351{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.341{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.292{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF3B4307B3F9DF7A98DACD8BB44CAB7,SHA256=9814CD77D3AAB1E5E8F763234200A07CA4588832AD7441FC9EBC76620BFF1ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.458{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FFECA826B6DAACF9BC4DF4B23E9A8,SHA256=ACD93D3F09E5F57E03FC39CD2FA77FB2F7AFB9F11D9840A116A0E754B3C2D0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.402{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:21.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167133BD4097A67DD5A1BA0EC21EF1A,SHA256=0FE05383A4C89417455BBAE1E676833BE4466A4F4C9A2D6510335290DA407721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:21.455{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070AE7B0C375FC2DD63B5A39500DE660,SHA256=E10234872A05137FBE563D3009074F7D9BF70ADE1C541416E4C6EA92E9B0E766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:22.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB100E5C4CC3A64A3E10598E01E57D,SHA256=9A36B8B9EEC745A37DD0A683951CE24CB4D0480F19F9BEAF0BA07ECCC1239549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.994{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.978{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.967{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.964{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.963{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.960{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.537{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF2F00747C65A0DE28F8A0BA9DEC591,SHA256=A1B530D4D927B0F7DB94A44D7D836317A2DAF0A5669CC32AC3D5F21C9D9B847B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.297{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50927-false10.0.1.12-8000- 10341000x8000000000000000446737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.624{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041F866AE72EBE71FC1DDCEE7F5955C3,SHA256=46768719E538F2FF28E7F85E4E310086F226315586D0572AD9A1697EFB42CE1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.048{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.043{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.034{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.021{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:24.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5149845FCDA86CC30FD41E5C515B23,SHA256=A81C780D1C2DF3A3915DC4592ABBCB0BA0F671D1ED405BBB852E18CA3CF8333B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:24.063{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B8334773C8B2C23BEAA0865E2A2B5,SHA256=457BDCEF088E0C5DCD23E6824B3777AE85ACF40A9DCDB24AE01D50FD4F3C3748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:25.821{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185778E62DC01D6FAFAA339F73F0F172,SHA256=29817013BDF70C1406C4E1FC29D580B10C3F8C8944F8730623C85D97994AF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.166{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273F29BA69DF537AE328418F8D489F53,SHA256=353E19C93648070E7A1262439387A4683953D23B3907700C9DFB0BCDC883D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:26.272{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBC242640AA643BA55110CDD7DFA992,SHA256=2775E49D47F36A5550EE644C0AF15EA2C6EE578E201384DA36E2EFA62A5746C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.811{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.568{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D371484151D886A6ACBD93D6764528EC,SHA256=B837C371428EC780DEEB8B29C4311AA28BF01936B62435B9EB3FF41A0B96CE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.365{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF62233977A9AB38CD79C572FB21CA,SHA256=E4CA7411BB2E80ECDEDFAD79BDCE7E3CBA12D71A63784436EDC513382C3AF38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:27.022{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5388432452CD2823A8098381EA74622,SHA256=2AFAA8D4A8A2E0F1172CBC8AA94B55F750E1F56B4F6D1A8FF60B61781984F55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.346{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50928-false10.0.1.12-8000- 23542300x8000000000000000320484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:28.469{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012DE7CC1F704E0299FF8BA9B143A1D,SHA256=5FE772F986008AEE41EE048FC875E5CB6BFA3155EEB43F706CDEC2C5527095B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:28.329{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322E4AF7561D04AA447F12FBF594778F,SHA256=13B2220207780D5EE2EF72ECFA51752B8ADC04AF5360E49E214F742CD87D512E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:29.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4511EB127F2B21107892063983CB2FCB,SHA256=95FB90BF32D464425F1821798541795871D59802EC95122853BEB67D64BEDB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845243B512BD020D1F9D03DA2C843CEE,SHA256=EEB3615DF0096DB7A9A5977247536251D93E0E4109D0009C47C929FF4E49E9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:30.633{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FC20005AA9E78B2B085E899C9F9776,SHA256=F2B1122CD28225A8883108CB7DD8F8C07911A282F6B48A575C5909C231A09A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4056E579BEFFE78514372980C6743418,SHA256=4AFA19F43EE493F641C9FEE2FBDE0485D7E1BA55D681EB05462951F658B7DA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:31.762{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9EA80EFF591E32D7022CC40D12056A,SHA256=A98BBCD6AC7ED19630640EC7AB545A287A51CBBE12B40B32E51DF9FA73707BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34EAAD19544FA3D8FD83C30D63E148,SHA256=52F52C380B99DC81B33E010B697A876BEF2C09067F4C977C22058D1D9F035FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:32.972{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4056CC26C7816640C40735AEE4D4DBC,SHA256=673AFC48129EB5AD65CBD1D816D4488CE720529E01DCD5B3044C9DD93B46CA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C16E697FBA4F2265175A9DF2387EC3C,SHA256=BCF5993C99271B01B9A316DFC7A91A5C83888743D28500E1227CCC8A8A2FF448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50929-false10.0.1.12-8000- 354300x8000000000000000446763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.712{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:34.068{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391CC83E0E0EEFBA574010BB392CCF3A,SHA256=38B8F61070BAD51E53E7F5AFB8B2893CED17D7D9BC207498CB1D7AB9F9A975F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.066{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3E4CAF5D1FE25AB8E479CB31AD19D0,SHA256=0CC6C943F34ADEB736B2E0655BBE1B31E24F8399B31CF44D9A12A246E1284F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B4EC5BD6695FA92CF164849A4FB84,SHA256=C18832FD6BA099AC16293AA6282C0EA3E258943FE94F67B584034E0BABF32B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.120{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E99564E01E3F26A003DA70C9365B17,SHA256=568333C22FF091BB7C9F2016DF14C4EC3944DABAD30E1D7F8E9B0DBC24C49CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:36.258{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C1721AEBC953B14CD3809D4F23EFD,SHA256=4EA83FE52A1AD5988B8D51ABA9ADEE8D555A15109FC89DC4C428343CB082C2D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.750{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000446770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:36.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEBA81F63196920A5ACB21927C02CB5,SHA256=3B658500F689AB2807DF71F0049F079D126BAD2347A9606FC6801E2A1136F311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.511{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50930-false10.0.1.12-8000- 23542300x8000000000000000320494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:37.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1975795973E464A08EC6227D0116D5,SHA256=34811674FC5B03C0971623784792AF4A992BE50149B1CD85B069F7322EB508F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:37.300{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A267007CE075160D3E41171AFD5612D4,SHA256=3D39CED1AAF0C2B99A5539A367090C3310467F5416D365848A213B0C465D5BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local65358- 354300x8000000000000000446773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.344{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53380- 354300x8000000000000000446772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.343{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local59591- 23542300x8000000000000000320497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.755{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD533E7B19629F9ECCE3698CCEAD57D,SHA256=0723DD95B5307664CB4EDB1BEAABE960032665F1EB46D45A03A8D252E1FFC2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:38.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0965909D79DDD42587E6C264C9392982,SHA256=16D7E1CA0213733BDD4142840080627963A7639EE80242C034EECB0B8420FE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.793{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000446776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52025- 23542300x8000000000000000320498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:39.541{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E4301ED2BDFAE7D4E20A3350F6F9BE,SHA256=92B1CA082E5336EBD749F2D6B1DB5D68DEF303556C7074BEDB617D31F1B7E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.545{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.533{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.528{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.525{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.522{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.474{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.427{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.406{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.396{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.387{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.346{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8450BC877FFD3F7DB1D4F78E48288,SHA256=79525B30D4F6253F4050CEE1D594CEA4AB0B634E22B48C7005460EB2F61354E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.325{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.307{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.822{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.804{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.800{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.766{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.755{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.741{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.735{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.726{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.723{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.720{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.716{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.712{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.708{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000320524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.008{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50931-false10.0.1.12-8089- 10341000x8000000000000000320523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.698{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.693{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.685{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.679{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.666{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.639{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000320517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD573487E4D913CBF0F5FFB65AC95981,SHA256=23E6016CD9EC42072B958D94F67CF0EA529BD96DABD930A581D4D04F0103DF7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.621{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.599{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.594{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.576{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.558{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.555{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000446804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.376{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DDA029D90A577E02029DB0FCBB6DF5,SHA256=CF8135B2BFC28D60F0532E6705BE4AFAF019D06007F421EADDC404AF52674B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.540{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.473{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.462{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.447{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.430{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.402{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.389{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.374{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.359{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.344{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.335{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.330{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000446803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.156{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.153{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.150{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.145{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.142{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361354175A6E3A038FB5E1277A80CD3,SHA256=C12F6048AC7EE0705639248AA745778300C401F60AF93F8E57CB77122D3E0245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:41.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591BEFD8692BEB1DEA4E82A7BCAE1EFA,SHA256=526D4A4D0CFC0FE9CD377A415851BF4775FF2FB8F54FEFD43DE3A99A3D83DDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:42.925{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0245F09475B69352DFDB08447844A6,SHA256=BCF81BF25499942A32E5538CA356173849D452D4BB03D0CDF14AD460CACB4316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.815{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.796{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.793{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.783{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.769{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.746{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.740{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.729{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.724{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.722{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.719{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.714{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.709{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.553{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DFA7C9DF7E6B14DCBC89CE5D01B48C,SHA256=77936B9B2A9896548D199AB0FAF81BB66DDDBA389DF73A5CCF33738B2EBCF893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000446811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.827{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000446810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.201{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.200{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.199{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.186{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.178{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:43.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E4ECC0D7AA5FAABAED532EE61BC2B,SHA256=172493BE8D55D19E35247BCE7C71593959F7F94876F6595D9079B03D877CF585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:44.822{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598493BAB1FDBE09C0B2795FF7A1D231,SHA256=2ABE456EE696E5FE05B6BF205A9BD40708941BFB3E8460FDA1814C31597E1FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.499{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50932-false10.0.1.12-8000- 23542300x8000000000000000320540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:44.005{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A36F43ED4BE405D88E9B16B33F2CA,SHA256=A1CF59B244C0E65A6F49C392D1DDE6F0AB5A10D91246E49705A0A40C6475D4C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.958{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936C7119BAEDCD9167B697E58409E40,SHA256=13947095DD9FE2D0D15E9D06E8D0B251D9ABAC8491F802C4980DCAD6CD46DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:45.094{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F525FE941B05EAF8AF70FE4619EE76B,SHA256=785ACAC92AB870677D841CBE2482B5AE5681B8C6CC438DD1D9E6FF7FFF1A7D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:46.181{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC863D7CF5AFA4CCAC3C46B6BF3622F,SHA256=6F4FE8F9D5AAA1CC422121889123B81E79B2C772E4A8E72648F684DA666E8E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.631{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000446843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.170{45AAC21C-B38D-63D3-AE03-00000000BC02}48763008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=26C0E71D9551AECDF53DF6AE336BCC70,SHA256=030798747DD5D67ADECA77827C91EC4245B5F4760D780B8CAA59335F9C08F772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.075{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000320545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.542{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-099MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.273{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C6CD7AB479D9603AF0100751D4EB25,SHA256=6CCD5BED9B02AFE4D6DC6E9B7DC4BC2EB15AD0D7C0BFFCDBA2076C109ACCB677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.408{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A1B91F3BA43D5E279E235C61722F746,SHA256=F86ADB782C801A363257E8B8D11732AEE70FCD17382D68C176A6420DBB3EBA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.361{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E48DC6697706B3CF34036FED758D4F0,SHA256=744E4978D440C122D10B94C7A403D816E9FCA700D646E5F2F184833AC61D7F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.021{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320695F230B49777C1FF9196159A9D7D,SHA256=DB67D0CE05B56507C128446B982763A0751B5D0B793AA4A4A2ED2565970BCC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.555{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.363{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E621562CFEF6B29CC1E4F3B9B6FF51F3,SHA256=4EC3AE0E8F8B51B872A6D161130229E1555794EF2FF299C35EAE9DDFE40BE4FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.814{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:48.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44DCD969183947730E377A1DA6538CC,SHA256=64A488796530A2D0C65D470F288BE74DDE664D76F7BD3A16A37CAFF234C5F009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:49.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82D8B8DF0274B021F4C65DC59A8007A,SHA256=11A0415D2B9B15A1CB1B493DAE0A7E57AB9033FBC81F293724929FF195BC0D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.911{45AAC21C-B391-63D3-B203-00000000BC02}53561972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.693{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000446876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000446874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.410{45AAC21C-B391-63D3-B103-00000000BC02}37364808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.207{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48349CC772F6E5D004B09EAC5E3E0CA2,SHA256=0A2D8E6F077A6397D18625919505C0062208C2C29802BE8A5C63A8AB3FA62932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.190{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:50.773{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84789003EC08DED80A4AA210C48F911,SHA256=0ED465CB8BD901CFB3869E2C45C4D1FC06DD9FF9ADB2B3021F930EA8BF1B6E12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.540{45AAC21C-B392-63D3-B303-00000000BC02}43685880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.369{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.290{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920A9DF9DEE3E4940F7402A0D298EE8,SHA256=8670871B0DD29AC2F4B8CB7F425953E8C597030932C5106DE42F6116C025E637,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50933-false10.0.1.12-8000- 10341000x8000000000000000446904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.768{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.377{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431CAEAFB18497B146D5AC119D424E7,SHA256=F07B2D1A7784D7E6CAC59516A6B1D7F3983417444DF3073A500E6E992701CD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:51.859{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870CD3CC7BAC09421FEA53D352A9E56A,SHA256=5380C8A550F68362B2CD332837576205F199792EDBCEB462144210EDE0D19423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FFC9EF0B21DD81F1ECFD7CBDA55B09,SHA256=437B094F6D97B770D6789A3CD57D4199CEDD10D841B11599ADE03E23FA7BDC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3AD7776C7C04BEEE3CAFC8D6049838,SHA256=EB889F0A0FEC830E616841B578E82FBEC8617724564A9E78610AD9C1964D2970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1E1B30AA4A15142AB6E1C3EE9A6B9,SHA256=F9D1F0595478CDEF551951E6E37E0B36C255EBFB0735A8CC9F2E1B7D245A8518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:53.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE50C3AF69F3038D8B436DDAE308F6,SHA256=4E78D8BC31FC716846C2148BAF09209E2220211A54B65C0212757F7861DA3429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.961{72106695-B395-63D3-9A03-00000000BD02}54286104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.883{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8BD50C432523D50DE0396F05B32967C,SHA256=B67B8F6C8DECDAA506622C111F0E80772822D3E67E5A4BE9D323761DDAF6F3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.644{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:54.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FB2400EF1579DAD9A75889779819AF,SHA256=44A4EA3196F518B53CE1D6E1AC9303195CE31872ECA0DFCA924A66A132917A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.791{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000320584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.651{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1191B08C1C1AB746610FF6455D70670A,SHA256=07E75AB9B507D9697E402FE2A1E713D5B7B3EEB5424F0E940FF0730582F3CE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.636{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.385{72106695-B396-63D3-9B03-00000000BD02}43845172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.137{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.086{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61278505151CB9561FDA58A876E6D3C,SHA256=CC730F5EC36A763A03E4A1DAEF91CBE1AE1623E5E8F929C41EDB418844EDE229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:55.956{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAE3C7042B2D4FE524C373D80994306,SHA256=ADAE613683A383AB324E954BF7AF214A2F0BA69A2554914FDEB068FA86A9A32E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.860{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.760{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.494{72106695-B397-63D3-9D03-00000000BD02}5988592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.521{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50934-false10.0.1.12-8000- 10341000x8000000000000000320596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.261{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.182{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE083F280940FA066499FDADE66D262,SHA256=4E1FF3D9C44447FF18CCEF55C109D80B38D39A1BC1F0A3563A98716FD19B5ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.638{72106695-B398-63D3-9F03-00000000BD02}12762452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.389{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.277{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E056FA5584774E9768DA7952B8F92EE,SHA256=CB3E5D29F6BE3A76603D5292C88C74A25D6992DE9F22F9E8709E7A44D82F7851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.706{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FBE6DD28E8E87A7CCAE0F6B58DAB5A7F,SHA256=7B234BB9EC3C66D6E22CF4E0DD917873EEDF2C0A07D97A05B9B37690A838CC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA613A098BE2041FB9A697B08819271,SHA256=49550F35BE0DC784503A6CD9FA3BE313DA51D22406AC6D449D8A54D22BB71361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:57.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1A818DFB3051B358418793C4B53FD,SHA256=8DF1911223C7F6512649A12270BF837CA623C7DFF6F415B37E490D878C9248FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.061{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.471{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A5BF85F7CC7AD24033196E74836491,SHA256=A1C2DE74583F60FFE8F8E01972D2BE64352F8911483C3CAB82E205C81A26045D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:58.138{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFA11222CD699FEC117F706E8678637,SHA256=7C62C6CAD6BFA965CCB2B116343725EFBC1BB0AD593DAFA76077A0C002B73996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2A5A47D44002B2F166D906EB7A0DD,SHA256=56506E933C47B1C711E2239A0F977AF12A405FFEBE2BB8894497A08847C3C53F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.496{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 354300x8000000000000000446932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:56.885{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000446931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.489{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.433{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.425{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.367{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.242{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0624C6C111DACE073A526CCCCC40E97C,SHA256=9D9FADC6B3ECCF0771FE6DCF9C0AE556B861FBB26B3EEBE9FAF4601366BE408F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.701{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.692{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.689{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.656{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.612{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.607{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.605{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.601{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.599{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.597{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.593{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.592{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.590{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.589{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.588{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.585{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.582{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.574{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.568{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.560{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.558{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.549{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44803B3F219EAC3894887467FF402B8B,SHA256=814084ACA14DACF991B537C53EFDBDD5FEBC19BE69461FF4FBB6F8716E4CBE88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.527{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.524{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.512{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.274{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB58ED00017A37E608E6AABFF648A67,SHA256=202F72E42A641CAC2F1B6A4BB3E8B39E097EDA479A7A640BAA4180386B4CFD27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.440{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.432{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.417{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.374{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.357{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.345{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.334{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.321{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.316{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.097{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.095{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.089{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:01.378{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB6AC3BC4134B57B4C6B662FC6620A,SHA256=338EC3EDE2B3720EE7EDE77478D6897A5C3F61C9982DDD8EFB5870D5DBB842B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.421{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50935-false10.0.1.12-8000- 10341000x8000000000000000446960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.789{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.776{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.756{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.709{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.700{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.672{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.668{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.663{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.660{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.658{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.655{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.564{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2682A7CCA18E647ADD1933C79F39B443,SHA256=DD775C1DE8EC3459E121662626FCB2DF72A8D3695196713F0958872B8C0683B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:02.073{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B9AEF7B8EAFC702865DCDC8401855D,SHA256=216C7678582525FBBAFD44140B08E86792165118F93DB1C686535CC797B26251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.142{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.141{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.139{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.127{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.115{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:03.154{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE29B45EA25BE80EA8C2A24998390B,SHA256=4D28F62997078B0E9FB8BFBE28CCE0CB3B810A8AD943711D8D4AB235AA8C29D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:04.148{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2AB67E4324475B1ECFE155795363CC,SHA256=796B2A9DDDECBE869C97592AB1D93FEBE7DAD11D0D3EC22AD8576E66811E8F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56D005E2FEC10B7E1F61ADA99D39B5D,SHA256=44318487D1984F120E0B224740F5E6CCC6A7D7D816FFCB69F622F5654092214A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.817{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.348{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000855E3CBD935CAAB4EE16CCC3034D0,SHA256=8BD6F44A99011F4ED797E3E1D49454349C07718B5F73890E0667F8E535B61F96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52652-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.535{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-099MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.295{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC580FBFAA8246ABB7A8D5B01D62E45,SHA256=E93CB3420B2986246DAF784D688714284566CB991A5F3BA71054FC5F9939A0E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.314{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50936-false10.0.1.12-8000- 23542300x8000000000000000320677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:06.440{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4C5DE26A1D0A0963FB845212F036B,SHA256=F4D19A9BD841EC5CA348E3571C3DFDB34DC4C565B21DED8733352EFD95D20F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.546{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C26CFFB6FC29FE9F7848917AED59A,SHA256=933567216B47B6867F9224ED78741C4AC1A367C5463616082CF82C7122D0EC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:07.530{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B239E3395728FADE226B94AA2777F18C,SHA256=AAECE574968B8C0EB523E12520EF4DC66FFA69227100E7DB6B89E59DB2D3C74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:07.486{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BD0D9CBF8A20A9DA9CD8C0FF4B205E,SHA256=9667BCCCB7D0B943C5AA5D29B5795394FDBF5650DDC311CB1F049B9A47B13504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:08.629{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8343617BA2BD7CD3E39853B57639300,SHA256=FEEA15814633D7176E484924F7AADFB7B37B1F6CA59B9C7F8ECDFBD6DDF719A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.565{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386A920848EC9C67307C77D913DEF5FF,SHA256=DEC4EE1EE6526007FF44BF3DA2FDC8F93516577FC918453A6E2ED4EDBC6EA6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.730{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5352822EE6DB2BF3CA944F01FFC34D31,SHA256=B68C34F85CCECC03F9C97B5F4D18E57CB9EDE5D5CE5AE7A8664FC255E3ED99BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:09.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34FD7AC55693C24B9316ADA301806C4,SHA256=22C28DE70B291B06B34677F213F58DD84EF279E062C0CF4C25843ABD96BA9C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:10.826{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E0EF62BE8072F8ED3ADE6D4E9DB474,SHA256=652B848B83FA6E39F1ACD6E61CB97B87ED7602FF3E68DEEE23D6FAAB68AAF196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:10.737{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0198FBAE7B95CA4C4CB4573D1056CB9D,SHA256=0D14801BBCE917FAA6F06EEDF505C131DD2C102C38462387DB7497685DE797F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:11.923{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E996DA48B61D9255186D5657A567335,SHA256=A1EBE2ED496BC0E1A7FB8CEC831B85CB1C6BB2C9E31C022D48F590A7B53443E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.746{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52653-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:11.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E17A7C336F292B3CAD12A01C0FC03C,SHA256=E1ADBB400995BDA662EEFD4EDF9359BB27B77C1EE475382FBB7E2AC4D0663FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.501{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50937-false10.0.1.12-8000- 23542300x8000000000000000447000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:12.925{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE630EDF78C45DD2FF3CE4DB9830ACB2,SHA256=51B0FB08E0C04E8348FD4AC4990C2F60F47D9C91B6CD3E2499D93293E5006761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:13.011{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4F34153CAF3F9CCCB072B7F7CC023D,SHA256=A145A8A5D0AE3E0406542BD9E1F68F4724432B668E6DA25D344D201AC9703B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.994{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=314A990B7F8323AB813B5BBB4DA74BC4,SHA256=F663C70415106C0F416EBE9B9F2154FF671D9648B649453A926D5270696F0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.108{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4F5875E073CF0E04F1EFBEC38A8121,SHA256=44903232BB7BF4FDDD2C3A01B7317694831207FE9328335D5D65A6688131CC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:14.017{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0EAB1902F8792297DB2250986993A6,SHA256=F9A48BEE7619655BCC9928DB74FDB4E86053084680BCD5905D90CB1C6C4CF825,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000320698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000320697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f) 13241300x8000000000000000320696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3) 13241300x8000000000000000320695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3) 13241300x8000000000000000320694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3) 13241300x8000000000000000320693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000320692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f) 13241300x8000000000000000320691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3) 13241300x8000000000000000320690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3) 13241300x8000000000000000320689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3) 23542300x8000000000000000320688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.199{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF29F4E36531BA85956C1BBDBD7BA08D,SHA256=AF777C830D9538DDC1D62BA203DF1DF7440139336ACD5FE457B4488AFBBDDC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:15.118{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6447253922C7BCD05F04C7D3B692F,SHA256=A7385201521C84DD7E9A7EDDED526C46B57C17CE55FFDB4C3F1806A097B830F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:16.295{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06980D05C7C6EED4DDB83ABE132D0B6,SHA256=507F601C65B07EF93F9B04815E0BDA013EDD70E9A298C542FAD3827E6274C9B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:13.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52654-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.223{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A71426151A9481A7343205471C4C1DA,SHA256=718975EC1334A61CB4E11432D68850A12612D13F3F7295CFB6479B855812BDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.175{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CAD96115E5E5BB3B5CC9EBB6D1AD0BC2,SHA256=0A933AF96C8A0AA89C41F9B93DB31200A4C0D0C0BBBC6A08F87FFF6954D37C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.390{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50938-false10.0.1.12-8000- 23542300x8000000000000000320700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:17.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF16E5B54666C0706A38F828D30F85D,SHA256=90EA273F87A0A23238F1CE6DF54BAF7A820A939C6DE94EFFC700F68615B87DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.571{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F14CDE68856A317E76A1ED1A232D7D1,SHA256=4B0F5B948D73438525A1DD2C2F6150A8EADC4A379F9522E96F7DE451BE6949CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.220{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219D352CA8D110DF92ECD5ED38D3E4A,SHA256=DC76787959CA4AC8322137488D403EBBD9B19942C9D01A2D25101A3FD9597BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:18.490{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A4F3707C69232CA23F2DF6F853838,SHA256=D23C46BC3AF2999368AE98A0645F981C77E7E9C2B298405DC0C300B70BEA3B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84AAA54A648F851D8B1ADD26DBF3C25,SHA256=20F97E11EC95F5A73BA385ABEDF985E1F61F5F333F6E94F457ACAD0A4562C834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:19.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FB5929202917AB09C61955E29E4D9,SHA256=FD78D518AAD21612EAAFA30D6FDA6CFBD3DA4F95B0DF07374A85662106C9E8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.606{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.590{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.577{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.573{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.570{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.567{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.515{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.480{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.467{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.432{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.397{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53442C613AC75D7EDECEA9342A5C3254,SHA256=6E0B487179042E0ADDC32D966FED1A8F7FBA315725FDFB7ABB459EC6D54B2825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000320741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.771{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.758{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.754{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.720{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.715{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.698{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.691{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.687{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.671{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.666{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.664{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.659{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.656{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000320728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8914CA9F1536999C292C9EFFD407CA6,SHA256=50DF01D23A06D2755268D5FC9984D9EC1264806DD79D017A7DD7136E4A9E18E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.653{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.652{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.644{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.639{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.621{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.614{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.610{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.600{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.582{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000447034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.417{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674CFC8182E57BCEC470DF76D4027A30,SHA256=20577F151631BADF63E25673E638811A78089DD48A537175F26A8CFB673BA6AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.579{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.565{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.502{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.492{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.479{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.464{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.456{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.447{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.433{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.416{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.366{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.362{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000447033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.242{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.239{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.236{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000320742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.736{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CD9026B05747F7D8332351B899EB53,SHA256=E2D155E9537E300CD31212814909B0E2B61322FFD519387197716B8F2E2B11AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:21.630{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB5992836879C1C27C421C536B24FFB,SHA256=1999835DA0FBD97A920ADE1BC9DF0A01ED22695F1750A1AFA625F209769A28DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:22.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C32A63BB5E7908C74B96080C2FC3838,SHA256=5A3D58195418E0C4813CF0497CF53F66F4862C7DA436DC0BC9039B3D43921FD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.917{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.911{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.900{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.857{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.849{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.830{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.828{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.824{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.813{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.718{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760152D3CF17ED9DC8493F1A9D53A775,SHA256=0EB8D5A932EAC91BDAC7156D31EAAD550BE68175C3BA184ECCFF9D18D18C5B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.300{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.282{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 354300x8000000000000000447036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.919{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62291418B759330DD879CC0681E1CFD7,SHA256=D8BFAD913A61890C90F6388130ED1EF755B9ECED7A8EFA491D24201A17D2BE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:23.876{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342E37D9A63DAF2A12437855D9453DC9,SHA256=1C9B2E5150C4827F92B9C1166C5796CF1C9FF4C47214422C734850334285F544,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.398{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50939-false10.0.1.12-8000- 10341000x8000000000000000320747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.139{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:25.080{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC172BAE7F216EDF909DDEC2D6EEB99,SHA256=F9539B5E018BF0E6322243E92146CB461C2C0B53C2D8B714ADA7A74E611B2C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:24.999{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33435D48A74D8F1939178D5914BB3627,SHA256=333676AF8188430FB9DCA7E2F179D2EDB7994D57F8D1D7933EBEDB8436F5A323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.087{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A87DF1230B8C6C23B71628F8A9D1432,SHA256=56B387A0D152D38AD1EC95DB2AD2A96159B900ED3E954D2FE5E6ACED4F0A0B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:26.286{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCD5766463DAE4CE0164F450555C0D3,SHA256=BD6450A57A45C231433F5018C4E097934D3A605F74FE36EDD72A0F3FBC621128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:27.198{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC94DF60215FB522A58481F9EBA16EA,SHA256=74860DF1FAB9D13B27BABBA41C163DAE334F45A404718000BD477A6162806241,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:24.795{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:27.491{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74515AC2C362C23D962B36FB14EFAD20,SHA256=EB313ED357E8B92967286D37B35430E73EC753C1250C1E21CAEA91FE52DDD55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:28.574{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8146BBAAA54AA160BF4C10042580C,SHA256=97D00AB7A2B30458FEBE8C700F9D12930773F1A62E575A568891E434C5F90312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.300{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4867EA84CFB6F4F34B8CA585812E58FB,SHA256=71D66A4A9B1DD6DBE778E6C833B393AED3A884523F77D5CC059B25FA6D9EB4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.064{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B2F5BDEEA495E65149F453009F645CB3,SHA256=816E5D07EE712116811BD30ADFDF47F55E4A47C3371A3DEB94DE0BD9533F96F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.661{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8C89CDEF22E91C60BE906BE74F8E27,SHA256=8092B0B36FCA0B13692D071D7952E54B1A984318F4B2DE580B14C39EEA442BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:29.393{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6FF60114FA6C06DD16C801AC243A70,SHA256=36619EAF7CF10E0D743553026F811089EA545F3307A5D44546B779BD63F5523D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.482{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50940-false10.0.1.12-8000- 23542300x8000000000000000447064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:30.741{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5EDE2EAC0B52C2284299E7927B4D76,SHA256=95E418C150ED5018F566A12E34FC8E798F53DD81977AFE135CA55AD83C02064F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:30.485{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5974BD570F2B2A6EC2F24552D8107CF,SHA256=134EAAE2965FA2857D8902D7B0C61A866F13C0774BA326704A734756CDC54447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ED6E4D0BB6628A3EC9D871EF3B23F4,SHA256=85F9B2CA1DC467BF1893E1978FBF5E5F583160C3C87BEEB50C6E970A33253802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:31.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE1208A9E6FB70C276E0F6D77290542,SHA256=CDE4FDE5908160FCC07715CF12364276E692431BE53A1E8A825CF97D6B710ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.919{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7324DF457703504723D60E0167ABC867,SHA256=654460DE0E1B131EDCCB5A72FA4F8E94D0F346E6AC6109F5EE234B4D3FFE278E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.760{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B914534AFC5E62F553E1CD41CB9EAA,SHA256=59B950EA95B0726CE76DAD70A75FD9E21ED2809C43071A2B73C876934CC087BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.815{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:33.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646296D85A950F6F8BA89920177A248F,SHA256=CBB35A7F57C6F388F83A12B47BF6ABF6307BB95BED3D743186093B4128D4B425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:34.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E43F798DFECC28114B9703036DEA1,SHA256=02FF8B98A33096F7B0188FB41D23B761DECE91539239BCAEB992FE731DC19640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.083{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E903DB567EF7FD25DBD2C972604D15,SHA256=04087EFB5AB417B4788F5A8CEAFBF397776FC25BADE6A185EDDCA9CCEBA3CAA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.767{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000447070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:35.117{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB9E8F36CFD8985107FC214D20BC0FC,SHA256=7B48762F4346BF9F837C0CDD9BBCF15905AAB78F09D7813D67849A461654539F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.469{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50941-false10.0.1.12-8000- 23542300x8000000000000000447072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:36.218{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4546D600121E5170B23787AB837A8C,SHA256=B6EBD333F9190D9D9475D2306A1FEF81DA8F860E35DC0CBFD71D86CE1ADBFA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:36.041{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4DCDF97ADC04418C4BD4CF3555BEE,SHA256=D15884BC47EF6B89C8F2887C0D36CD72209217EA10F6B2FEB1021338FE3729EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.917{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:37.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5BCBF62B4FAD8FA7459199554BBA7E,SHA256=93CC28DCEED7DF7B9548C110DCBB1104010F96C0191512F53BA136AAADB29445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:37.152{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8819B12CB21F738C1DFC583CFEEDA1F,SHA256=D7B7DCEAF0D4F7E2E9DA64F5AAF8590EAE16EB995036327E596B5872C924D20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:38.515{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226ED49691E2DF51B9765522489F173,SHA256=6329E1DE43C515DA1EA21E2466F3666F564240ECC07DC60C703A094320B82031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.774{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.252{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E911E5839EFF654A90C4A581D9E17C89,SHA256=3D1A8BF1C1AEBA04A99C799898378349A9F2406DFA7457CF0843BBD04AA7A354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.706{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92636372852C2656EC16CE3CB7A9D7AF,SHA256=F3765AAF7333262B91E8449B7B01CB41B9C3AE1AFAEAB76FEFE24053D117E909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.597{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:39.354{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01539140FF38944A4D0EC198B30AD554,SHA256=A8FE7C6BE759CBA49436D0AD90797F78170835628032304231C42841B544AF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.580{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.561{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.555{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.436{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.421{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.370{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.640{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348DFFAAFF4FBCBF0DC034090BBBE178,SHA256=780C00E5A8582AD97080E493822BEB5DCF481A1B5089645CFEF1AF69981050E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.779{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.763{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.757{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.714{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.702{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.675{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.664{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.661{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.654{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.653{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.650{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.644{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.643{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.638{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.637{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.634{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.630{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.624{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.611{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.604{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.589{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.585{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.571{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.548{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.542{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.523{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.461{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.450{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000320778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.436{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0F0807CD4FF9F03F6D4B37EC3DA85,SHA256=0C4F2652FE173130066957DC131D4DB4A5D60D86F7D711B5824EA9B582909478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.425{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.409{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.391{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.380{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.368{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.355{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000447100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.234{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.232{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.230{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.228{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000320771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.337{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.326{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.322{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000320768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.027{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50942-false10.0.1.12-8089- 23542300x8000000000000000447102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:41.750{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EA5E4D65487EA309F7DF0AC6895095,SHA256=F6987A1A02801A640292A1CB6073BEA11BB2501421ECFEF47D43188912629A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:41.756{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B9161DDF781FA14F482D08178EAF15,SHA256=5290A2330E19577593C6A31FD14C655CD2DA0091D100689A4705A9C0BF521968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.403{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50943-false10.0.1.12-8000- 10341000x8000000000000000447126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.969{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.932{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.912{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.842{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.829{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C75B7F006CFE489D714565444FA9D1,SHA256=9B716090745036A3CAAE4E6BB560695F02CC10655166F15267C86861A1C8127D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.812{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.810{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.806{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.803{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.802{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.799{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:42.842{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4621C2336E78A3448C6F053FB4A3573E,SHA256=3C8803D9DC1FD42705EFA15039947ED7D9FB414A31BF674120B677610E442EA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.337{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.289{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.288{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.278{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.271{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:43.938{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCEFBAE15ADD822B517E670CBEC2444,SHA256=934CADA93FC5B259C6C040B1C3FC04190BDF5B078280E5D88DACC28D196F5C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:43.914{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067AAE9DCA92829DE1C8FDE2B220F65,SHA256=81F08A99AE3BC7A397AA1E78D0EBFFA0B11FF99023C77ECF423384ACFCF47F07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.858{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:45.260{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28821DE7DA7775E6688B59FE4389CD4,SHA256=A572FF1F30428466EADC7DB2034061E4A98B0D9D9E987F643B6C7D9EA29500CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.968{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.010{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE70893F214BF8BFC639EA911A78D2,SHA256=2D32123C38877EFF158FE48B7B3DE0B1EEAFAE686E87D18EBF08CA435A86A450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:46.343{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09964F116ED246330BFAF65D8B365357,SHA256=140F80BEE48099A0C96D7C6BABD8983081E071D6E43D4D8767CDD08B3DAE6A2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.749{45AAC21C-B3CA-63D3-B603-00000000BC02}54042144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.547{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.104{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFA28C911FEB77BDD37D5BAD665491B,SHA256=3817E120570E56C5AB12AA768FA9F9C24B5ED7FDC8516DF11A36E6A2A76BE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.088{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3AC92E251F37B91F851F13313F2E57B1,SHA256=FD04CE4783AFECB0BB25B5762379D176DF98ABE2C0CCF5F6B45114BE30E2E2B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000320814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:44.400{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50944-false10.0.1.12-8000- 23542300x8000000000000000320813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:47.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B3442A87C517987FC7A8E7E2B16FD,SHA256=FB468F76EEF68164D2955662953F4D9111B865D8E3CA18956A9CD24C1A0FBFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.706{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CE9C64865E7F462CF025F6BFD2B4CF71,SHA256=3FD7661F3C5FD5136873BCEB28CA09E58900DCDFC023C24AF973377C986BA5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.206{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BC9CC95DA02CBE13408AE7939DA6AB,SHA256=0ABD552555C21D247866BACF68476CE8BA6D0442576A37A96C7E3462FC39EDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.174{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.079{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24632734BD62802A460CAFC92D381A7,SHA256=763B41A54EADE044088A2CAF0CBD4D9288A3B8E5E6DC7A6413055082F9599F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:48.650{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B3C69F74C590824B47B9E6D250D06B,SHA256=7539A298FE0AA58639C9E2AE4D4E7EB0FF5C5D6F9D39B673ED4B1BEE00DB3BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:48.285{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658F8195DF8F42B5B4194B80E1E8E6C4,SHA256=8C55221CCFC5C3412E2680F78D001F3B90D1305286C04F21C5BD7850063E1DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.850{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C848F9670F361B4E0C6D94157B6BD3A7,SHA256=3D485F9680D7A4468C707A95CA28D104C5275478FDDB3CA32A57D2D21600C49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.949{45AAC21C-B3CD-63D3-B903-00000000BC02}31205644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.685{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.402{45AAC21C-B3CD-63D3-B803-00000000BC02}40041120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.387{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C10176E214D013F9F1C431F3F9E4AF,SHA256=9A6B195900CD0E8D833A6386C6360B4168524899AFE3D0488DD3EA9632F11092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.089{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-100MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000447171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.183{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.627{45AAC21C-B3CE-63D3-BA03-00000000BC02}60883812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0E2A8209FABC30BF5DBA38BB59B676,SHA256=C48A98BBCC8F66A36F2F63443BCE012694CEB8F422ED4D79CEE395FD08946E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.101{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.362{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.730{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.573{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E79292E3A96FC93259EF6139B8BBA3F,SHA256=4DF7146DC36E4C912500B87F5317A1BBDFCAEF48DA9FB1ACEBCB72748920ED8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:51.037{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0609C0E45135942DCCA73519FE01D00,SHA256=E6CE2AF7C4C00BFB3DCF6EDF1342862F5923E3D8005271D079D4AA0CD7C5B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.846{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A6E9BD8DAB9476BC59599E82A4DAEA,SHA256=93AAAAAE1E67764AF5D65E2E368369EFA5E3EEF277D3ECB7BA6C0F29E1F46C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899779A40040BED46597CD7FE455D1D4,SHA256=14572EE8E981376F9DDEA7E4D8310A19EFDFE1E02472C6F0D174AEB7049E421D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.368{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50945-false10.0.1.12-8000- 23542300x8000000000000000320820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:52.118{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AFDC75398A2D8130FA0A7740110018,SHA256=9FC3A90A1BF3AEDAC2635272202F74754622DB7FE3FF7744D69DD4AC75C75930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:53.768{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E64031312379B694D58F59E562B9C47,SHA256=C972826CC0B40EAF08FA180956549F2576557B7B3F28F2416E553563AE70DA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=084582649F216365DA6D0ED1C818E8D7,SHA256=7E4B85B09216794BE618CEFE00A2F48DD3413621770B323F4F3DF0781646AEE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.687{72106695-B3D1-63D3-A103-00000000BD02}39323336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.513{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.215{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB594DDAFC937932E989E314A62C4FD,SHA256=25BB90C65D74E66F19A3FC5F3916292858956A4CB2EEFF78723B488961D89F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:54.855{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D0BEC6299363D29B952D3D2D63620,SHA256=BE0D96FF6FDA67C350CB4F3483C2994F4CEA35E3723370C44773C5A2D1163982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.832{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.831{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.828{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.695{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.600{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C9C038FFED7617B305C2B16FB27EDB,SHA256=1059972D92038A8CB4513C09B9CD28435F8D07A02969216DA955C4C568441188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.397{72106695-B3D2-63D3-A203-00000000BD02}57645760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.303{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AE6D9AF1B518F37E260C2950DB67D1,SHA256=412C013E7BD19AD7652C49E281E38D79B38F1ED09952DB265E648C70214414F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.195{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:55.957{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30929D82FEF0EB06A0493E54AC71394B,SHA256=61FFE7C48D06E9F4323ECC7DA8445F5961E1C2F73185B44D8F43F630F10ECD40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.866{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB9CF9A278A7E78D1A45EC23A90DD2,SHA256=D4094C79BF2D13BD062E697CFB85ECF13BBF687A57C3CABEC877251B18E0AA90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.366{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.746{72106695-B3D4-63D3-A603-00000000BD02}59285952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FB60E9BA96EE3B7FB48AD22499B391,SHA256=26E57F0FBD611D80DFD7790FA95991B563E92622882C1797083FEEA1269CA9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.053{72106695-B3D3-63D3-A503-00000000BD02}58645908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.562{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED68BFBD35E3F9693A278C96C4BA0C,SHA256=F76939537798E974B22B6E21C6B6546BB1AFB48B773502DB4BDBA815688170EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.055{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FF50D90DA6EE0B743AF5B28A9ADF3A,SHA256=1A82AF49CF48D1368239C0231D2C057F7C99448CF27FFA183C3378C17DF8D02F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.647{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860CCE2FC51F29505D50F17F7312B5,SHA256=D7F0F87E9978D742B264F2A4D7EF77A0BB0F93DBE286A9CA6CB0C45F6F399D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:58.144{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F826D1335FBDF4C0FFA9E63729E4A11,SHA256=D119C0274330F39A1B4741475AD054882A62C5DA569E2822A80FDB51CB35274F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.059{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=574CD442FEB584AC4FCDBD289B662351,SHA256=552A05E4DD272E5F541CC1BD0251509D898DCC067FBE26629462686FFC6AB0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:59.745{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F816758DDDAEEDF82908C529494001D2,SHA256=0DA6AF9629F1016D9E9B681305DB49B663CAA44FAA92B59EE09B47FE2886D55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.329{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50946-false10.0.1.12-8000- 10341000x8000000000000000447232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.533{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.409{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5AF4F6A42DFA1CE5A83328DFD8615,SHA256=519C292D72B865650A35387655CC8A0473BB207CB74AF84609FC2A2D11F42379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.987{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D85A98A7D5DACE870808AFCAC4A50,SHA256=50A3AAC8DAD33C9D295582D930DF3DE6D1ACC60A360A4420C65C289E0794AFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.837{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.352{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1125C03CC60453261C073D4AC0809A2,SHA256=674BAC696EA27780E3824F4812F7C06C965C2330BFE75F0F0271AB2331A42636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.640{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.625{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.621{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.587{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.572{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.548{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.543{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.541{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.538{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.536{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.534{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.530{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.529{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.526{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.524{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.521{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.513{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.506{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.497{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.495{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.488{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.475{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.473{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.463{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.417{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.408{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.400{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.392{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.382{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.375{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.360{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.341{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.330{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.327{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000447237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.156{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.153{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.151{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.149{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.147{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:01.441{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6C2066238897F2C6A0CF695C246F6A,SHA256=05E8BFCD1FC586173F8131DAA7D82C6BF94684C816832F819386E06A92911A80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.859{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.839{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.811{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.771{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.761{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.748{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.741{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.736{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.731{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.726{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.725{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.722{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.533{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C30325BB5F4E11C685BA5A803FD65,SHA256=02C6388AB51CE33459CC09A170A0CB8CEA2F6A9AF39BF04D9665A433110D2B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:02.107{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056ECD859CADE28E10944E04F920B2B,SHA256=43E3732A5098B26683BC7574AAA68E3FE929B48365864FD2C42386BEBF613FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.212{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.211{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.209{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.193{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:03.599{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C3128F3B6BFB9FA0EACCDB697166F5,SHA256=5409800C2275F9BA941992B8E168F2DD631655B5E4E323772FBCC748565D1262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:01.344{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50947-false10.0.1.12-8000- 23542300x8000000000000000320944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:03.218{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7439C5BC6A2346A6396F3519423A6FD7,SHA256=855CD042DCACB72A0AA40139729DF43843B860A4AF57CED81A76BC3C52460433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:04.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DA44CEE8340512015DB0B3E28FF328,SHA256=234BF57A0AB09A4B2549E6AB75DF916B26DAE542293183C11BB1376A20D9634C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:04.311{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808438B0A2E71386BF6C320D65F3F1B6,SHA256=326AB46A24F8CC3579EE93B8B46935ACA2BC5F794ECB6F60DA2732BEDF34846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:05.764{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF74B124F4115867EE89CB0AFB828E16,SHA256=76ACF8F02490E773903B6964852D74A8FC245307EFC70B578F18C1AF06D0EA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:05.395{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26111B0E201C393EDEB33D4144C51B,SHA256=D9A0C1B3E67691CC8D9797925A1C83EE4FAA95FEF0BE6C74450AABA025535FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.924{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:06.865{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721754CC6A7CD08D2B323B98E41FFE39,SHA256=3B92BC20191AC4009E9D0CC9E7369F095BBDB3C3141708D29184B7F669084CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:06.494{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8AC5B3959E3345F1F39B50AE3E91E1,SHA256=CC4E6B025B28E282A8769E23CD838937C97B0F11AE656C2E7FDF1C5E448A3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.935{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FD361059681C4301A238D3004B5A8A,SHA256=CAE627B742FF571B82368CEF316E23985676DB0DDB32D018DBC0D940F7B1AA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B502675502B252C6B564460299C17FDE,SHA256=66C366C2FA113DC6E5825A1F1EA6B8031C960C7EB8209332714F2222D7BFA6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.071{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-100MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:08.675{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3817103C9F0F8D4EC269467BDECD82,SHA256=D627F44862C98CA67B1F109203851B0A278B394B6BB6F0883B77284616056CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.077{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50948-false10.0.1.12-8000- 23542300x8000000000000000320951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:09.770{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA749293DE7CC9EA2730BB20518186,SHA256=68BD4A7F1D44995C4EDDA6ACC114BBDEE4DF2263228C1126BDBCADBDDC0DA0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:09.127{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3749548CC4C8FC891379343E2523D7E,SHA256=536D48E4A9065C7A0BDF7CCB73600C710724BF7306E72916BF718440AED6E849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:10.857{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBA79C913BF0DEE3D3F725215294C03,SHA256=A31A25A4ABA3BF9B9018DC8E61916E0A359D646720606FCFBC2BC471FBC3AA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:10.301{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AE681ECA4D1C6ECE6452A6F43E8F46,SHA256=8F86FB840D129E3CDB29745A85A9E54AA910CD084676A91ADD56FCC39F93823E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:11.945{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2049362D7305BB73BF7976E446C5A4,SHA256=AB86E58152F08FD39B1672909C02BB9ECC627EDE530CDD81236E55D2B6A6DF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.828{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:11.408{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4711D9043258F433A1B215BECB8D237F,SHA256=0C9811BF875605AD5E74B83E0D8A8A109022C6917237B0B6ED1DB0599796CF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:12.496{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CBCB6AC2EF72A000091459ADD85CBA,SHA256=CC7A6702AC9BBC12564A56D843FB13463A2385635FBF6BEF6BCB355489558689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:13.568{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030C1339C8A0B4DB71F360A067670722,SHA256=890C947539DFCDCF11531F8A143B1423BD40C9223A169C6E12A87B5DB1E9B40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:13.022{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49868B8ECCB131BFBC58C3D8A7A510EF,SHA256=59BE93B812357F2C3E66DE35F5E7F03F59E39CD44A735CFC1DD001FF6E76735A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.670{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D394577CF14EC3FE196464998A33599,SHA256=3BC2E15CE539C72792AE1685FE11038D6D0573FCDA8BE0AEE020DF47842012EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.996{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=840629E773C81CD84EC614D71F943F54,SHA256=A8337FA52391185CAAD08936015D5FA9FC31BB74ACD1A00857B6E21498ED7354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.113{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA009FE48F6F64105A1F7999BE56E7D,SHA256=78C19849F5F88E6C6CA549FBBE0FD0A41C7D17E63FFF9BAD0EDA6C292EFB411B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:15.765{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF6E1CA095F1161558DE78B8AD38D1C,SHA256=374865436C905A1B73AE3AF91A88FF500E47E551004331C32AA8ABC78422A8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:15.208{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7F7AB4D7B2FBF71ABD71BCA788854C,SHA256=580F62067F424B7CD8AB0FA0913B827FF7C11E060E2A4744A5033484A97D42BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:12.339{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50949-false10.0.1.12-8000- 23542300x8000000000000000447278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.848{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523A2C1F364922AB22682DB6A0EABAF1,SHA256=D80A66E1F75412ED89F62DD589C3C4E43D8E7DCBFD73B5BAD3B1F7570FF0164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:16.308{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05316C73290A97064E933FAF0E3978EA,SHA256=6B26D146788E9ADF5091E51515FB99643083E2F2D7153BD035D1F569583DD0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.189{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8C7D89596A339AA67D67E2CB1BF415,SHA256=469ED0649A67B331BBE9F4B4BF64D2D38858CCC847583F3FEADB210CFD2DFE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.949{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB569AD126BB6DD0F41D21D4EDFE62EC,SHA256=9F65DBCBFEB9BADE9D458698E5665D92D589DFE3074C3890FA8C80E66E56DA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.411{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5A2ED0805531A588B1A8BF708ACA1E,SHA256=FD5B7D0D72099A1B92265F28961CD67A58DEA104FB36048B64BD3612A81D6406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.840{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3B9484D057ACBFB8D7AF362B5DF0E87B,SHA256=2E6F06F6037DBD1FD1D512F42B0247A6B8F58C6845000BAF5E19B766A5CEAB1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.808{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:18.491{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C1085341000224EB33D9D57416CAD1,SHA256=B1FD008E37E1561F4FBFDA258354E942213A31EBB2358EB4EA3B69A945AAEEBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.442{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50950-false10.0.1.12-8000- 23542300x8000000000000000320963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:19.590{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BE8D6A2CEA15ABEAA2DAEE6C4B354E,SHA256=1518998292B159813679CEAF8B8276697B226FF0A41AFEABCA47FDBA67C901AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.633{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.615{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.592{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.588{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.584{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.477{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.354{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.297{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.049{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3878639A8E98CC2F6B32791D429886,SHA256=47EF37A027C6EC1B840F86CF5991DBCA479BDEEEB889C2479C812650DC50ECED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.796{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000321001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.782{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000321000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.774{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.722{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.698{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.664{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.661{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A54608B34B1136D4D3C1A801AE1C9CB,SHA256=D323FB75D247094027B219948066B7C5558784F38CD0AFBF82389795135FE868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.652{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.651{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.648{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.645{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.642{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.638{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.632{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.628{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.627{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.625{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.621{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.606{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.604{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.255{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.251{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.249{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.247{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.182{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC467684C36B58355572EB79BC1B60,SHA256=4051400FA26299160DE9360785B25E7D853EB7478E6EE7A40164AA0116C6ABB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.586{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.583{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.572{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.553{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.550{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.533{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.466{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.453{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.444{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.429{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.409{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.375{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.349{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.342{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.333{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000321003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:21.719{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A319B456618F77D76BA18DF4666C9E,SHA256=FE8B421459090CC28217146C58E27418D6A44C5ED6A02C6EA2BDC6215B2B19EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:21.276{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F80923925DC69976BE8D2184375D8F,SHA256=81FD65F016544616CECE8FE8921485661DEC03B93D9CBE59CD82CC8D9177301B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:22.817{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BFCF5CFD56F9D70CDEE8E58520F1F,SHA256=A6803F36A977D07512986A439A49DF7928DAEE49BBA396F98B0CDD1628278555,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.910{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.945{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.897{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.860{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.853{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.845{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.835{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.833{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.827{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.823{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.360{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F8749CCCE17E1361939EA4946814A4,SHA256=946CB40B5C47939B22076B0E2376372B3FB73596E6500F20A0700C3FA54B6CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.293{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.286{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 13241300x8000000000000000321011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x8000000000000000321009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAE67087557CD85432EBC57F052FA3E,SHA256=C3CC72C6113DF73D05546DFF8694FBCDC87F69F43485C93BA58C1AAE47DFF358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:23.445{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E644D1DC932150E427D10DF88BC42,SHA256=8FD3BA121B52CA66DDE6206D292F30319EF53BE310142D25F356B5921B881B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.140{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.983{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11307A83E44B1BD5E00D82F2B12EFC53,SHA256=7D58D55EF0CCEEC26D99A1EBD36310C7E56E8C007695F9698686FE9CD0D0212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:24.542{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD57658119060C5ADADD16928AF6B74,SHA256=F3967F4E949B5A3EB63D051670F8ADEFA8D083957034DD1A4EFD1F27880ACBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=97CC2EFD17A78DF1244BB58418C73605,SHA256=D51D05FE13134418230786CC386F0A1226F6542C7C9920FAB166CCAA9C5C5F55,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.129{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.081{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x8000000000000000321012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.003{72106695-9B85-63D3-1700-00000000BD02}12241696C:\Windows\System32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.642{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1E59DB75022F540021CD501DF08C16,SHA256=FCBD1170AA45B99DC2C74B819FBCB61B8D03593291356471355EDF13DA6D11B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:26.740{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6BFC6BFB881ADD0F8EC65026CC5FB7,SHA256=2E531642D8E5301198F1B84955A0D466C95D5049AD9DCCE8397308FCF54FA0E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.892{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.723{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.665{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321360C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B106-63D3-2B03-00000000BD02}9645340C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 10341000x8000000000000000321050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.571{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap16821:48:7zEvent8084C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000321048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.302{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50952-false10.0.1.12-8000- 354300x8000000000000000321047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.258{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50951-false72.21.91.29-80http 23542300x8000000000000000321046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.262{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B013EE036B07620E38C49E3B7FA5843A,SHA256=B949241142DBC891C836697915491688CDB99B582B47E00910506EED5B57BBA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.697{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63942- 23542300x8000000000000000447335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:27.927{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6333AB3CB91D25D6C58BC0BFD5B52,SHA256=642EF3389AAF7623CCEA5DF3C74228686756409E2A68111DB6481230BC46F939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=128CB24D7F730223B43028B82A347674,SHA256=8BB79F7CFF78BF1DB9599B8C156CD7BFE4FF5BF7567D0E3424E8C81786E41C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.408{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A696009B8BE18634CD3D9330A21440,SHA256=0EB06B0A69C1FE29BFDFD6A22C6F15C44FBD0242BBC73BD321B9D4EDE83DA205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.596{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000321083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526BD1F1BBFD2ABD7612507125FBB2DD,SHA256=A14D4F167F7202D9D0DF1AD843B3BFACDCC393F91812D81F020004DD4A97B83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0700DDF0015A42830F3544C41CC7FE,SHA256=0CE95E26BE39137F68A0180B830D1F89BD6A1C3C90774797A3E588236C97701C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.720{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000321081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.219{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=51E865D0DA3613F801501E2FD433944A,SHA256=A1730184B1A9FEB49370A913DE4374F35F0CE67E5452A5151DA4E5EF3AAA396F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.587{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A0CC5499A89FE46193CECC3517ED28,SHA256=A4A29E4DBC2CE974B5F4CC2F6892F0D68C6B4CD997E25866917BE50E941A1915,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:29.506{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exeC:\Temp\OfficeSetup.exe2023-01-27 11:22:29.491 23542300x8000000000000000447337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:29.018{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EC38C3D2129A0F1E6CCF3AB2EDA8C2,SHA256=89436C2E48E241EAE52A13F52A093FF1278C08B61B5FF1959F863ABE1CAA9AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:30.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FD04D707851DEEE55BD86BA0A7503F,SHA256=1F091B8932452E8537DD54B0FF66D595C95E8847274C01AE338D7DB4E6C009E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.109{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21743D366637C0B30AC058B8FB1C307,SHA256=EE9B05C4ECB68AA49B8729F38EDA972961205456D6BFB56828B82D13926CE128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:31.666{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B015791A48ABE1DD8EFA0F3C223577,SHA256=B5245441EB44EB2FF8295E236FBCA51C0FEE6FFB7AAAD13778FCCB59F8AB07E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.197{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FA0333B42568B34372169F7BAFB0EA,SHA256=7AA444A68D0F13A0A8FEDFEFC1E29FD6C5CA0F3A9B1D15BA6F049D3AFE2D524D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.335{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50953-false10.0.1.12-8000- 10341000x8000000000000000321125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.984{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.931{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.925{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.917{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.916{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.752{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CA20B831AF4CAA183794E3672CB8CB,SHA256=7DCB9717C2523BE7108A0F8A04FAC52E1567A6608B92720F428CBBE53157509F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.282{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A33BC2BE55BF880555DF7E5FE4AC83,SHA256=C850E46E2EC63F39298AC8C4AD4A11752F7F80D59819B9522E167E7F1A5F4074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\OfficeSetup.exeBinary Data 10341000x8000000000000000321103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B106-63D3-2B03-00000000BD02}9645996C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.126{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe16.0.13801.20266Microsoft OfficeMicrosoft OfficeMicrosoft CorporationBootstrapper.exe"C:\Temp\OfficeSetup.exe" C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=1B649814B0DBE3798D7426035C957FBD,SHA256=6469E1E2B57624EF62F5D36DFF93DFA0A50357B38350B565F395954A69327BB3,IMPHASH=6C556F7C64982E938EFD4571794DFE48{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000447342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.881{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:33.370{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E715FE50BBA7B0EB2C8946AB18CB6E1,SHA256=B19711BEB1DC264D3D5840203D0D5B158A1B36C05018E18AF49C0377DE9E6F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.580{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.377{72106695-B3F9-63D3-AB03-00000000BD02}46763540C:\Windows\system32\conhost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.222{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.205{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.174{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE3EC59A37096E67F5339642935C2F7,SHA256=5C9E1B87DCECA08B92C4FC1956C113506545C8C33BE6FB0A402665124F25D6C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.111{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x8000000000000000321130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.038{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000447346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65427- 354300x8000000000000000447345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51044- 23542300x8000000000000000447344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.483{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16341B0E43FBE1018D23730ECDD26F95,SHA256=9FE3A978A7FF07D0F5850DAAE62C51989CF9D39CBDC58C4F3E9E6903A98A2CF0,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000321168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:34.717{72106695-B3F9-63D3-AA03-00000000BD02}5852\PSHost.133192921531001648.5852.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000321167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ztfcqicw.uw4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.376{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps12023-01-27 11:22:34.376 10341000x8000000000000000321164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.358{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.336{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50954-false52.109.13.64-443https 354300x8000000000000000321162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.329{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50955-false52.113.194.132-443https 10341000x8000000000000000321161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.342{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.123{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.078{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.053{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3AE72E8117EEA707F9EA04C211DBEB5,SHA256=A60B044BEE9F7A1324A1727DC2234FF7710F8DD03299D55BDF91691CD1D72BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.051{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710A41F2B46CC54017AFB2DF1BEE1D9,SHA256=4824EA7CF91AB7FB94388BA04C8F2D8F3AC037EB2F56FF1AD39B8B7CFE863F68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000447343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.091{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.559{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E8771FDA239B4F6FC2A23B651B677D,SHA256=1A815EE55160C679F82DB6EA44E6D5D1F38C1A762FCA23DFCB4609F084B89857,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52998- 354300x8000000000000000447348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58423- 354300x8000000000000000447347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.790{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000321189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D282A4A20EA09BE13BE38E27166E575F,SHA256=596CB8E95B3DB7CB522B00D11DD7BCEFA0A0515800D75E2FBB43EC169D98FF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46B912D74DE4982EA7CBBDE5B21C10,SHA256=1589C1487088E7753A67B387AA180E3FD0D519D0EA663DCE60EA5CCE57285942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xqlgmawu.ped.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps12023-01-27 11:22:35.366 22542200x8000000000000000321176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.315{72106695-B3F8-63D3-A903-00000000BD02}6048ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Temp\OfficeSetup.exe 10341000x8000000000000000321175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:36.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8C17A75E58A6AAB005AEED9D6A09A,SHA256=2FF0F80E26821EF2B1A7C280CADA845B03F32086102EF89DBFF347AF8B86396D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B3FC-63D3-AE03-00000000BD02}48644360C:\Windows\system32\conhost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x8000000000000000321201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.884{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.844{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A22FD0E6CA604141CC79B1F5A89CD869,SHA256=0915C22CB4446CE63A9023B1C884E17AB2DE5463B7F96B509CC801672B065D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.474{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332A0538177F7AA151CCFECEC39B9DEB,SHA256=18B2685047F0478563A9DED2373786196D8C8FA76A72F926D4C86C8CF5A8A459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.364{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50956-false10.0.1.12-8000- 10341000x8000000000000000321193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.164{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000447352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.735{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CFBBEADA86C72C321F60DDCFEBBBF2,SHA256=5138AAFCCDA79C7E8E6CA08991BC005ADD2BCDD23FC28D3DAA201989B2944A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.975{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E43D463E940B342245EA9B320B58C913,SHA256=4CE77E7FB2A850FB70770736B978DD6580292F19F74E66ADA338C6025C8974F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_d3jk545z.krc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps12023-01-27 11:22:37.740 23542300x8000000000000000321236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.678{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE81706ED904FA828ED4290FDBFF95E3,SHA256=152044B5C3A98E6E8D57A64FFE80158623478D26DF9D42D91A65CB9F7EC8AAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.537{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E9B00958766BCCA05753C1C13DBA659,SHA256=082EE7125486DFF9869C55E298979D217734657307E767923C7B0DFE08657247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000321229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:37.412{72106695-B3FC-63D3-AD03-00000000BD02}5512\PSHost.133192921568843282.5512.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000321228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_02pkrd0i.lg1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.381{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps12023-01-27 11:22:37.381 10341000x8000000000000000321225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.351{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.334{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.320{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.157{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.059{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=477DD69D48FB2E71D268AB9CEF38FE97,SHA256=7BD858AB39D95CB025AC53ADBDFDA43C2C3B1003DEE2E181D211903E1FD12F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:38.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE6D8F00CC92520568B69DCD5A5AA2,SHA256=50BE644D3AC4F55653504131A47A4B4F5AD5F68626C11CDA3CF928FDD90F392E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.948{72106695-9B85-63D3-1500-00000000BD02}10401400C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000321284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.936{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29E550D41F9263B9115BF9CA7CF90C2E,SHA256=A6FAD30AA1B8B475A9D9A3727A2F12D4B4DDFC78E90B487CA702878693E80C8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.934{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.932{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000321281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.854{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x8000000000000000321280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.838{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000321279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.823{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.791{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C758659A6275AC78DF0FB4B4361513,SHA256=B67885E0DF12DB6BC8F0049F572BCAEAC8342B62AF8E361234D97A9015522FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.557{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.554{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\system32\services.exe+21fc|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000321259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:38.505{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSecc3ff9c-fa8e-4199-857f-b75585ed9495 354300x8000000000000000447353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000321255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.346{72106695-9B88-63D3-4200-00000000BD02}2308NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=4EFFFA1A69CC68965A020830F5849EB6,SHA256=B483BF142AF92CA4090161655EEB82EBFAE5BD835896B15A5680CD0824CC2C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.345{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=1161D921BD8756FC0D09FD5A8FF30390,SHA256=51426F2AD7CD6596FD9901BA303332AAA9A3CE8B8E41D49A482CA065644ED78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.335{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=D39D4B1DA933984BCD42FC8C9F39C9B0,SHA256=88E0663C2A1D43E4F65D6FA8CB51B18E421F3956F9394B8731D55A81ADFFAF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.190{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.189{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.186{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F439E8AC870F29B1F3199DAC8AA8C24,SHA256=FFD3D46770CB2C85FCDE2FAC4058FF6A1A23D2496F4CCE7327B7EC464F606EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.168{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=4EC9C6C86A2B618E8C869B7DD272B0EE,SHA256=8DEA3B617E28770368FF4E708938FC78D8AFC9C6D79D530B4DBDE5E347D7F403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.045{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000447376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.886{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE736B63A8E7CE514BA6F19CC7D92E8,SHA256=DD05A6A8AA71803466C2B07EE713D6F1D83E3E6192D8AC4FCE472E4A48E2DBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.048{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50959-false10.0.1.12-8089- 354300x8000000000000000321318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-ctus-attack-range-21256808- 10341000x8000000000000000321317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F64870753C047B34F46942904FB00F,SHA256=6D44125926AB0DE0864E5E576685A5E8659F61AD757F7F4A0AC5FED4EA5D5039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.579{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.548{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E8BD7CC9E64831DAD05E0C1663506,SHA256=31B93541583E60229ABF5B6F84C967D5104A4F5FCB90DB61603E507C16FD596B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.532{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761DD7037D6CFE9776F2807725AFCD35,SHA256=D229E926B5569F88F6D16DE0FD4E26CEE45AFBA4DAFE8F454576E7F4C03277E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\i640CheckReachable43DF1BC3-3BED-4CA0-A281-3F36D5D53C5AMD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 354300x8000000000000000447375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.162{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56804- 354300x8000000000000000447374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.078{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57619- 10341000x8000000000000000447373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.486{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.411{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000321308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.501{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.489{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.724{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50958-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http 354300x8000000000000000321305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.646{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50957-false52.109.4.18-443https 23542300x8000000000000000321304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.423{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.408{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.392{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\VersionDescriptor.xmlMD5=734094314B1AD4B9A51659C4C2B6F662,SHA256=52C2539D10DEBBA4C8DB2F9C18E7B7805BC1F9E229DF7ED209CBEE08B82AB57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.391{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64_16.0.15601.20456.cabMD5=8BBD8448DC98A6B5A8852A09FAEB1C60,SHA256=FBA7F173490B588AB932C6E104FD9C59BF561E484B533FF0C3BB0550336EA443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.376{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64.hashMD5=A261BD5EDAFDF1EE98823D307848AC04,SHA256=5F8C91FB1B1004A895AB67CF027306F45937D97F757A3D3ACCC31F09C9C63E24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.130{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.107{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.101{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.099{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\v64_16.0.15601.20456CheckReachable5D0DC3DE-8825-4157-B863-B1E706CF6A39MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.088{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.075{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.026{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.010{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000447385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.955{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6BCFF9BDE48661C5909B00C14D38B,SHA256=02A61D1433AE3BA705445DB2526461362E51D29C9DFFB1E1FC4A8CDA88CB2133,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RClient.exe2023-01-27 11:22:40.971 11241100x8000000000000000321469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcr120.dll2023-01-27 11:22:40.971 11241100x8000000000000000321468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp140.dll2023-01-27 11:22:40.955 11241100x8000000000000000321467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp120.dll2023-01-27 11:22:40.955 11241100x8000000000000000321466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msix.dll2023-01-27 11:22:40.924 11241100x8000000000000000321465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\MavInject32.exe2023-01-27 11:22:40.924 11241100x8000000000000000321464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.893{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\manageability.dll2023-01-27 11:22:40.893 11241100x8000000000000000321463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.846{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\inventory.dll2023-01-27 11:22:40.846 23542300x8000000000000000321462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.815{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE596BEA2684543DBE5CA6C167BD5E,SHA256=A500F0519383C8279D933F01026E2DE29058886ACA4012F0CD116D781F391120,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\IntegratedOffice.exe2023-01-27 11:22:40.752 11241100x8000000000000000321460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\InspectorOfficeGadget.exe2023-01-27 11:22:40.752 11241100x8000000000000000321459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\concrt140.dll2023-01-27 11:22:40.752 354300x8000000000000000321458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-ctus-attack-range-21256808-false239.255.255.250-1900ssdp 10341000x8000000000000000321457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.644{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RUI.dll2023-01-27 11:22:40.644 10341000x8000000000000000321453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.643{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.642{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-tw.dll2023-01-27 11:22:40.641 11241100x8000000000000000321451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.637{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-cn.dll2023-01-27 11:22:40.636 10341000x8000000000000000321450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.635{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.630{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.vi-vn.dll2023-01-27 11:22:40.629 10341000x8000000000000000321448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.625{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.uk-ua.dll2023-01-27 11:22:40.623 10341000x8000000000000000321446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.623{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.622{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.tr-tr.dll2023-01-27 11:22:40.621 11241100x8000000000000000321444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.615{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.th-th.dll2023-01-27 11:22:40.615 11241100x8000000000000000321443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.614{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sv-se.dll2023-01-27 11:22:40.614 11241100x8000000000000000321442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.613{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sr-latn-rs.dll2023-01-27 11:22:40.613 11241100x8000000000000000321441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.612{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sl-si.dll2023-01-27 11:22:40.610 11241100x8000000000000000321440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.610{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sk-sk.dll2023-01-27 11:22:40.610 11241100x8000000000000000321439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.609{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ru-ru.dll2023-01-27 11:22:40.609 11241100x8000000000000000321438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ro-ro.dll2023-01-27 11:22:40.608 11241100x8000000000000000321437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-pt.dll2023-01-27 11:22:40.608 11241100x8000000000000000321436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.607{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-br.dll2023-01-27 11:22:40.607 11241100x8000000000000000321435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pl-pl.dll2023-01-27 11:22:40.606 11241100x8000000000000000321434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nl-nl.dll2023-01-27 11:22:40.605 11241100x8000000000000000321433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.605{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nb-no.dll2023-01-27 11:22:40.604 11241100x8000000000000000321432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.604{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ms-my.dll2023-01-27 11:22:40.600 11241100x8000000000000000321431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lv-lv.dll2023-01-27 11:22:40.599 11241100x8000000000000000321430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lt-lt.dll2023-01-27 11:22:40.599 11241100x8000000000000000321429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.598{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ko-kr.dll2023-01-27 11:22:40.598 11241100x8000000000000000321428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.597{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.kk-kz.dll2023-01-27 11:22:40.597 11241100x8000000000000000321427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.596{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ja-jp.dll2023-01-27 11:22:40.596 11241100x8000000000000000321426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.595{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.it-it.dll2023-01-27 11:22:40.595 11241100x8000000000000000321425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.594{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.id-id.dll2023-01-27 11:22:40.594 11241100x8000000000000000321424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.593{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hu-hu.dll2023-01-27 11:22:40.593 11241100x8000000000000000321423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hr-hr.dll2023-01-27 11:22:40.592 11241100x8000000000000000321422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hi-in.dll2023-01-27 11:22:40.591 11241100x8000000000000000321421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.589{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.he-il.dll2023-01-27 11:22:40.589 11241100x8000000000000000321420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-fr.dll2023-01-27 11:22:40.584 11241100x8000000000000000321419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-ca.dll2023-01-27 11:22:40.583 11241100x8000000000000000321418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.583{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fi-fi.dll2023-01-27 11:22:40.583 11241100x8000000000000000321417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.et-ee.dll2023-01-27 11:22:40.582 11241100x8000000000000000321416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-mx.dll2023-01-27 11:22:40.581 11241100x8000000000000000321415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.581{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-es.dll2023-01-27 11:22:40.581 11241100x8000000000000000321414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.580{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-us.dll2023-01-27 11:22:40.579 11241100x8000000000000000321413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.578{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-gb.dll2023-01-27 11:22:40.578 10341000x8000000000000000321412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.578{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.el-gr.dll2023-01-27 11:22:40.577 11241100x8000000000000000321410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.de-de.dll2023-01-27 11:22:40.577 11241100x8000000000000000321409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.576{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.da-dk.dll2023-01-27 11:22:40.576 11241100x8000000000000000321408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.cs-cz.dll2023-01-27 11:22:40.575 11241100x8000000000000000321407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.bg-bg.dll2023-01-27 11:22:40.575 11241100x8000000000000000321406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.574{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ar-sa.dll2023-01-27 11:22:40.573 11241100x8000000000000000321405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.569{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r64werhandler.dll2023-01-27 11:22:40.569 10341000x8000000000000000321404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.567{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.550{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R64.dll2023-01-27 11:22:40.550 11241100x8000000000000000321402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.548{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r32werhandler.dll2023-01-27 11:22:40.547 10341000x8000000000000000321401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.547{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.535{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 354300x8000000000000000447384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52336- 354300x8000000000000000447383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57086- 354300x8000000000000000447382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58701- 10341000x8000000000000000447381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.113{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.110{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.108{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000321399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.531{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.531{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R32.dll2023-01-27 11:22:40.531 11241100x8000000000000000321397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.528{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVShNotify.exe2023-01-27 11:22:40.528 10341000x8000000000000000321396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.527{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.526{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.524{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVScripting.dll2023-01-27 11:22:40.524 10341000x8000000000000000321393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.523{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.515{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVPolicy.dll2023-01-27 11:22:40.514 10341000x8000000000000000321389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.513{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.512{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.510{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.508{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.507{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVOrchestration.dll2023-01-27 11:22:40.507 10341000x8000000000000000321383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.501{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.500{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVManifest.dll2023-01-27 11:22:40.500 10341000x8000000000000000321381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.497{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.495{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvVirtualization.dll2023-01-27 11:22:40.494 11241100x8000000000000000321379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.492{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystems64_msix.dll2023-01-27 11:22:40.490 354300x8000000000000000321378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.325{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50962-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http 10341000x8000000000000000321377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.482{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.475{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.473{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64_arm64x.dll2023-01-27 11:22:40.473 10341000x8000000000000000321374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.458{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.456{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64.dll2023-01-27 11:22:40.456 11241100x8000000000000000321372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.454{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32_msix.dll2023-01-27 11:22:40.454 10341000x8000000000000000321371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.442{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.442{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32.dll2023-01-27 11:22:40.437 10341000x8000000000000000321369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.437{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.426{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.423{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystemController.dll2023-01-27 11:22:40.422 11241100x8000000000000000321366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.419{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvStreamingManager.dll2023-01-27 11:22:40.419 11241100x8000000000000000321365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.414{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvApi.dll2023-01-27 11:22:40.414 11241100x8000000000000000321364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.401{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIntegration.dll2023-01-27 11:22:40.401 11241100x8000000000000000321363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.398{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVFileSystemMetadata.dll2023-01-27 11:22:40.397 10341000x8000000000000000321362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.391{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.385{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.384{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\appvcleaner.exe2023-01-27 11:22:40.384 11241100x8000000000000000321359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.379{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVCatalog.dll2023-01-27 11:22:40.379 10341000x8000000000000000321358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.376{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.375{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ApiClient.dll2023-01-27 11:22:40.375 11241100x8000000000000000321356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.373{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:40.373 11241100x8000000000000000321352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:40.372 11241100x8000000000000000321351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:40.371 11241100x8000000000000000321350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.371{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:40.370 11241100x8000000000000000321349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.370{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:40.370 10341000x8000000000000000321348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.369{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:40.369 11241100x8000000000000000321346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:40.369 11241100x8000000000000000321345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:40.368 11241100x8000000000000000321344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:40.368 11241100x8000000000000000321343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:40.367 11241100x8000000000000000321342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:40.367 11241100x8000000000000000321341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:40.365 11241100x8000000000000000321337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:40.365 11241100x8000000000000000321336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:40.364 11241100x8000000000000000321335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.364{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:40.363 11241100x8000000000000000321334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.363{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:40.362 10341000x8000000000000000321333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.358{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.352{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.345{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.336{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.328{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.320{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.315{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.186{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000321483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:41.939{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EAB55D8E3DA01287B780600A283F42,SHA256=DEE59B851684B8B128ADFFF2A1A94BA62A4D269ACDB7311845F9CD2D3C935CD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140_1.dll2023-01-27 11:22:41.502 11241100x8000000000000000321481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140.dll2023-01-27 11:22:41.502 11241100x8000000000000000321480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vccorlib140.dll2023-01-27 11:22:41.486 11241100x8000000000000000321479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.486{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ucrtbase.dll2023-01-27 11:22:41.486 11241100x8000000000000000321478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.440{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\StreamServer.dll2023-01-27 11:22:41.440 11241100x8000000000000000321477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\RepoMan.dll2023-01-27 11:22:41.371 11241100x8000000000000000321476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.352{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\policy.dll2023-01-27 11:22:41.352 11241100x8000000000000000321475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.351{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\offreg.dll2023-01-27 11:22:41.351 11241100x8000000000000000321474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.317{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officesvcmgr.exe2023-01-27 11:22:41.317 11241100x8000000000000000321473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.311{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officeinventory.dll2023-01-27 11:22:41.311 11241100x8000000000000000321472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.202{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeClickToRun.exe2023-01-27 11:22:41.202 11241100x8000000000000000321471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.183{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RCom.dll2023-01-27 11:22:41.183 23542300x8000000000000000321518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.966{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\nettun.PNFMD5=BD6709D5BF215E2CF91048A8CCDEBB3D,SHA256=C32982286CA7ACA0C46BEEA357EB862D310C77533A196F711D3B5974AC12EDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.916{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFMD5=861603879DD967E87280D332BBF7A1F3,SHA256=A4CFD010F2557CEFF643A89E8A6102E58A0380C14A6DBE6C23C372BF10E4C466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.885{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFMD5=DEB3EA3582187AC09FB17F4BFCDD1B29,SHA256=24B1DC69E5098CA0208FE82F3933595AA54D7B606E7F1313B4DDD8783C1C093F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.870{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\disk.PNFMD5=20030ACEE21A871B3AA9005F2FD441BF,SHA256=97557E28164DEA0AA2F30EE0A3C6C87A16445948CDABFD12814D979CD10EF76F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+2ccc05|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccbcf|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccb55|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000321502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x8000000000000000321501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000321500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.698{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.588{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.557{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.334{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50963-false10.0.1.12-8000- 10341000x8000000000000000321493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.511{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Temp\OfficeSetup.exe+162225|C:\Temp\OfficeSetup.exe+162311|C:\Temp\OfficeSetup.exe+162ac2|C:\Temp\OfficeSetup.exe+13640|C:\Temp\OfficeSetup.exe+1324c|C:\Temp\OfficeSetup.exe+137e5|C:\Temp\OfficeSetup.exe+339a1|C:\Temp\OfficeSetup.exe+27f2a|C:\Temp\OfficeSetup.exe+2a554|C:\Temp\OfficeSetup.exe+2a519|C:\Temp\OfficeSetup.exe+2a5f0 154100x8000000000000000321486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.272{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 baseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 version.16=16.0.15601.20456 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.271{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.223{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\i640.cabMD5=F1A87BD364E5E9ED021790138E395827,SHA256=44D2EAF5B814526EA283DAAD5333D87170CC71F63AE008BDF03B57CDAA880F13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.753{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.747{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.738{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.696{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.690{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.688{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.685{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.683{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.682{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.349{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.164{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.155{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.148{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CECBF777CAC87D775C0CC0775A4ABA,SHA256=176F6AC5695E7110B28DBDA3716D482F6790743749EF49994DB1E2CD4C03B505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s640CheckReachableFE4A2A8C-B82B-47E3-9D92-8C10965DA207MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.970{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\s641033.cabMD5=78438A5023EDFD496D311B2352D9A8D5,SHA256=9B4DB69F1588766EBA3DD44CD34F40A92B31FD42772FB640FED34214F9C54EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.830{72106695-9B85-63D3-1700-00000000BD02}12241448C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.658{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.611{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s641033CheckReachableDBF76697-148E-4FB8-A8B3-8ADAE12C4D88MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.587{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.542{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.538{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.531{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB80BC9A3DCCD43A6608C763FCAEAA6,SHA256=72B9E04BEB588EF1CFEA03D61BABF2A959E4E3B75C79B7D4497EE5868381E2B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000321545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.301{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe2023-01-27 11:22:43.301 11241100x8000000000000000321544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.295{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe2023-01-27 11:22:43.295 10341000x8000000000000000321543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.113{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.112{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.105{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.073{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.030{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000321527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Security\SecurityBinary Data 13241300x8000000000000000321526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\FailureActionsBinary Data 13241300x8000000000000000321525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Description‪Manages resource coordination, background streaming, and system integration of Microsoft Office products and their related updates. This service is required to run during the use of any Microsoft Office program, during initial streaming installation and all subsequent updates.‬ 13241300x8000000000000000321524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ObjectNameLocalSystem 13241300x8000000000000000321523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\DisplayNameMicrosoft Office Click-to-Run Service 13241300x8000000000000000321522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ImagePath"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service 13241300x8000000000000000321521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ErrorControlDWORD (0x00000001) 13241300x8000000000000000321520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\StartDWORD (0x00000002) 13241300x8000000000000000321519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\TypeDWORD (0x00000010) 23542300x8000000000000000447410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.214{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73351737D444ECB63323C5629CF838A5,SHA256=0FE9D09991A199906FD3F71B1651FD9B8ED53778975137CF8F04F2BD864C790B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.208{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54704- 354300x8000000000000000447413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.794{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000447412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.427{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61197- 23542300x8000000000000000447411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.292{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDC74D24C668FE4D5DAC34FAD45E5D9,SHA256=4F7939D05484817CE94F5A74A830153A42ECC0B4358D8A8869BB108CCC6CE034,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000321599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.830{72106695-9B85-63D3-1400-00000000BD02}1032f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Windows\System32\svchost.exe 22542200x8000000000000000321598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.766{72106695-B403-63D3-B103-00000000BD02}6092f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000321596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.694{72106695-B403-63D3-B103-00000000BD02}6092ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000321594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.219{72106695-B402-63D3-B003-00000000BD02}3780ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B3E31E15B37AC4D87868976E1137A,SHA256=4120E77B9026A483CC8CE1B1DEFEC66F9895D7590C1DAF93FA951ACEE6CAFE8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.226{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50966-false52.113.194.132-443https 10341000x8000000000000000321590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.224{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50965-false52.109.13.64-443https 10341000x8000000000000000321587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.067{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50964-false52.109.4.32-443https 23542300x8000000000000000321584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6D861F46A792E7004F2F0E59BD6B9B97,SHA256=38827ED65DCA9CB9D326BFDE3EF3DA44CE958BEBDA209B65D0906386856A2A84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.247{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\s640.cabMD5=42E186BC65953299C519806BD975C487,SHA256=54D3C789E3B1D6895623F7D5EB331F6655833E95F4D5B7BDB6DB15CA20913253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.048{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.988{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.392{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C661814CD84CE14F77F968C32159C9,SHA256=05A68394463A134F47F457E74216C0EE6F4622380C818975AE9963AB2C814591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.846{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeBinary Data 10341000x8000000000000000321617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B106-63D3-2B03-00000000BD02}9644716C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+e308e|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.836{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50971-false204.79.197.223-80http 354300x8000000000000000321612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50970-false204.79.197.223-80http 10341000x8000000000000000321611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50969-false52.113.194.132-443https 10341000x8000000000000000321608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50968-false52.109.13.64-443https 10341000x8000000000000000321605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50967-false52.109.4.32-443https 10341000x8000000000000000321602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.217{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC2EBEACB7E63CFF92B2BD6FE0AE66,SHA256=25AA34A6CFD92C814631D8499C98D04CAAB0A5676DD9A3CE0185D706B073442C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.100{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55535- 10341000x8000000000000000447437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.514{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.481{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BE29BAE8C31ACD8082EED34BBBA97F,SHA256=03C137378632EB612A9AD2FFF5D6EA31F3DACFC9664B1180D0E94024AB1E855C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CERTINTL.DLL2023-01-27 11:22:46.984 11241100x8000000000000000321717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BHOINTL.DLL2023-01-27 11:22:46.984 11241100x8000000000000000321716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BCSRuntimeRes.dll2023-01-27 11:22:46.981 11241100x8000000000000000321715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACWIZRC.DLL2023-01-27 11:22:46.981 11241100x8000000000000000321714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCOLKI.DLL2023-01-27 11:22:46.981 11241100x8000000000000000321713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL2023-01-27 11:22:46.980 11241100x8000000000000000321712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.936{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.936 11241100x8000000000000000321711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.874{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140.dll2023-01-27 11:22:46.871 11241100x8000000000000000321710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib140.dll2023-01-27 11:22:46.870 11241100x8000000000000000321709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.869{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.869 10341000x8000000000000000321708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.857{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000321705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.842{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCRTBASE.DLL2023-01-27 11:22:46.841 11241100x8000000000000000321704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840 11241100x8000000000000000321703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840 11241100x8000000000000000321702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\C2R64.dll2023-01-27 11:22:46.839 11241100x8000000000000000321701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.837 11241100x8000000000000000321700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppvIsvSubsystems64.dll2023-01-27 11:22:46.837 11241100x8000000000000000321699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.836 11241100x8000000000000000321698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:46.834 11241100x8000000000000000321697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.832{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:46.832 11241100x8000000000000000321696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.826{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PerfBoost.exe2023-01-27 11:22:46.826 11241100x8000000000000000321695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.825{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp140.dll2023-01-27 11:22:46.825 11241100x8000000000000000321694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.822{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:46.821 11241100x8000000000000000321693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.821{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:46.819 11241100x8000000000000000321692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.818{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\concrt140.dll2023-01-27 11:22:46.818 11241100x8000000000000000321691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.817{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:46.817 11241100x8000000000000000321690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.816{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:46.816 11241100x8000000000000000321689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:46.814 11241100x8000000000000000321688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:46.812 11241100x8000000000000000321687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:46.808 11241100x8000000000000000321686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.805{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:46.802 11241100x8000000000000000321682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:46.798 11241100x8000000000000000321681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:46.798 11241100x8000000000000000321680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:46.797 11241100x8000000000000000321679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:46.796 11241100x8000000000000000321678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:46.794 11241100x8000000000000000321677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:46.794 11241100x8000000000000000321676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.793{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:46.790 11241100x8000000000000000321675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:46.775 11241100x8000000000000000321674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.761{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:46.761 10341000x8000000000000000321673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.618{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.591{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.590{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.589{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.564{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.535{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.528{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.x-noneCheckReachableF182A2F5-A996-40D4-8BC2-05DAE1A41CEEMD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78 23542300x8000000000000000321659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.514{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.496{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.473{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.472{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.445{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.441{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000321649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.426{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.360{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.353{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6CF53BF62162EA6393D4E3519B088C,SHA256=F2E077849722F6E998A4BC7E365FBE3F43F494FD60C39D2F06051EDBD225EB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.334{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.330{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.en-usCheckReachable246A6C06-B9D3-425B-8436-4EC6C85B9AC8MD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78 23542300x8000000000000000321643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.317{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.305{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF25277277A604CA09DB8A95802A96A,SHA256=579974F01D034177F15A986F7C20ED68291F0D9EB3D684EF2DC7FD05BF081FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.300{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.271{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.267{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000321636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.235{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.149{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C8875B158745A54AE8A966AA8C66F2E1,SHA256=B30D38FECCF18ED578A83787A1EE5643952C58EF69F4335B74D1B7A7074C3A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000447424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.074{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58959- 23542300x8000000000000000321632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.172{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29D669D106A5C4ED725D85834094DC71,SHA256=1B04D120EA6CAB2F04F33C158B07386F5C77EE060C482D7C2B0C59E247373DC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.566{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720D7C875A2CC47EEAFDCCFE8D26A91A,SHA256=169326E5A351D0C925612F840E1FB75DE76D7F0ABB02E6C9B0D414B9175D97DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe2023-01-27 11:22:47.991 11241100x8000000000000000321780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe2023-01-27 11:22:47.976 11241100x8000000000000000321779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe2023-01-27 11:22:47.976 11241100x8000000000000000321778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe2023-01-27 11:22:47.944 11241100x8000000000000000321777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe2023-01-27 11:22:47.944 11241100x8000000000000000321776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ocapires.dll2023-01-27 11:22:47.944 11241100x8000000000000000321775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotelemetryintl.dll2023-01-27 11:22:47.929 11241100x8000000000000000321774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotdintl.dll2023-01-27 11:22:47.929 11241100x8000000000000000321773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\lyncDesktopResources.dll2023-01-27 11:22:47.929 11241100x8000000000000000321772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLSLICER.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLLEX.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLINTL32.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe2023-01-27 11:22:47.929 11241100x8000000000000000321768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.913{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:47.913 11241100x8000000000000000321767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WWINTL.DLL2023-01-27 11:22:47.898 11241100x8000000000000000321766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe2023-01-27 11:22:47.898 11241100x8000000000000000321765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:47.898 11241100x8000000000000000321764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe2023-01-27 11:22:47.898 11241100x8000000000000000321763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe2023-01-27 11:22:47.898 11241100x8000000000000000321762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe2023-01-27 11:22:47.898 11241100x8000000000000000321761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UmOutlookStrings.dll2023-01-27 11:22:47.898 11241100x8000000000000000321760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UccApiRes.dll2023-01-27 11:22:47.882 11241100x8000000000000000321759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UcAddinRes.dll2023-01-27 11:22:47.882 11241100x8000000000000000321758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe2023-01-27 11:22:47.882 11241100x8000000000000000321757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.866 11241100x8000000000000000321756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLISTI.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SOCIALCONNECTORRES.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SLINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QRYINT32.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBWZINT.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUB6INTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTOCOLHANDLERINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PPINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcPubRes.dll2023-01-27 11:22:47.866 11241100x8000000000000000321747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcHelperResource.dll2023-01-27 11:22:47.851 11241100x8000000000000000321746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLWVW.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLLIBR.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCINTL.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.835 354300x8000000000000000321742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.741{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50974-false204.79.197.223-80http 354300x8000000000000000321741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.718{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50973-false52.109.13.64-443https 23542300x8000000000000000321740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.609{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122a.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.504{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50972-false10.0.1.12-8000- 23542300x8000000000000000321738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.404{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9E70D3961748F4ABB6CF9F2DBC30DE,SHA256=2CC81AEBF3490DC0903B8DD70600B167A5830AC761A4F9BF9721394130ED9F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.401{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D22061A5E61CA2DE1B9723E6A23EFB,SHA256=4A578A22EC702A064CC2DC4CFD195CAD2ECFD99A43143C3605381B6E22B3DA0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000447451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.207{45AAC21C-B407-63D3-BE03-00000000BC02}42482108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000447447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB704D141CB890F4A1BD1C28A3466F6,SHA256=D789AD4DFA5DE5ED5D562BBC49448FD84B13BB346B15191764A1DFEE1D3BE121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.013{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000321733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMSINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMICAUTINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSSRINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSAIN.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MOR6INT.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPIR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\IFDPINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRLEX.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRINTL32.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EntityPickerIntl.dll2023-01-27 11:22:47.056 11241100x8000000000000000321721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXPTOOWS.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ENVELOPR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CLVWINTL.DLL2023-01-27 11:22:46.994 23542300x8000000000000000447454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.759{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C42F23D3B6DDF63EF2DF6D579B755B,SHA256=A077CC3456C45EC9BBEBADBB9404B68A069C3ACC0FFCB8751316E58AEF023DEA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.PasswordManager.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20ENU.DLL2023-01-27 11:22:48.955 11241100x8000000000000000321957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelServices.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelAddin.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.Diagram.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ClientConfiguration.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.AuditItems.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\NATIVESHIM.RESOURCES.DLL2023-01-27 11:22:48.955 11241100x8000000000000000321949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OcHelperResource.dll2023-01-27 11:22:48.940 11241100x8000000000000000321946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.924{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll2023-01-27 11:22:48.924 11241100x8000000000000000321943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.902{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\BHOINTL.DLL2023-01-27 11:22:48.901 11241100x8000000000000000321942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll2023-01-27 11:22:48.897 11241100x8000000000000000321941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.896 11241100x8000000000000000321940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.892{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL2023-01-27 11:22:48.892 11241100x8000000000000000321939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.890{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL2023-01-27 11:22:48.890 11241100x8000000000000000321938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.889{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL2023-01-27 11:22:48.888 11241100x8000000000000000321937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL2023-01-27 11:22:48.886 11241100x8000000000000000321936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL2023-01-27 11:22:48.885 11241100x8000000000000000321935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FSTOCK.DLL2023-01-27 11:22:48.873 11241100x8000000000000000321934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL2023-01-27 11:22:48.872 11241100x8000000000000000321933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL2023-01-27 11:22:48.871 11241100x8000000000000000321932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL2023-01-27 11:22:48.871 11241100x8000000000000000321931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.859{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll2023-01-27 11:22:48.859 11241100x8000000000000000321930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.641 11241100x8000000000000000321929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\GettingStarted16\SLINTL.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7fr.dll2023-01-27 11:22:48.625 11241100x8000000000000000321922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.621{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7es.dll2023-01-27 11:22:48.621 11241100x8000000000000000321921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.619{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7en.dll2023-01-27 11:22:48.619 11241100x8000000000000000321920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.552{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll2023-01-27 11:22:48.552 11241100x8000000000000000321919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll2023-01-27 11:22:48.548 11241100x8000000000000000321918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.545 11241100x8000000000000000321917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.544 11241100x8000000000000000321916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.542{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.542 11241100x8000000000000000321915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.528{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.528 11241100x8000000000000000321914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.525 11241100x8000000000000000321913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.523 11241100x8000000000000000321912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.520{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.520 11241100x8000000000000000321911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.490 11241100x8000000000000000321910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.489 11241100x8000000000000000321909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.488 11241100x8000000000000000321908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.488{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.487 11241100x8000000000000000321907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.484 11241100x8000000000000000321906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.483 11241100x8000000000000000321905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.483{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.481 11241100x8000000000000000321904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.479 11241100x8000000000000000321903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.477 11241100x8000000000000000321902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.476{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.475 11241100x8000000000000000321901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.475 11241100x8000000000000000321900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.469 11241100x8000000000000000321893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.469 11241100x8000000000000000321892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.468 11241100x8000000000000000321891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.463 11241100x8000000000000000321890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.463{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.462 11241100x8000000000000000321889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.462{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.462 11241100x8000000000000000321888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL2023-01-27 11:22:48.461 11241100x8000000000000000321887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140_1.dll2023-01-27 11:22:48.461 11241100x8000000000000000321886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.460 11241100x8000000000000000321885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.460 11241100x8000000000000000321884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.448 23542300x8000000000000000321883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.460{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B755EEA9444801AFD6A2BF8EDBE219E,SHA256=11281C33C54E54B087DCDDDFB9F323DC8CB9B13BCC48C3CB24EF7C9820B178E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.448{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D7ECF0A4A6ABFDF98E09543AB05CC2,SHA256=1A99DD171F1C7D84D6E2593A84CA06398E93B035A1EBC03F9518CE7DF3C4F52F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.433{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dll2023-01-27 11:22:48.433 11241100x8000000000000000321880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll2023-01-27 11:22:48.425 11241100x8000000000000000321879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.414{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.414 11241100x8000000000000000321878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.405 11241100x8000000000000000321877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.402{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.402 11241100x8000000000000000321876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msgfilt.dll2023-01-27 11:22:48.397 11241100x8000000000000000321875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.396 23542300x8000000000000000447453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.038{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F782B410078CBB2F893449A791CA2748,SHA256=26840C0A44E21B4A6A21188788E98ABBDAB5ABA225699BEB813C899AD91FE624,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.351 11241100x8000000000000000321873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.350 11241100x8000000000000000321872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.350 11241100x8000000000000000321871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.349{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.348 11241100x8000000000000000321870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.348 11241100x8000000000000000321869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.347 11241100x8000000000000000321868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.347 11241100x8000000000000000321867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.341 11241100x8000000000000000321860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.341 11241100x8000000000000000321859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.339 11241100x8000000000000000321854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.339{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.336 11241100x8000000000000000321853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.336{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.335 11241100x8000000000000000321852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.335{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.335 11241100x8000000000000000321851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OWSSUPP.DLL2023-01-27 11:22:48.333 11241100x8000000000000000321850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFPROXY.DLL2023-01-27 11:22:48.319 11241100x8000000000000000321849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NPSPWRAP.DLL2023-01-27 11:22:48.319 11241100x8000000000000000321848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSB.DLL2023-01-27 11:22:48.314 11241100x8000000000000000321847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEV.DLL2023-01-27 11:22:48.314 11241100x8000000000000000321846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\JitV.dll2023-01-27 11:22:48.310 11241100x8000000000000000321845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Interceptor.dll2023-01-27 11:22:48.306 11241100x8000000000000000321844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.300{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Integrator.exe2023-01-27 11:22:48.300 11241100x8000000000000000321843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140_1.dll2023-01-27 11:22:48.241 11241100x8000000000000000321842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140.dll2023-01-27 11:22:48.240 11241100x8000000000000000321841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vccorlib140.dll2023-01-27 11:22:48.239 11241100x8000000000000000321840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8FR.DLL2023-01-27 11:22:48.221 11241100x8000000000000000321839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\ucrtbase.dll2023-01-27 11:22:48.221 11241100x8000000000000000321838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8ES.DLL2023-01-27 11:22:48.221 11241100x8000000000000000321837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8EN.DLL2023-01-27 11:22:48.205 11241100x8000000000000000321836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7FR.DLL2023-01-27 11:22:48.205 11241100x8000000000000000321835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcr120.dll2023-01-27 11:22:48.205 11241100x8000000000000000321834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7ES.DLL2023-01-27 11:22:48.190 11241100x8000000000000000321833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7EN.DLL2023-01-27 11:22:48.190 11241100x8000000000000000321832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp140.dll2023-01-27 11:22:48.190 11241100x8000000000000000321831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000C.dll2023-01-27 11:22:48.190 11241100x8000000000000000321830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp120.dll2023-01-27 11:22:48.190 23542300x8000000000000000321829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=7E28CA982D0207B8FBACBA001B55DE3C,SHA256=1CC6E4C1EC4D3CB5FF85FEB14B9152A664ACB79D66411D836B9C59D8DF313BAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000A.dll2023-01-27 11:22:48.174 11241100x8000000000000000321827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS0009.dll2023-01-27 11:22:48.174 11241100x8000000000000000321826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSYUBIN7.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\SOLVER\SOLVER32.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000C.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000A.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA0009.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\TRANSMRR.DLL2023-01-27 11:22:48.158 23542300x8000000000000000321820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=B804CA082B6CD88A825A46051584F06F,SHA256=3DDC33F6EF2963407F26C11F5248D84545BF9082CE5E64AB8668A709813A0460,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\LOCALDV.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\wxpr.dll2023-01-27 11:22:48.158 11241100x8000000000000000321817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\mfc140u.dll2023-01-27 11:22:48.143 23542300x8000000000000000321816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\C2R64.dll2023-01-27 11:22:48.089 11241100x8000000000000000321814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppvIsvSubsystems64.dll2023-01-27 11:22:48.088 11241100x8000000000000000321813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\concrt140.dll2023-01-27 11:22:48.084 11241100x8000000000000000321812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.084{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVLP.exe2023-01-27 11:22:48.084 11241100x8000000000000000321811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.082{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate64.exe2023-01-27 11:22:48.081 11241100x8000000000000000321810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate32.exe2023-01-27 11:22:48.081 11241100x8000000000000000321809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate.exe2023-01-27 11:22:48.079 11241100x8000000000000000321808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.078{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.076 11241100x8000000000000000321804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.076 11241100x8000000000000000321803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.075 11241100x8000000000000000321802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.071{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.069 11241100x8000000000000000321801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.069 11241100x8000000000000000321800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.068 11241100x8000000000000000321799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.068 11241100x8000000000000000321798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.064 11241100x8000000000000000321791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.064 11241100x8000000000000000321790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.063 11241100x8000000000000000321789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe2023-01-27 11:22:48.061 11241100x8000000000000000321785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe2023-01-27 11:22:48.023 11241100x8000000000000000321784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.007{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe2023-01-27 11:22:48.007 11241100x8000000000000000321783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe2023-01-27 11:22:47.991 11241100x8000000000000000321782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe2023-01-27 11:22:47.991 10341000x8000000000000000447474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.869{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.852{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D000F6EAC4AA557EE845601C284DEE9,SHA256=E7682D395B04FEC5FC79C85F32FBAB170611AA81510C9632B7BC17E8D9FE2804,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.966{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLMACRO.CHM2023-01-27 11:22:49.966 11241100x8000000000000000322009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.950{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WordNaiveBayesCommandRanker.txt2023-01-27 11:22:49.950 11241100x8000000000000000322008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPackEula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2021Eula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2019Eula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLIST.CHM2023-01-27 11:22:49.760 11241100x8000000000000000322004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\smb_eula.txt2023-01-27 11:22:49.760 11241100x8000000000000000322003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt2023-01-27 11:22:49.758 11241100x8000000000000000322002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.758{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2021_eula.txt2023-01-27 11:22:49.745 11241100x8000000000000000322001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt2023-01-27 11:22:49.745 11241100x8000000000000000322000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2021_eula.txt2023-01-27 11:22:49.745 23542300x8000000000000000321999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.508{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD92912EAC32CC737E88DD12F70CFC0B,SHA256=222EFDB63236ED6CBB235A6813899324070275BBA4D9D36A8BAB85E4E7035499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.505{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627C46EB5C44F5988F91CF07C081B10C,SHA256=F91238F386D666B990367D63E7C41EF041D3BCB974B6B7AA314C1C783BF86FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.399{45AAC21C-B409-63D3-BF03-00000000BC02}26246052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 11241100x8000000000000000321997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.XLS2023-01-27 11:22:49.347 11241100x8000000000000000321996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.XLS2023-01-27 11:22:49.346 11241100x8000000000000000321995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.PPT2023-01-27 11:22:49.346 11241100x8000000000000000321994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.346{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.PPT2023-01-27 11:22:49.346 11241100x8000000000000000321993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt2023-01-27 11:22:49.339 11241100x8000000000000000321992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookTaskNaiveBayesCommandRanker.txt2023-01-27 11:22:49.332 11241100x8000000000000000321991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.331{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookNaiveBayesCommandRanker.txt2023-01-27 11:22:49.331 11241100x8000000000000000321990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqSendNaiveBayesCommandRanker.txt2023-01-27 11:22:49.329 11241100x8000000000000000321989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.328 11241100x8000000000000000321988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.327{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.327 11241100x8000000000000000321987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.325{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailNaiveBayesCommandRanker.txt2023-01-27 11:22:49.325 11241100x8000000000000000321986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.323{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookApptNaiveBayesCommandRanker.txt2023-01-27 11:22:49.322 11241100x8000000000000000321985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.222{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookAddrNaiveBayesCommandRanker.txt2023-01-27 11:22:49.222 11241100x8000000000000000321984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.199{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCHART.CHM2023-01-27 11:22:49.199 11241100x8000000000000000321983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.188{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSQRY32.CHM2023-01-27 11:22:49.187 11241100x8000000000000000321982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncBasic_Eula.txt2023-01-27 11:22:49.111 11241100x8000000000000000321981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncVDI_Eula.txt2023-01-27 11:22:49.107 11241100x8000000000000000321980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt2023-01-27 11:22:49.091 11241100x8000000000000000321979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_M365_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientPreview_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\client_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2019_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000321961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000321960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2021_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000322015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-27 11:22:50.677 11241100x8000000000000000322014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-27 11:22:50.677 11241100x8000000000000000322013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe2023-01-27 11:22:50.677 23542300x8000000000000000322012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.612{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-101MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.550{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9218CD53C9C2F450ABF6FE704510168,SHA256=8797C9F8ADC1A59F2609BC7B6675B2FF8E5C8A0D7C0E56024644782996E1C50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.672{45AAC21C-B40A-63D3-C103-00000000BC02}45524624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.470{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.111{45AAC21C-B409-63D3-C003-00000000BC02}17081336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x8000000000000000322020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAMPLES\SOLVSAMP.XLS2023-01-27 11:22:51.770 11241100x8000000000000000322019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:51.744{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Addons\OneDriveSetup.exe2023-01-27 11:22:51.744 23542300x8000000000000000322018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.606{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F47179D9CC89D09602AAFB328AAD3E,SHA256=BAD9186FF768F7C68AB034250E7D70736FC2EF7E3E5BD37EBAF56E7726E0829D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.643{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.740{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A5201FA07A1EB90EFD788FA6F8A6A7,SHA256=8CD9FFB9DD6515942174F2420FA9EA10975326C0AFFF988E0780B6A508DDD31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.269{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ACCOLK.DLL2023-01-27 11:22:52.849 11241100x8000000000000000322024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACEDAO.DLL2023-01-27 11:22:52.849 11241100x8000000000000000322023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.628{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ.DLL2023-01-27 11:22:52.627 11241100x8000000000000000322022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:52.624{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCICONS.EXE2023-01-27 11:22:52.624 23542300x8000000000000000322021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.592{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21185B957A735BBEFE486683E5E7BB7,SHA256=9B7E2684862CE4C3A62EE88E341C59585A580DD27DD26804D8A369085B275463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8780856D97B81386002FD772C6228A0,SHA256=791D1F7173A9384C31D8D9532174F972DD4474EC5903A51A6A66B226C7B65126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.139{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC610E28001EB0A3857B4DFA17ACD3,SHA256=B35A6F792157DB7455D8522138F406FDFD877A98B0591750057EA76AD86251FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45EA5913BFEF55D14BED3A570CF4831,SHA256=8E06897D193ECD6264B7C0B2B38DC100F310F827168040E763CA7D25920286F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll2023-01-27 11:22:53.828 11241100x8000000000000000322058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll2023-01-27 11:22:53.827 11241100x8000000000000000322057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll2023-01-27 11:22:53.814 11241100x8000000000000000322056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll2023-01-27 11:22:53.814 11241100x8000000000000000322055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2023-01-27 11:22:53.569 10341000x8000000000000000322054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.518{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.341{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099331F536251554CD577D42BC294B2F,SHA256=7DB420DFEA69F90415558806B7B00274B7577F32B480122E5C0ED331847F3EB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.569{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll2023-01-27 11:22:53.569 11241100x8000000000000000322045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll2023-01-27 11:22:53.568 11241100x8000000000000000322044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll2023-01-27 11:22:53.360 23542300x8000000000000000322043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.531{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=0437BF4F0955874D4DA79AEA907BD746,SHA256=D9B05893A250C8D607753978E5F86B250C05D8D74F7AA1117F1D0EF167CC62E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.331{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50975-false10.0.1.12-8000- 10341000x8000000000000000322041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.492{72106695-9B85-63D3-1700-00000000BD02}12242536C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll2023-01-27 11:22:53.359 11241100x8000000000000000322039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.Json.dll2023-01-27 11:22:53.359 11241100x8000000000000000322038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.EventFlags.dll2023-01-27 11:22:53.358 11241100x8000000000000000322037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll2023-01-27 11:22:53.358 11241100x8000000000000000322036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Extensions.Logging.Abstractions.dll2023-01-27 11:22:53.358 11241100x8000000000000000322035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Workbook.dll2023-01-27 11:22:53.357 11241100x8000000000000000322034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Views.dll2023-01-27 11:22:53.357 11241100x8000000000000000322033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.UWP.dll2023-01-27 11:22:53.357 11241100x8000000000000000322032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.StreamerUI.dll2023-01-27 11:22:53.356 11241100x8000000000000000322031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Service.dll2023-01-27 11:22:53.354 11241100x8000000000000000322030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Serial.dll2023-01-27 11:22:53.354 11241100x8000000000000000322029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Manifest.dll2023-01-27 11:22:53.352 11241100x8000000000000000322028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.352{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll2023-01-27 11:22:53.352 11241100x8000000000000000322027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.101{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Core.dll2023-01-27 11:22:53.101 11241100x8000000000000000322026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ColleagueImport.dll2023-01-27 11:22:52.849 10341000x8000000000000000322130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.724{72106695-B40E-63D3-B403-00000000BD02}7406112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll2023-01-27 11:22:54.708 11241100x8000000000000000322128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll2023-01-27 11:22:54.708 11241100x8000000000000000322127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.ProgramSynthesis.dll2023-01-27 11:22:54.708 11241100x8000000000000000322126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll2023-01-27 11:22:54.708 11241100x8000000000000000322125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll2023-01-27 11:22:54.708 11241100x8000000000000000322124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.Library45.dll2023-01-27 11:22:54.708 11241100x8000000000000000322123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.dll2023-01-27 11:22:54.708 11241100x8000000000000000322122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.Shared.dll2023-01-27 11:22:54.708 11241100x8000000000000000322121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.EdgeChromium.dll2023-01-27 11:22:54.708 11241100x8000000000000000322120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll2023-01-27 11:22:54.609 23542300x8000000000000000447501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:54.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3856807CDE20AC3DAC7618F4A9A35BF8,SHA256=99ADE4A565276E573C740B41E119B4EE176CC1117B7B357316C9F9F90435405D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll2023-01-27 11:22:54.609 11241100x8000000000000000322118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll2023-01-27 11:22:54.609 11241100x8000000000000000322117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll2023-01-27 11:22:54.608 11241100x8000000000000000322116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll2023-01-27 11:22:54.608 11241100x8000000000000000322115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe2023-01-27 11:22:54.608 11241100x8000000000000000322114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll2023-01-27 11:22:54.607 11241100x8000000000000000322113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll2023-01-27 11:22:54.607 11241100x8000000000000000322112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll2023-01-27 11:22:54.607 11241100x8000000000000000322111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll2023-01-27 11:22:54.607 11241100x8000000000000000322110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll2023-01-27 11:22:54.606 11241100x8000000000000000322109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.606{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll2023-01-27 11:22:54.605 11241100x8000000000000000322108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.604{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe2023-01-27 11:22:54.604 11241100x8000000000000000322107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe2023-01-27 11:22:54.601 11241100x8000000000000000322106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe2023-01-27 11:22:54.600 23542300x8000000000000000322105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.568{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604BCF9BD2FD101C1B69B261791092F4,SHA256=9246B38D41CE27EB5BFE93E9FBE449BA599C31F6896F8CA192FA55A46971B0B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50977-false72.21.91.29-80http 354300x8000000000000000322103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50976-false51.104.15.253-443https 10341000x8000000000000000322102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.518{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.358{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM2023-01-27 11:22:54.309 11241100x8000000000000000322093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM2023-01-27 11:22:54.309 11241100x8000000000000000322092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM2023-01-27 11:22:54.308 11241100x8000000000000000322091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.306{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM2023-01-27 11:22:54.305 11241100x8000000000000000322086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.290{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM2023-01-27 11:22:54.290 11241100x8000000000000000322085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM2023-01-27 11:22:54.287 11241100x8000000000000000322084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM2023-01-27 11:22:54.286 11241100x8000000000000000322083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM2023-01-27 11:22:54.285 11241100x8000000000000000322082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll2023-01-27 11:22:54.275 11241100x8000000000000000322081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll2023-01-27 11:22:54.275 11241100x8000000000000000322080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.274{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll2023-01-27 11:22:54.272 11241100x8000000000000000322079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL2023-01-27 11:22:54.273 11241100x8000000000000000322078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.268{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll2023-01-27 11:22:54.267 11241100x8000000000000000322077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.267{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.Extension.dll2023-01-27 11:22:54.265 23542300x8000000000000000322076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.194{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=9401611DCE9F0B7D4453FA874B37FF66,SHA256=9168922BF719C301820EBC7A41E2397B302203595F42AF285AEA52B6F1148BFC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll2023-01-27 11:22:54.112 11241100x8000000000000000322074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll2023-01-27 11:22:54.112 11241100x8000000000000000322073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll2023-01-27 11:22:54.112 11241100x8000000000000000322072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll2023-01-27 11:22:54.112 10341000x8000000000000000322071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.081{72106695-B40D-63D3-B303-00000000BD02}58723960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll2023-01-27 11:22:54.047 11241100x8000000000000000322069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll2023-01-27 11:22:54.047 11241100x8000000000000000322068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll2023-01-27 11:22:54.047 11241100x8000000000000000322067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll2023-01-27 11:22:54.047 11241100x8000000000000000322066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll2023-01-27 11:22:54.047 11241100x8000000000000000322065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\OTelCS.dll2023-01-27 11:22:54.047 11241100x8000000000000000322064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyClustering.dll2023-01-27 11:22:54.047 11241100x8000000000000000322063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll2023-01-27 11:22:54.047 11241100x8000000000000000322062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll2023-01-27 11:22:54.047 11241100x8000000000000000322061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll2023-01-27 11:22:53.814 23542300x8000000000000000447503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:55.629{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80C8C36CA3960B65C5A732C8B890561,SHA256=30C937AD71FE18CFD9E1682F4FDB698BB49B10195EACD05BA79B13CD290B0812,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.976 11241100x8000000000000000322212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.975 11241100x8000000000000000322211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.975 11241100x8000000000000000322210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.975 11241100x8000000000000000322209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.974 11241100x8000000000000000322208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.974 11241100x8000000000000000322207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.971 11241100x8000000000000000322206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.972{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:55.972 11241100x8000000000000000322205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll2023-01-27 11:22:55.971 11241100x8000000000000000322204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.967 11241100x8000000000000000322203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.967{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:55.965 11241100x8000000000000000322202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.dll2023-01-27 11:22:55.965 11241100x8000000000000000322201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll2023-01-27 11:22:55.965 11241100x8000000000000000322200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:55.965 11241100x8000000000000000322199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Interop.MSDASC.dll2023-01-27 11:22:55.964 11241100x8000000000000000322198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:55.963 11241100x8000000000000000322197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:55.963 11241100x8000000000000000322196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:55.962 11241100x8000000000000000322195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:55.962 11241100x8000000000000000322194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:55.961 11241100x8000000000000000322193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:55.947 11241100x8000000000000000322192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:55.947 11241100x8000000000000000322191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.947{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:55.946 11241100x8000000000000000322190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.946{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:55.946 11241100x8000000000000000322189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.945{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:55.944 11241100x8000000000000000322188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:55.944 11241100x8000000000000000322187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:55.942 11241100x8000000000000000322186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:55.942 11241100x8000000000000000322185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL2023-01-27 11:22:55.942 11241100x8000000000000000322184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:55.941 11241100x8000000000000000322183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:55.899 11241100x8000000000000000322182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.899{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.898 11241100x8000000000000000322181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:55.728 11241100x8000000000000000322180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:55.728 11241100x8000000000000000322179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:55.729 11241100x8000000000000000322178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:55.728 11241100x8000000000000000322177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:55.728 11241100x8000000000000000322176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.728 11241100x8000000000000000322175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.727{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:55.727 11241100x8000000000000000322174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.726 11241100x8000000000000000322173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.725 11241100x8000000000000000322172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.725 11241100x8000000000000000322171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.700 11241100x8000000000000000322170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.725 23542300x8000000000000000322169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.723{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC38EF57F17CF4EE69B45A166544D09,SHA256=90EB04E7AD372EF02D05C461CF196162E586957B2E3870B2168B075E94E70658,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.699 11241100x8000000000000000322167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL2023-01-27 11:22:55.698 11241100x8000000000000000322163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL2023-01-27 11:22:55.698 11241100x8000000000000000322162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.698{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll2023-01-27 11:22:55.698 11241100x8000000000000000322161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTLVBA.DLL2023-01-27 11:22:55.697 11241100x8000000000000000322160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.696{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL2023-01-27 11:22:55.695 11241100x8000000000000000322156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL2023-01-27 11:22:55.423 11241100x8000000000000000322155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL2023-01-27 11:22:55.423 11241100x8000000000000000322154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL2023-01-27 11:22:55.422 11241100x8000000000000000322153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll2023-01-27 11:22:55.422 11241100x8000000000000000322152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.WinForms.dll2023-01-27 11:22:55.421 11241100x8000000000000000322151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Collections.Immutable.dll2023-01-27 11:22:55.421 11241100x8000000000000000322150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll2023-01-27 11:22:55.160 10341000x8000000000000000322149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.235{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.074{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dll2023-01-27 11:22:55.158 11241100x8000000000000000322140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll2023-01-27 11:22:55.157 11241100x8000000000000000322139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\WebView2Loader.dll2023-01-27 11:22:55.157 11241100x8000000000000000322138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Newtonsoft.Json.dll2023-01-27 11:22:55.156 11241100x8000000000000000322137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll2023-01-27 11:22:55.156 11241100x8000000000000000322136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll2023-01-27 11:22:55.155 11241100x8000000000000000322135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll2023-01-27 11:22:55.155 11241100x8000000000000000322134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.Core.dll2023-01-27 11:22:55.154 11241100x8000000000000000322133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll2023-01-27 11:22:55.154 11241100x8000000000000000322132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll2023-01-27 11:22:55.154 11241100x8000000000000000322131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll2023-01-27 11:22:54.708 354300x8000000000000000447502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.986{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49690- 11241100x8000000000000000322317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\msipc.dll2023-01-27 11:22:56.968 11241100x8000000000000000322316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ipcsecproc.dll2023-01-27 11:22:56.968 23542300x8000000000000000322315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A357C9A5E5A047B8024AEBB9C34305,SHA256=0B90388DDC49E2B34A1125A3BAF7EDE49D4363D7783044FEC809417F183CF651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.929{72106695-B410-63D3-B703-00000000BD02}29364468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:56.725{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D9C1F947F240D9C7CB3E466559E54,SHA256=45A00DCAF6797C37695FC3E99EEB2C4D344231211D4C30D1EEABFEB4E2C6CE50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.699{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSAEXP30.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSBARCODE.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OART.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACCESS.EXE2023-01-27 11:22:56.657 11241100x8000000000000000322301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MORPH9.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBPROXY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MIMEDIR.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPISHELL.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPIPH.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LyncDesktopSmartBitmapResources.dll2023-01-27 11:22:56.657 11241100x8000000000000000322294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IVY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INTLDATE.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INKCOMMENT.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IGX.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEContentService.exe2023-01-27 11:22:56.657 11241100x8000000000000000322289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEAWSDC.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Httpproxy.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GRAPH.EXE2023-01-27 11:22:56.657 11241100x8000000000000000322286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKWord.dll2023-01-27 11:22:56.365 10341000x8000000000000000322285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.393{72106695-B40F-63D3-B603-00000000BD02}25805288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKPowerPoint.dll2023-01-27 11:22:56.364 11241100x8000000000000000322283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKExcel.dll2023-01-27 11:22:56.364 11241100x8000000000000000322282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GFX.DLL2023-01-27 11:22:56.363 11241100x8000000000000000322281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityDataHandler.dll2023-01-27 11:22:56.362 11241100x8000000000000000322280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityPicker.dll2023-01-27 11:22:56.362 11241100x8000000000000000322279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXSEC32.DLL2023-01-27 11:22:56.362 11241100x8000000000000000322278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXCEL.EXE2023-01-27 11:22:56.360 23542300x8000000000000000322277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E55A51E1209285EE6D2281AB2F0F39,SHA256=66EFA93514B366FC5A38313B0F93D549B4CF70FB560427B8F9768F3E0FA00C62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL2023-01-27 11:22:56.345 11241100x8000000000000000322275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMABLT32.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ENVELOPE.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\TRANSMGR.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mfc140u.dll2023-01-27 11:22:56.314 11241100x8000000000000000322271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DLGSETP.DLL2023-01-27 11:22:56.097 11241100x8000000000000000322270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.096{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGCORE.DLL2023-01-27 11:22:56.096 11241100x8000000000000000322269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.095{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Cpprest141_2_10.DLL2023-01-27 11:22:56.092 10341000x8000000000000000322268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.094{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMSMDB32.DLL2023-01-27 11:22:56.092 11241100x8000000000000000322266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\RM.DLL2023-01-27 11:22:56.091 10341000x8000000000000000322265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.090{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.088{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.899{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGHELP.DLL2023-01-27 11:22:56.063 11241100x8000000000000000322257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CNFNOT32.EXE2023-01-27 11:22:56.050 11241100x8000000000000000322256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CLVIEW.EXE2023-01-27 11:22:56.050 11241100x8000000000000000322255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AutoHelper.dll2023-01-27 11:22:56.050 354300x8000000000000000447505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.238{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54114- 354300x8000000000000000447504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.757{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000322254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONTAB32.DLL2023-01-27 11:22:56.049 11241100x8000000000000000322253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CHART.DLL2023-01-27 11:22:56.049 11241100x8000000000000000322252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BIPLAT.DLL2023-01-27 11:22:56.048 11241100x8000000000000000322251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingHookController64.exe2023-01-27 11:22:56.047 11241100x8000000000000000322250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingChromeHook64.dll2023-01-27 11:22:56.047 11241100x8000000000000000322249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Appshapi.dll2023-01-27 11:22:56.046 11241100x8000000000000000322248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.046{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHSAPIFE.DLL2023-01-27 11:22:56.045 11241100x8000000000000000322247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140_1.dll2023-01-27 11:22:56.045 11241100x8000000000000000322246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHMAIN.DLL2023-01-27 11:22:56.044 11241100x8000000000000000322245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHLTS.DLL2023-01-27 11:22:56.044 11241100x8000000000000000322244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.044{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:56.043 11241100x8000000000000000322243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\OFFICE.dll2023-01-27 11:22:56.043 11241100x8000000000000000322242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:56.043 11241100x8000000000000000322241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\ReportingServicesNativeClient.dll2023-01-27 11:22:56.027 11241100x8000000000000000322240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll2023-01-27 11:22:56.026 11241100x8000000000000000322239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\UmOutlookAddin.dll2023-01-27 11:22:56.026 11241100x8000000000000000322238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:56.026 11241100x8000000000000000322237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Types.dll2023-01-27 11:22:56.025 11241100x8000000000000000322236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:56.025 11241100x8000000000000000322235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.025{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:56.024 11241100x8000000000000000322234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:56.024 11241100x8000000000000000322233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:56.024 11241100x8000000000000000322232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:56.023 11241100x8000000000000000322231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:56.022 11241100x8000000000000000322230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:56.021 11241100x8000000000000000322229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:56.014 11241100x8000000000000000322228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:56.013 11241100x8000000000000000322227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:56.013 11241100x8000000000000000322226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:56.012 11241100x8000000000000000322225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.012{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:56.012 11241100x8000000000000000322224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:56.011 11241100x8000000000000000322223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.DLL2023-01-27 11:22:56.010 11241100x8000000000000000322222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.Interop.Excel.dll2023-01-27 11:22:56.010 11241100x8000000000000000322221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:56.009 11241100x8000000000000000322220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:56.009 11241100x8000000000000000322219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:56.009 11241100x8000000000000000322218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:56.006 11241100x8000000000000000322217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:56.005 11241100x8000000000000000322216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:56.004 11241100x8000000000000000322215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.002{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:56.001 11241100x8000000000000000322214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.001{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:56.000 23542300x8000000000000000447507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:57.817{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C0DA1ACAA0D9C00BFC1C157154B52,SHA256=4C5A4F50822731EEA98F790C48948F0538AB7AD3E154DDB50D6B8B843C401FC4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.769{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBCONV.DLL2023-01-27 11:22:57.769 11241100x8000000000000000322431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PTXT9.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PRTF9.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PSTPRX32.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgrammar8.dll2023-01-27 11:22:57.767 11241100x8000000000000000322427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msspell7.dll2023-01-27 11:22:57.767 11241100x8000000000000000322426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr3jp.dll2023-01-27 11:22:57.766 11241100x8000000000000000322425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPTICO.EXE2023-01-27 11:22:57.767 11241100x8000000000000000322424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPSLAX.DLL2023-01-27 11:22:57.766 11241100x8000000000000000322423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPRESOURCES.DLL2023-01-27 11:22:57.765 11241100x8000000000000000322422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPINTL.COMMON.DLL2023-01-27 11:22:57.765 11241100x8000000000000000322421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPCORE.DLL2023-01-27 11:22:57.764 11241100x8000000000000000322420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\POWERPNT.EXE2023-01-27 11:22:57.501 11241100x8000000000000000322419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PEOPLEDATAHANDLER.DLL2023-01-27 11:22:57.500 11241100x8000000000000000322418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookWebHost.dll2023-01-27 11:22:57.500 11241100x8000000000000000322417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PDFREFLOW.EXE2023-01-27 11:22:57.500 11241100x8000000000000000322416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrSanBroker.exe2023-01-27 11:22:57.499 11241100x8000000000000000322415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrBroker.exe2023-01-27 11:22:57.499 11241100x8000000000000000322414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OsfTaskengine.dll2023-01-27 11:22:57.499 11241100x8000000000000000322413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeJs_Core.DLL2023-01-27 11:22:57.498 11241100x8000000000000000322412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScr.dll2023-01-27 11:22:57.498 11241100x8000000000000000322411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLVBS.DLL2023-01-27 11:22:57.498 11241100x8000000000000000322410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLRPC.DLL2023-01-27 11:22:57.497 11241100x8000000000000000322409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcPubMgr.exe2023-01-27 11:22:57.497 11241100x8000000000000000322408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLPH.DLL2023-01-27 11:22:57.497 11241100x8000000000000000322407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcOffice.dll2023-01-27 11:22:57.496 11241100x8000000000000000322406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.496{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookServicing.DLL2023-01-27 11:22:57.496 11241100x8000000000000000322405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.492{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLMIME.DLL2023-01-27 11:22:57.492 11241100x8000000000000000322404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.EXE2023-01-27 11:22:57.490 11241100x8000000000000000322403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLCTL.DLL2023-01-27 11:22:57.486 11241100x8000000000000000322402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLLIBR.COMMON.DLL2023-01-27 11:22:57.490 11241100x8000000000000000322401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.486{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFUI.DLL2023-01-27 11:22:57.485 11241100x8000000000000000322400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFSHARED.DLL2023-01-27 11:22:57.485 11241100x8000000000000000322399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ORGCHART.EXE2023-01-27 11:22:57.484 11241100x8000000000000000322398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTEM.EXE2023-01-27 11:22:57.483 11241100x8000000000000000322397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:22:57.483 11241100x8000000000000000322396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONWordAddin.dll2023-01-27 11:22:57.483 11241100x8000000000000000322395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSF.DLL2023-01-27 11:22:57.481 11241100x8000000000000000322394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONLNTCOMLIB.DLL2023-01-27 11:22:57.480 11241100x8000000000000000322393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONRES.DLL2023-01-27 11:22:57.478 11241100x8000000000000000322392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONPPTAddin.dll2023-01-27 11:22:57.477 11241100x8000000000000000322391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONFILTER.DLL2023-01-27 11:22:57.477 11241100x8000000000000000322390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIE.dll2023-01-27 11:22:57.476 11241100x8000000000000000322389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnPPT.dll2023-01-27 11:22:57.475 11241100x8000000000000000322388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:22:57.474 11241100x8000000000000000322387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\onmain.DLL2023-01-27 11:22:57.474 11241100x8000000000000000322386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTE.EXE2023-01-27 11:22:57.473 11241100x8000000000000000322385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONECLIENTW32.DLL2023-01-27 11:22:57.473 11241100x8000000000000000322384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnWD.dll2023-01-27 11:22:57.473 11241100x8000000000000000322383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnOL.dll2023-01-27 11:22:57.472 11241100x8000000000000000322382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSXP32.DLL2023-01-27 11:22:57.471 11241100x8000000000000000322381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.470{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSMAIN.DLL2023-01-27 11:22:57.470 11241100x8000000000000000322380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMRAUT.DLL2023-01-27 11:22:57.469 11241100x8000000000000000322379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMICAUT.DLL2023-01-27 11:22:57.469 11241100x8000000000000000322378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLMAPI32.DLL2023-01-27 11:22:57.468 11241100x8000000000000000322377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.466{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLKFSTUB.DLL2023-01-27 11:22:57.465 11241100x8000000000000000322376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLCFG.EXE2023-01-27 11:22:57.464 11241100x8000000000000000322375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OIMG.DLL2023-01-27 11:22:57.459 11241100x8000000000000000322374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.459{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFRHD.DLL2023-01-27 11:22:57.456 11241100x8000000000000000322373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.454{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_WORD.DLL2023-01-27 11:22:57.446 11241100x8000000000000000322372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.453{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll2023-01-27 11:22:57.433 11241100x8000000000000000322371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.446{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_EXCEL.DLL2023-01-27 11:22:57.446 11241100x8000000000000000322370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.432{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.423 11241100x8000000000000000322369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll2023-01-27 11:22:57.424 11241100x8000000000000000322368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.424{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll2023-01-27 11:22:57.424 23542300x8000000000000000322367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.424{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=2AC5F3AFCAB502E1C9D4338AB25A4649,SHA256=31947DE749CA9A6E56EAA58DD40A0E6047A5AD46D2FB23E163054D20AAAA70E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.423 11241100x8000000000000000322365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll2023-01-27 11:22:57.423 11241100x8000000000000000322364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.422 10341000x8000000000000000322363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.422{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.420 10341000x8000000000000000322361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.419{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll2023-01-27 11:22:57.419 10341000x8000000000000000322356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.418{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.413{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.251{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.411{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll2023-01-27 11:22:57.410 11241100x8000000000000000322352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.409{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.409 23542300x8000000000000000322351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.408{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=72E1696A3B17613CB1F5C69C5375EC87,SHA256=6ACD247E50A51CA31B689530805F80E52FFEAF4668F46B3ED2E64C44F26CF41C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.398{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.398 11241100x8000000000000000322349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSCLIENTWIN32.DLL2023-01-27 11:22:57.386 11241100x8000000000000000322348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCHelper.dll2023-01-27 11:22:57.372 23542300x8000000000000000322347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.384{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40882DA814495680525F9E84557E65B,SHA256=40CAB07430FFD6A0EAEB055228A230A13DD79C921A64345C1BC5BB73FED76C67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OARTODF.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAME.DLL2023-01-27 11:22:57.128 11241100x8000000000000000322344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Lexicons0011.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Models0011.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLSERVER.EXE2023-01-27 11:22:57.128 11241100x8000000000000000322341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.127{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Data0011.DLL2023-01-27 11:22:57.126 11241100x8000000000000000322340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.126{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MeetingJoinAxOC.dll2023-01-27 11:22:57.125 11241100x8000000000000000322339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:22:57.125 11241100x8000000000000000322338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Office.PolicyTips.dll2023-01-27 11:22:57.120 23542300x8000000000000000322337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.123{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=154FA03BC7C5DE95D2C9A28C56C9E0B3,SHA256=6CB765900C9F8570DCCE9565AF38AEA17ECABEB100FA56AC8A3D82E3CFD3F4CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Ink.Recognition.DLL2023-01-27 11:22:57.119 11241100x8000000000000000322335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSVCP140_APP.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSRTEDIT.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC32.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSQRY32.EXE2023-01-27 11:22:57.116 11241100x8000000000000000322331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.EXE2023-01-27 11:22:57.116 11241100x8000000000000000322330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.115{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPST32.DLL2023-01-27 11:22:57.106 11241100x8000000000000000322329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSVG.DLL2023-01-27 11:22:57.105 11241100x8000000000000000322328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSTYLE.DLL2023-01-27 11:22:57.104 11241100x8000000000000000322327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSREC.EXE2023-01-27 11:22:57.104 11241100x8000000000000000322326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSPECTRE.DLL2023-01-27 11:22:57.103 11241100x8000000000000000322325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEVI.DLL2023-01-27 11:22:57.103 11241100x8000000000000000322324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOCR.DLL2023-01-27 11:22:57.102 11241100x8000000000000000322323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.102{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHTMED.EXE2023-01-27 11:22:57.102 11241100x8000000000000000322322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL2023-01-27 11:22:57.092 11241100x8000000000000000322321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOADFPS.DLL2023-01-27 11:22:57.091 11241100x8000000000000000322320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIANEXT.DLL2023-01-27 11:22:57.090 11241100x8000000000000000322319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.088{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIACAPI.DLL2023-01-27 11:22:57.088 11241100x8000000000000000322318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIA.DLL2023-01-27 11:22:57.081 23542300x8000000000000000447508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:58.915{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96230AA0D4DE6F4D407FDD371AF9E8A1,SHA256=C53CB5A3FD4CE0FCE324CFD5D5620C9DFA946E25CBBD34049981B6D96D3BB814,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:58.989 11241100x8000000000000000322633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:58.988 11241100x8000000000000000322632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:58.988 11241100x8000000000000000322631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLL2023-01-27 11:22:58.986 11241100x8000000000000000322627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL2023-01-27 11:22:58.986 11241100x8000000000000000322626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL2023-01-27 11:22:58.984 11241100x8000000000000000322625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrwbin_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrw_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmtransactions_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmpersistence_xl.dll2023-01-27 11:22:58.982 11241100x8000000000000000322621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmcachemgr_xl.dll2023-01-27 11:22:58.981 11241100x8000000000000000322620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmapi_xl.dll2023-01-27 11:22:58.981 11241100x8000000000000000322619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\System.Spatial.dll2023-01-27 11:22:58.880 11241100x8000000000000000322618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msolap_xl.dll2023-01-27 11:22:58.980 11241100x8000000000000000322617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.978{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmgdsrv_xl.dll2023-01-27 11:22:58.977 11241100x8000000000000000322616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmdlocal_xl.dll2023-01-27 11:22:58.973 11241100x8000000000000000322615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\adal.dll2023-01-27 11:22:58.879 11241100x8000000000000000322614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.880 23542300x8000000000000000322613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.911{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79653C2E8052C3FFF7DA31553A581B1,SHA256=08F467A9D7C0423D7A3827E052E6BB5BF176FD63B19F6D75DC04666FA981FC9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.878 11241100x8000000000000000322611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.877 11241100x8000000000000000322610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.877 11241100x8000000000000000322609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Edm.dll2023-01-27 11:22:58.877 11241100x8000000000000000322608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Odata.dll2023-01-27 11:22:58.876 11241100x8000000000000000322607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.876 11241100x8000000000000000322606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.DataFeedClient.dll2023-01-27 11:22:58.874 11241100x8000000000000000322605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.873 11241100x8000000000000000322604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL2023-01-27 11:22:58.873 11241100x8000000000000000322603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.872 11241100x8000000000000000322602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.872 11241100x8000000000000000322601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.787 11241100x8000000000000000322600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmgdsrv_xl.dll2023-01-27 11:22:58.784 11241100x8000000000000000322599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.783 11241100x8000000000000000322598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.781 11241100x8000000000000000322597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.779 11241100x8000000000000000322596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.871 11241100x8000000000000000322595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.785{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.785 11241100x8000000000000000322594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll2023-01-27 11:22:58.784 11241100x8000000000000000322593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.781 11241100x8000000000000000322592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.775 11241100x8000000000000000322591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.775 11241100x8000000000000000322590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmdlocal_xl.dll2023-01-27 11:22:58.774 11241100x8000000000000000322589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.772 11241100x8000000000000000322588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.771{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.769 11241100x8000000000000000322587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.768 11241100x8000000000000000322586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.765 11241100x8000000000000000322585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.764 11241100x8000000000000000322584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.764{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEOLEDB.DLL2023-01-27 11:22:58.759 11241100x8000000000000000322583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.753{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:22:58.747 11241100x8000000000000000322582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.747{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLL2023-01-27 11:22:58.747 11241100x8000000000000000322581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.743{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:22:58.743 11241100x8000000000000000322580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL2023-01-27 11:22:58.741 11241100x8000000000000000322579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:22:58.741 11241100x8000000000000000322578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.739{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL2023-01-27 11:22:58.737 11241100x8000000000000000322577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.738{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL2023-01-27 11:22:58.738 11241100x8000000000000000322576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.736{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWSS.DLL2023-01-27 11:22:58.736 11241100x8000000000000000322575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL2023-01-27 11:22:58.735 11241100x8000000000000000322574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACETXT.DLL2023-01-27 11:22:58.735 11241100x8000000000000000322573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL2023-01-27 11:22:58.734 11241100x8000000000000000322572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL2023-01-27 11:22:58.730 11241100x8000000000000000322571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.720{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL2023-01-27 11:22:58.654 11241100x8000000000000000322570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.661{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL2023-01-27 11:22:58.591 11241100x8000000000000000322569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.658{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL2023-01-27 11:22:58.591 11241100x8000000000000000322568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.593{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL2023-01-27 11:22:58.588 11241100x8000000000000000322567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.588{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL2023-01-27 11:22:58.586 11241100x8000000000000000322566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.576{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLL2023-01-27 11:22:58.575 11241100x8000000000000000322565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll2023-01-27 11:22:58.574 11241100x8000000000000000322564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll2023-01-27 11:22:58.574 11241100x8000000000000000322563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL2023-01-27 11:22:58.574 11241100x8000000000000000322562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\itircl55.dll2023-01-27 11:22:58.574 11241100x8000000000000000322561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\MSClientDataMgr\MSCDM.DLL2023-01-27 11:22:58.574 11241100x8000000000000000322560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL2023-01-27 11:22:58.573 11241100x8000000000000000322559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll2023-01-27 11:22:58.572 11241100x8000000000000000322558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.572{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll2023-01-27 11:22:58.559 11241100x8000000000000000322557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.559{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\hxds.dll2023-01-27 11:22:58.559 11241100x8000000000000000322556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll2023-01-27 11:22:58.558 11241100x8000000000000000322555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll2023-01-27 11:22:58.557 11241100x8000000000000000322554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE2023-01-27 11:22:58.557 11241100x8000000000000000322553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll2023-01-27 11:22:58.557 11241100x8000000000000000322552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL2023-01-27 11:22:58.556 11241100x8000000000000000322551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLL2023-01-27 11:22:58.556 11241100x8000000000000000322550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib110.dll2023-01-27 11:22:58.555 11241100x8000000000000000322549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\v8jsi.dll2023-01-27 11:22:58.555 11241100x8000000000000000322548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrhw.dll2023-01-27 11:22:58.552 11241100x8000000000000000322547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrcs.dll2023-01-27 11:22:58.552 11241100x8000000000000000322546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\scdec.dll2023-01-27 11:22:58.552 11241100x8000000000000000322545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxbgt.dll2023-01-27 11:22:58.552 11241100x8000000000000000322544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-win32.dll2023-01-27 11:22:58.551 11241100x8000000000000000322543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-sdk.dll2023-01-27 11:22:58.550 11241100x8000000000000000322542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rdpqoemetrics.dll2023-01-27 11:22:58.550 11241100x8000000000000000322541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.550{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\protocolhandler.exe2023-01-27 11:22:58.549 11241100x8000000000000000322540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\officeappguardwin32.exe2023-01-27 11:22:58.548 11241100x8000000000000000322539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocrec.dll2023-01-27 11:22:58.548 11241100x8000000000000000322538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocimport.dll2023-01-27 11:22:58.547 11241100x8000000000000000322537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr110.dll2023-01-27 11:22:58.547 11241100x8000000000000000322536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msproof7.dll2023-01-27 11:22:58.547 11241100x8000000000000000322535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp110.dll2023-01-27 11:22:58.547 11241100x8000000000000000322534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotelemetry.dll2023-01-27 11:22:58.546 11241100x8000000000000000322533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotdaddin.dll2023-01-27 11:22:58.545 11241100x8000000000000000322532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotd.exe2023-01-27 11:22:58.545 11241100x8000000000000000322531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoianetutil.dll2023-01-27 11:22:58.544 11241100x8000000000000000322530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoia.exe2023-01-27 11:22:58.544 11241100x8000000000000000322529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoev.exe2023-01-27 11:22:58.544 11241100x8000000000000000322528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoetwres.dll2023-01-27 11:22:58.543 11241100x8000000000000000322527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.540{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoasb.exe2023-01-27 11:22:58.539 11241100x8000000000000000322526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoadfsb.exe2023-01-27 11:22:58.539 11241100x8000000000000000322525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msix.dll2023-01-27 11:22:58.539 11241100x8000000000000000322524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msfad.dll2023-01-27 11:22:58.538 11241100x8000000000000000322523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tkjp.dll2023-01-27 11:22:58.538 11241100x8000000000000000322522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tk.dll2023-01-27 11:22:58.538 11241100x8000000000000000322521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7.dll2023-01-27 11:22:58.537 11241100x8000000000000000322520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\misc.exe2023-01-27 11:22:58.537 11241100x8000000000000000322519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce_office.dll2023-01-27 11:22:58.534 11241100x8000000000000000322518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconvpxy.dll2023-01-27 11:22:58.534 11241100x8000000000000000322517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconv.exe2023-01-27 11:22:58.533 11241100x8000000000000000322516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync99.exe2023-01-27 11:22:58.533 11241100x8000000000000000322515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ssscreenvvs.dll2023-01-27 11:22:58.533 11241100x8000000000000000322514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\roottools.dll2023-01-27 11:22:58.533 11241100x8000000000000000322513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncModelProxy.dll2023-01-27 11:22:58.532 11241100x8000000000000000322512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncDesktopViewModel.dll2023-01-27 11:22:58.531 11241100x8000000000000000322511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync.exe2023-01-27 11:22:58.531 11241100x8000000000000000322510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnvpxy.dll2023-01-27 11:22:58.530 11241100x8000000000000000322509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnv.exe2023-01-27 11:22:58.529 11241100x8000000000000000322508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\csi.dll2023-01-27 11:22:58.527 11241100x8000000000000000322507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\atl110.dll2023-01-27 11:22:58.527 11241100x8000000000000000322506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\cpprestsdk.dll2023-01-27 11:22:58.526 11241100x8000000000000000322505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshvw.dll2023-01-27 11:22:58.526 11241100x8000000000000000322504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshcom.dll2023-01-27 11:22:58.526 11241100x8000000000000000322503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appsharingmediaprovider.dll2023-01-27 11:22:58.525 11241100x8000000000000000322502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLINTL32.COMMON.DLL2023-01-27 11:22:58.525 11241100x8000000000000000322501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLICONS.EXE2023-01-27 11:22:58.525 11241100x8000000000000000322500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLCALL32.DLL2023-01-27 11:22:58.524 11241100x8000000000000000322499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordconv.exe2023-01-27 11:22:58.523 11241100x8000000000000000322498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnvr.dll2023-01-27 11:22:58.523 11241100x8000000000000000322497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Host.dll2023-01-27 11:22:58.522 11241100x8000000000000000322496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.522{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnv.dll2023-01-27 11:22:58.484 11241100x8000000000000000322495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Win32MsgQueue.dll2023-01-27 11:22:58.481 11241100x8000000000000000322494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Loader.dll2023-01-27 11:22:58.480 11241100x8000000000000000322493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WINWORD.EXE2023-01-27 11:22:58.479 11241100x8000000000000000322492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WORDICON.EXE2023-01-27 11:22:58.472 11241100x8000000000000000322491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WWLIB.DLL2023-01-27 11:22:58.469 11241100x8000000000000000322490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WEBSANDBOX.DLL2023-01-27 11:22:58.468 11241100x8000000000000000322489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.447{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VPREVIEW.EXE2023-01-27 11:22:58.416 11241100x8000000000000000322488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.444{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWER.DLL2023-01-27 11:22:58.444 11241100x8000000000000000322487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.428{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWDWG.DLL2023-01-27 11:22:58.428 11241100x8000000000000000322486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.407{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VISSHE.DLL2023-01-27 11:22:58.406 11241100x8000000000000000322485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UccApi.dll2023-01-27 11:22:58.406 11241100x8000000000000000322484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UcMapi.exe2023-01-27 11:22:58.397 11241100x8000000000000000322483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Uc.dll2023-01-27 11:22:58.396 11241100x8000000000000000322482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TellMeRuntime.dll2023-01-27 11:22:58.396 11241100x8000000000000000322481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\URLREDIR.DLL2023-01-27 11:22:58.395 11241100x8000000000000000322480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SKYPESERVER.EXE2023-01-27 11:22:58.394 11241100x8000000000000000322479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCAddin.dll2023-01-27 11:22:58.395 11241100x8000000000000000322478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SFBAPPSDK.DLL2023-01-27 11:22:58.394 11241100x8000000000000000322477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SignalRClient.dll2023-01-27 11:22:58.392 11241100x8000000000000000322476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\STSLIST.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALPROVIDER.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALCONNECTOR.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOA.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SHAREPOINTPROVIDER.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SEQCHK10.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SETLANG.EXE2023-01-27 11:22:58.389 11241100x8000000000000000322469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SENDTO.DLL2023-01-27 11:22:58.389 11241100x8000000000000000322468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SELFCERT.EXE2023-01-27 11:22:58.388 11241100x8000000000000000322467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCRUNTIME140_APP.DLL2023-01-27 11:22:58.388 11241100x8000000000000000322466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCCORLIB140_APP.DLL2023-01-27 11:22:58.388 11241100x8000000000000000322465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelperBgt.exe2023-01-27 11:22:58.388 11241100x8000000000000000322464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelper.exe2023-01-27 11:22:58.387 11241100x8000000000000000322463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64C.DLL2023-01-27 11:22:58.387 11241100x8000000000000000322462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64.DLL2023-01-27 11:22:58.387 11241100x8000000000000000322461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST32.DLL2023-01-27 11:22:58.385 11241100x8000000000000000322460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCANPST.EXE2023-01-27 11:22:58.385 11241100x8000000000000000322459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvras.dll2023-01-27 11:22:58.385 11241100x8000000000000000322458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmpal.dll2023-01-27 11:22:58.384 11241100x8000000000000000322457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAEXT.DLL2023-01-27 11:22:58.384 11241100x8000000000000000322456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvrsplitter.dll2023-01-27 11:22:58.384 11241100x8000000000000000322455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmediamanager.dll2023-01-27 11:22:58.383 23542300x8000000000000000322454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.382{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC71DE7AD1A9072FE5B89CA695CE339,SHA256=9E3A7456C35653FDCC29B8FD26D26626296204C94B0563AE3BE89EED67BAC432,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmcodecs.dll2023-01-27 11:22:58.382 11241100x8000000000000000322452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTMPLTFM.dll2023-01-27 11:22:58.382 11241100x8000000000000000322451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTC.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\REFEDIT.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RECALL.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModelProxy.dll2023-01-27 11:22:58.381 11241100x8000000000000000322447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Psom.dll2023-01-27 11:22:58.380 11241100x8000000000000000322446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBTRAP.DLL2023-01-27 11:22:58.379 11241100x8000000000000000322445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModel.dll2023-01-27 11:22:58.379 11241100x8000000000000000322444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUB6INTL.COMMON.DLL2023-01-27 11:22:57.769 23542300x8000000000000000322443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.378{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD9A7151B04BA8D89EBF7DEA271F351,SHA256=13A2945213DC49BF919B3EA609AEFA08D4BEBF61FEFB084BDDCC464C9434228B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.515{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50978-false10.0.1.12-8000- 10341000x8000000000000000322441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.354{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.114{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.962{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2302872C5C00159385BB2BC00D616E68,SHA256=94F0FA3E506275F125F0A897FD1C6CEEDCADA7949A81CB8BAEC4050086D7C41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE4D21EE28888B75395BAAABF7F82F8,SHA256=67E3448C4C68C3FA347E94F4F2EC9333C1C126AE692131D310C3FD8DF41547BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\operfmon.exe2023-01-27 11:22:59.803 11241100x8000000000000000322684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:22:59.803 11241100x8000000000000000322683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL2023-01-27 11:22:59.803 11241100x8000000000000000322682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:22:59.803 11241100x8000000000000000322681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:22:59.802 11241100x8000000000000000322680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\offhud.dll2023-01-27 11:22:59.802 11241100x8000000000000000322679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL2023-01-27 11:22:59.802 11241100x8000000000000000322678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.802{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:22:59.801 11241100x8000000000000000322677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowercrash.dll2023-01-27 11:22:59.801 11241100x8000000000000000322676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:22:59.801 11241100x8000000000000000322675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:22:59.801 11241100x8000000000000000322674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:22:59.801 11241100x8000000000000000322673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:22:59.801 11241100x8000000000000000322672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WISC30.DLL2023-01-27 11:22:59.534 11241100x8000000000000000322671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLL2023-01-27 11:22:59.534 11241100x8000000000000000322670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:22:59.794 11241100x8000000000000000322669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:22:59.794 23542300x8000000000000000322668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A009DA55755CA4F306A907D1B5C648F0,SHA256=4E4798186D503BD694217657BC60C3F55D8B94EC1261BCF6E4633E6B2C6A63D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL2023-01-27 11:22:59.533 11241100x8000000000000000322666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:22:59.531 11241100x8000000000000000322665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL2023-01-27 11:22:59.530 11241100x8000000000000000322664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL2023-01-27 11:22:59.530 11241100x8000000000000000322663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OFFREL.DLL2023-01-27 11:22:59.527 11241100x8000000000000000322662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL2023-01-27 11:22:59.527 11241100x8000000000000000322661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:22:59.526 11241100x8000000000000000322660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:22:59.524 11241100x8000000000000000322656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL2023-01-27 11:22:59.274 11241100x8000000000000000322655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.272{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE2023-01-27 11:22:59.272 10341000x8000000000000000447527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.606{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.583{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.574{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.571{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.568{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.563{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.470{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.456{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.434{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.412{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.396{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.376{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.296{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 11241100x8000000000000000322651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:22:59.265 11241100x8000000000000000322650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE2023-01-27 11:22:59.250 11241100x8000000000000000322649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:22:59.244 11241100x8000000000000000322645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM3.DLL2023-01-27 11:22:59.249 11241100x8000000000000000322644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:22:59.245 11241100x8000000000000000322643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll2023-01-27 11:22:59.248 11241100x8000000000000000322642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLL2023-01-27 11:22:59.244 11241100x8000000000000000322641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:59.239 11241100x8000000000000000322640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE2023-01-27 11:22:59.239 11241100x8000000000000000322639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.236{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:59.235 11241100x8000000000000000322638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.235{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:59.234 11241100x8000000000000000322637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmsrv_xl.dll2023-01-27 11:22:58.984 11241100x8000000000000000322636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:59.233 11241100x8000000000000000322635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.233{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:58.989 10341000x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.956{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.939{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.933{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.931{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.919{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.909{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.898{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.895{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.867{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11AFDA5B5E8CF425AB4C2AAF1307F52,SHA256=698DA1CBC0FDA7AC157B8BCD05571EE9C02137501F7FC4D632322492D4CB256F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.852{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.845{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.842{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.839{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.807{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.800{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.798{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.793{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.792{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.791{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140.dll2023-01-27 11:23:00.791 10341000x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.791{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vccorlib140.dll2023-01-27 11:23:00.790 11241100x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20.DLL2023-01-27 11:23:00.790 10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.790{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140kor.dll2023-01-27 11:23:00.789 11241100x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_1.dll2023-01-27 11:23:00.789 11241100x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140.dll2023-01-27 11:23:00.789 11241100x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140u.dll2023-01-27 11:23:00.788 11241100x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140.dll2023-01-27 11:23:00.788 11241100x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.788{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140u.dll2023-01-27 11:23:00.777 10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.788{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.787{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_codecvt_ids.dll2023-01-27 11:23:00.777 11241100x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140rus.dll2023-01-27 11:23:00.777 11241100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_2.dll2023-01-27 11:23:00.777 11241100x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140cht.dll2023-01-27 11:23:00.777 11241100x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140ita.dll2023-01-27 11:23:00.777 11241100x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140fra.dll2023-01-27 11:23:00.777 11241100x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140enu.dll2023-01-27 11:23:00.777 11241100x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140deu.dll2023-01-27 11:23:00.777 11241100x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140jpn.dll2023-01-27 11:23:00.777 11241100x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140chs.dll2023-01-27 11:23:00.532 10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.668{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.661{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.655{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.653{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.646{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.619{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.617{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.608{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.534{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.532{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140esn.dll2023-01-27 11:23:00.530 11241100x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.529{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140.dll2023-01-27 11:23:00.526 11241100x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll2023-01-27 11:23:00.526 11241100x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\concrt140.dll2023-01-27 11:23:00.526 11241100x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll2023-01-27 11:23:00.525 10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.520{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll2023-01-27 11:23:00.513 11241100x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll2023-01-27 11:23:00.513 11241100x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll2023-01-27 11:23:00.512 11241100x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.512{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL2023-01-27 11:23:00.247 10341000x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.506{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.474{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.458{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.437{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.405{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.373{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.352{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.340{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000447533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.295{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.292{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.288{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.286{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.284{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 11241100x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL2023-01-27 11:23:00.247 11241100x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.245{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLL2023-01-27 11:23:00.241 11241100x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL2023-01-27 11:23:00.240 11241100x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:23:00.240 11241100x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll2023-01-27 11:23:00.239 11241100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL2023-01-27 11:23:00.239 11241100x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:23:00.239 11241100x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll2023-01-27 11:23:00.238 11241100x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL2023-01-27 11:23:00.238 11241100x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL2023-01-27 11:23:00.237 11241100x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.237{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:23:00.211 11241100x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL2023-01-27 11:23:00.211 11241100x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll2023-01-27 11:23:00.210 11241100x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.210{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL2023-01-27 11:23:00.210 11241100x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.206{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE2023-01-27 11:23:00.206 11241100x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL2023-01-27 11:23:00.204 11241100x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:23:00.200 11241100x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL2023-01-27 11:23:00.199 11241100x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL2023-01-27 11:23:00.197 11241100x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.196{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL2023-01-27 11:23:00.196 11241100x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\office.dll2023-01-27 11:23:00.184 11241100x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dll2023-01-27 11:23:00.184 11241100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll2023-01-27 11:23:00.184 11241100x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelAddIn.dll2023-01-27 11:23:00.182 11241100x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.Diagram.dll2023-01-27 11:23:00.181 11241100x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll2023-01-27 11:23:00.181 11241100x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe2023-01-27 11:23:00.180 11241100x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Excel.dll2023-01-27 11:23:00.180 11241100x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dll2023-01-27 11:23:00.180 11241100x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dll2023-01-27 11:23:00.180 11241100x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE2023-01-27 11:23:00.179 11241100x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR120.DLL2023-01-27 11:23:00.179 11241100x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dll2023-01-27 11:23:00.177 11241100x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.177{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Inquire.dll2023-01-27 11:23:00.176 11241100x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll2023-01-27 11:23:00.176 11241100x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll2023-01-27 11:23:00.176 11241100x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll2023-01-27 11:23:00.175 11241100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll2023-01-27 11:23:00.175 11241100x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dll2023-01-27 11:23:00.175 11241100x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll2023-01-27 11:23:00.174 11241100x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dll2023-01-27 11:23:00.174 11241100x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll2023-01-27 11:23:00.174 11241100x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dll2023-01-27 11:23:00.173 11241100x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE2023-01-27 11:23:00.173 11241100x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe2023-01-27 11:23:00.173 11241100x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe2023-01-27 11:23:00.172 11241100x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.172{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe2023-01-27 11:23:00.168 11241100x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ClientConfiguration.dll2023-01-27 11:23:00.168 11241100x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.AuditItems.dll2023-01-27 11:23:00.168 11241100x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll2023-01-27 11:23:00.168 11241100x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll2023-01-27 11:23:00.167 11241100x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dll2023-01-27 11:23:00.167 11241100x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe2023-01-27 11:23:00.164 11241100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:23:00.164 11241100x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.162{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:23:00.160 11241100x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:23:00.160 11241100x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingChromeHook.dll2023-01-27 11:23:00.155 11241100x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.154 11241100x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.153 11241100x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.153 11241100x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.153 11241100x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.151{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.151 11241100x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.150{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.149 11241100x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.149{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.145 11241100x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.145 11241100x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.145 11241100x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.144 11241100x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.143 11241100x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.143 11241100x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.142 11241100x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.131 11241100x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.131 11241100x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.131 11241100x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.131{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrwbin.dll2023-01-27 11:23:00.130 11241100x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.130{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll2023-01-27 11:23:00.130 11241100x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.129 11241100x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll2023-01-27 11:23:00.128 11241100x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:23:00.128 11241100x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.128 11241100x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:23:00.120 11241100x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:23:00.127 11241100x8000000000000000322727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:23:00.128 11241100x8000000000000000322726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.120{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:23:00.120 11241100x8000000000000000322725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:23:00.118 11241100x8000000000000000322724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:23:00.118 11241100x8000000000000000322723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:23:00.117 11241100x8000000000000000322722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:23:00.115 11241100x8000000000000000322721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:23:00.115 11241100x8000000000000000322720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:23:00.115 11241100x8000000000000000322719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:23:00.110 11241100x8000000000000000322718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:23:00.110 11241100x8000000000000000322717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:23:00.092 11241100x8000000000000000322712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:23:00.092 11241100x8000000000000000322711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:23:00.091 11241100x8000000000000000322710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:23:00.090 11241100x8000000000000000322709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:23:00.090 11241100x8000000000000000322708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:23:00.089 11241100x8000000000000000322707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:23:00.089 11241100x8000000000000000322706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:23:00.068 11241100x8000000000000000322705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrw.dll2023-01-27 11:23:00.068 11241100x8000000000000000322704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll2023-01-27 11:23:00.068 11241100x8000000000000000322703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:23:00.068 11241100x8000000000000000322702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.065 11241100x8000000000000000322701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.065 11241100x8000000000000000322700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLL2023-01-27 11:23:00.063 11241100x8000000000000000322695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL2023-01-27 11:23:00.063 11241100x8000000000000000322694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE2023-01-27 11:23:00.063 11241100x8000000000000000322693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe2023-01-27 11:23:00.062 11241100x8000000000000000322692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IMCONTACT.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IETAG.DLL2023-01-27 11:23:00.061 11241100x8000000000000000322688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLL2023-01-27 11:23:00.061 11241100x8000000000000000322687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL2023-01-27 11:22:59.803 23542300x8000000000000000322925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:01.540{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947649622F55066F8E847230EB75DAC0,SHA256=DAE317BA9D1BDC3ACC2A4DAF31C18E690567DCE2A70182630B5C15AA75773B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:01.408{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071DDE2B5ED1BD9E68D71146CFB10DB1,SHA256=23AB1D6267BC8079FB3735CBDF499EFBC0E4F2279B35B01710F094CC148543D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:58.711{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:01.030{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1115CE5D60CEE6E22B3361DCBC5722,SHA256=CB6BD40C89C889700A482885D565D5BF264D8423848B61F7A42F518104207D9D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Diagnostics\16.0.0.0__71E9BCE111E9429C\microsoft.office.businessapplications.diagnostics.dll2023-01-27 11:23:01.350 11241100x8000000000000000322922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData\16.0.0.0__71E9BCE111E9429C\microsoft.office.businessdata.dll2023-01-27 11:23:01.350 11241100x8000000000000000322921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vcruntime140_1.dll2023-01-27 11:23:01.350 11241100x8000000000000000322920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib140.dll2023-01-27 11:23:01.350 11241100x8000000000000000322919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_2.dll2023-01-27 11:23:01.350 11241100x8000000000000000322918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vcruntime140.dll2023-01-27 11:23:01.350 11241100x8000000000000000322917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_codecvt_ids.dll2023-01-27 11:23:01.151 11241100x8000000000000000322916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.350{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\16.0.0.0__71E9BCE111E9429C\microsoft.office.businessdata.intl.dll2023-01-27 11:23:01.154 11241100x8000000000000000322915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\16.0.0.0__71E9BCE111E9429C\Microsoft.BusinessData.dll2023-01-27 11:23:01.153 11241100x8000000000000000322914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_atomic_wait.dll2023-01-27 11:23:01.111 11241100x8000000000000000322913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_64\Microsoft.Office.Access.BusinessDataCatalog\16.0.0.0__71E9BCE111E9429C\Microsoft.Office.Access.BusinessDataCatalog.DLL2023-01-27 11:23:01.111 11241100x8000000000000000322912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_1.dll2023-01-27 11:23:01.103 11241100x8000000000000000322911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140.dll2023-01-27 11:23:01.103 11241100x8000000000000000322910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp100.dll2023-01-27 11:23:01.103 11241100x8000000000000000322909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.101{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfcm140u.dll2023-01-27 11:23:01.101 11241100x8000000000000000322908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.101{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfcm140.dll2023-01-27 11:23:01.101 11241100x8000000000000000322907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.100{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140u.dll2023-01-27 11:23:01.100 11241100x8000000000000000322906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.100{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140rus.dll2023-01-27 11:23:01.100 11241100x8000000000000000322905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140kor.dll2023-01-27 11:23:01.093 11241100x8000000000000000322904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.093{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140jpn.dll2023-01-27 11:23:01.093 11241100x8000000000000000322903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140ita.dll2023-01-27 11:23:01.091 11241100x8000000000000000322902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140fra.dll2023-01-27 11:23:01.090 11241100x8000000000000000322901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140esn.dll2023-01-27 11:23:01.089 11241100x8000000000000000322900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140enu.dll2023-01-27 11:23:01.087 11241100x8000000000000000322899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140deu.dll2023-01-27 11:23:01.086 11241100x8000000000000000322898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140chs.dll2023-01-27 11:23:01.085 11241100x8000000000000000322897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140cht.dll2023-01-27 11:23:01.009 11241100x8000000000000000322896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\concrt140.dll2023-01-27 11:23:01.009 11241100x8000000000000000322895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_atomic_wait.dll2023-01-27 11:23:01.009 11241100x8000000000000000322894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:01.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vcruntime140.dll2023-01-27 11:23:00.790 23542300x8000000000000000322926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:02.727{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D01055B96BC1C7D5916D57CA7CE1A0,SHA256=D2C592274B63411B17DC760351C96CABD3F316DAC490C168F351AAD1F44EE00E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.986{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.960{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.911{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.903{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.890{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.880{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.878{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.875{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.872{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.871{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.868{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.361{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.352{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.342{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.334{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:02.118{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD21EFEF4BB0E25BD872B86EC1C8BBB,SHA256=55E190BC2975352F7944A04C115047CB3EAA7766944F3087522630E01627E776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:03.202{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7103B1A68E9B6FFA7C69BC2F3F4F772,SHA256=92B3D1DD4263ACD9F04A5CA180D5BCB9D8E4EE8F935D3191D3443A3CB4DC9DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:03.045{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:03.012{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:03.003{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:04.293{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097B53FE711DA47620B78F4B952285A4,SHA256=E7BF38C9EEA8F9218CE051BE9EAEF14CB224A6A1E0282783F5580209E6C1E30D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:02.520{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50979-false10.0.1.12-8000- 23542300x8000000000000000322927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:03.997{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B2D9A75B11D00D4D65C8E317BD4E54,SHA256=B244F673FCB469AECDCE4D5967E4FA2B8E040150E6A45B8455099473D01A0E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:05.387{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD268AB420A0D3EF55A60E6068DC18C,SHA256=9857291B0DD8B95FE4716349A622B8407BDB6699912C649EA19826AEB4DDCC97,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.572{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll2023-01-27 11:23:05.572 11241100x8000000000000000322935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.571{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll2023-01-27 11:23:05.571 11241100x8000000000000000322934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.571{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll2023-01-27 11:23:05.571 11241100x8000000000000000322933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.570{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll2023-01-27 11:23:05.570 11241100x8000000000000000322932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.570{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll2023-01-27 11:23:05.570 11241100x8000000000000000322931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.569{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll2023-01-27 11:23:05.569 11241100x8000000000000000322930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:05.569{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll2023-01-27 11:23:05.568 23542300x8000000000000000322929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:05.060{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0D1E9FBE7BB8C01B3B17B9B60F678F,SHA256=1B82DE87EE321BB4A272F253DFB31DC8628F5A2804E2DDA73C9BEBC283189551,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:03.921{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:06.457{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0732A7C9FBB1D3129C7B376555C4BA,SHA256=CD8985A20A8018E8FBF52634D48B590E36569A554F26BC21BF75A6B2B2213772,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:06.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe2023-01-27 11:23:06.308 23542300x8000000000000000322937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:06.221{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6E6B2F8CF79699CE5F0968A73EB8CB,SHA256=2E195B33A99F12745AC6D3373A2F4A149B0CF2E3A2A1CB739B1E8DD99C720166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:07.540{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5771EB93F1FD6BD665C7A1D1A15D4E0D,SHA256=268239594BAEFBD0DB06A5429FA04191005A9FD252732408D1EB299FDE9CDFCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.994{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_terms_dict.txt2023-01-27 11:23:07.994 11241100x8000000000000000322958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.994{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_security_terms_dict.txt2023-01-27 11:23:07.982 11241100x8000000000000000322957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_expiration_terms_dict.txt2023-01-27 11:23:07.981 11241100x8000000000000000322956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\ssn_high_group_info.txt2023-01-27 11:23:07.981 11241100x8000000000000000322955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.774{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AugLoop\third-party-notices.txt2023-01-27 11:23:07.774 11241100x8000000000000000322954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.689{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AdeModule.dll2023-01-27 11:23:07.689 11241100x8000000000000000322953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.659{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll2023-01-27 11:23:07.659 11241100x8000000000000000322952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.659{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll2023-01-27 11:23:07.647 11241100x8000000000000000322951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.612{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL2023-01-27 11:23:07.611 11241100x8000000000000000322950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.612{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL2023-01-27 11:23:07.611 11241100x8000000000000000322949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.611{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL2023-01-27 11:23:07.611 11241100x8000000000000000322948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.611{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\otkloadr_x64.dll2023-01-27 11:23:07.611 11241100x8000000000000000322947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.610{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\MSOSEC.DLL2023-01-27 11:23:07.610 11241100x8000000000000000322946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll2023-01-27 11:23:07.608 11241100x8000000000000000322945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll2023-01-27 11:23:07.607 11241100x8000000000000000322944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll2023-01-27 11:23:07.607 11241100x8000000000000000322943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll2023-01-27 11:23:07.607 11241100x8000000000000000322942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\NOTICE.txt2023-01-27 11:23:07.606 11241100x8000000000000000322941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:07.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office15\pidgenx.dll2023-01-27 11:23:07.573 23542300x8000000000000000322940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.289{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCD0B311EAEC9CC72489A61F5A8397B,SHA256=7E283ED28A547703D8AF543A04B5B1E1AE0D0F622073F22CCFE589191CE9BF8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:07.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM2023-01-27 11:23:07.005 23542300x8000000000000000447563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:08.634{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074B1BEE0CF0704A3B4762C825B80D78,SHA256=8C47170C014A0F6BAC8F8EC3B74EADE791ACD8E8862E9487873E1307D6845581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:08.606{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-101MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\notice.txt2023-01-27 11:23:08.944 11241100x8000000000000000322985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.813{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookReactNative\SearchView\NOTICE.txt2023-01-27 11:23:08.813 11241100x8000000000000000322984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.605{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLFLTR.DLL2023-01-27 11:23:08.604 11241100x8000000000000000322983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.591{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNoteFilter.dll2023-01-27 11:23:08.591 11241100x8000000000000000322982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBCTRAC.DLL2023-01-27 11:23:08.546 11241100x8000000000000000322981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll2023-01-27 11:23:08.515 11241100x8000000000000000322980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.515{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll2023-01-27 11:23:08.514 11241100x8000000000000000322979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.514{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll2023-01-27 11:23:08.402 11241100x8000000000000000322978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.401{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll2023-01-27 11:23:08.400 11241100x8000000000000000322977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.401{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll2023-01-27 11:23:08.400 11241100x8000000000000000322976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.401{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll2023-01-27 11:23:08.400 11241100x8000000000000000322975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.398{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSAEXT.dll2023-01-27 11:23:08.398 11241100x8000000000000000322974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocppvwintl.dll2023-01-27 11:23:08.397 11241100x8000000000000000322973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocpptview.dll2023-01-27 11:23:08.396 11241100x8000000000000000322972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocogl.dll2023-01-27 11:23:08.395 11241100x8000000000000000322971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocmsptls.dll2023-01-27 11:23:08.395 11241100x8000000000000000322970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCIntlDate.dll2023-01-27 11:23:08.395 11241100x8000000000000000322969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr120.dll2023-01-27 11:23:08.384 11241100x8000000000000000322968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.383{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp120.dll2023-01-27 11:23:08.383 11241100x8000000000000000322967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ThirdPartyNotices.txt2023-01-27 11:23:08.360 23542300x8000000000000000322966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.328{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D078260832A946ADDBD9860026AA9F,SHA256=9ECBCED01C763916CA1D65454AAB490D830CD0FC2E7460D485C7A48EFA46EB42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000322965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.299{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce.dll2023-01-27 11:23:08.299 11241100x8000000000000000322964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Lync2013_Third_Party_Notices.txt2023-01-27 11:23:08.276 11241100x8000000000000000322963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.275{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lpklegal.txt2023-01-27 11:23:08.275 11241100x8000000000000000322962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.074{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\TPN.txt2023-01-27 11:23:08.073 11241100x8000000000000000322961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.071{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\TPN.txt2023-01-27 11:23:08.070 11241100x8000000000000000322960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:08.052{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FilterModule.dll2023-01-27 11:23:08.051 23542300x8000000000000000447565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:09.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F391B406282FCA0EC223ED15FC9466,SHA256=9AA9F8F46173B3EB1D997807366D9F3737735832823A4A88E4D81544E37FC083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:09.618{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:09.342{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1166A41EFC9EBDCADB5464DBE582EC4D,SHA256=29046C13D04D03268CEA5BE9DB74E8A524A5ACBA702E11E7C5F412F50CF0FD07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:10.699{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C1DF79AA61960B5C7379283E0E440B,SHA256=2BC18C4FF2112AAF69B2754FA0B03F1D1FFD886C93480B95DCBB869D72E2A9EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:08.401{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50980-false10.0.1.12-8000- 23542300x8000000000000000322989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:10.457{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E10E09389431B677DBBC5E6DEB36BBB,SHA256=B3AB521A1579890C2E1E9B1A6CAAABC066A897094C90E8DCFEA83DF8C65DA74E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000322988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:10.071{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmvc1decmft.dll2023-01-27 11:23:10.071 23542300x8000000000000000447567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:11.791{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254BF3D0C5A4D651B4CB656DC301E9BA,SHA256=E77C483BF444E718BB88067405F55A6CF99E854C988CB748BF2A1F0DA831B1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:11.469{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696530A373718450E56477599DD7FE2E,SHA256=CC6086CD9105103AAB0E3DECFFE46FE7604394F4176475A233F5F795CDEC9F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000322992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:11.323{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview.win32.bundle.tpn.txt2023-01-27 11:23:11.322 11241100x8000000000000000322991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:11.322{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview.win32.bundle.LICENSE.txt2023-01-27 11:23:11.303 23542300x8000000000000000447568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:12.894{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70CA9EC20A32BCB927C21E97B130B1,SHA256=0DB38778C7EC6759179B93AB2DE884750BB6A23B8865F720AE92F55E6034C03A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000323008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.680{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\4.356cfef7.chunk.js.LICENSE.txt2023-01-27 11:23:12.679 11241100x8000000000000000323007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.679{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\FluidFramework-HashFallback.af775831.chunk.js.LICENSE.txt2023-01-27 11:23:12.672 11241100x8000000000000000323006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.602{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\277.9b1c4bfe.chunk.js.LICENSE.txt2023-01-27 11:23:12.602 11241100x8000000000000000323005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.595{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\273.014f5a9c.chunk.js.LICENSE.txt2023-01-27 11:23:12.595 11241100x8000000000000000323004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\272.409bc465.chunk.js.LICENSE.txt2023-01-27 11:23:12.594 11241100x8000000000000000323003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\271.271de555.chunk.js.LICENSE.txt2023-01-27 11:23:12.593 11241100x8000000000000000323002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.593{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\270.e7fe39ff.chunk.js.LICENSE.txt2023-01-27 11:23:12.593 11241100x8000000000000000323001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.592{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\2.27310396.chunk.js.LICENSE.txt2023-01-27 11:23:12.592 11241100x8000000000000000323000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.588{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\robots.txt2023-01-27 11:23:12.588 11241100x8000000000000000322999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.584{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\build.txt2023-01-27 11:23:12.584 11241100x8000000000000000322998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.572{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\subcenter.win32.bundle.LICENSE.txt2023-01-27 11:23:12.571 23542300x8000000000000000322997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.484{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3D4CB669A1CED604A02D9413E10239,SHA256=80B56F0569F76D4A8EEF728B64D0021BA170DEAA005601B4AD7FBA9525FA685B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000322996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\index.win32.bundle.tpn.txt2023-01-27 11:23:12.356 11241100x8000000000000000322995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\index.win32.bundle.LICENSE.txt2023-01-27 11:23:12.348 11241100x8000000000000000322994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:12.006{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\index.win32.bundle.LICENSE.txt2023-01-27 11:23:12.005 23542300x8000000000000000447570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:13.978{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9038ADA4CA63D52F0C17DB7B2D7987A8,SHA256=CB209B17821F6B28E597A3D99F56B779700786DCE20E6F56EEB72AE05EDE2F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:13.597{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC95DC89762C722505E48B3A8BBACBF,SHA256=DA4740A808FD7E3B2E80CC1A8ED788F0403C53DDF46FC9D7B0765F272ADDFE0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:09.868{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000323020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.979{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\windowsspeakerrecosdk.dll2023-01-27 11:23:14.979 11241100x8000000000000000323019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.959{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\upe.dll2023-01-27 11:23:14.959 11241100x8000000000000000323018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.959{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Ucmp.dll2023-01-27 11:23:14.958 11241100x8000000000000000323017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TecProxy.dll2023-01-27 11:23:14.944 11241100x8000000000000000323016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextConversionModule.dll2023-01-27 11:23:14.943 11241100x8000000000000000323015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\tmpod.dll2023-01-27 11:23:14.943 11241100x8000000000000000323014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Tec.dll2023-01-27 11:23:14.942 11241100x8000000000000000323013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:14.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL2023-01-27 11:23:14.823 11241100x8000000000000000323012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:14.733{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\index.win32.bundle.LICENSE.txt2023-01-27 11:23:14.726 23542300x8000000000000000323011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:14.607{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0E2079A3EBA22043149875806B2647,SHA256=CEE620E255F749396680C24C09E8690E285018D461BE7B390FD9A6588AC050C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000323010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:14.399{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\index.win32.bundle.LICENSE.txt2023-01-27 11:23:14.398 11241100x8000000000000000323081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.928{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:23:15.928 11241100x8000000000000000323080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.924{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:23:15.923 11241100x8000000000000000323079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.923{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:23:15.923 11241100x8000000000000000323078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.923{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:23:15.922 11241100x8000000000000000323077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.922{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:23:15.922 11241100x8000000000000000323076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.922{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:23:15.922 11241100x8000000000000000323075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.922{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:23:15.921 13241300x8000000000000000323074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:23:15.796{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d93241-0xbfe6919b) 23542300x8000000000000000447571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:15.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF6BE78541100C3EF809A483EA31B58,SHA256=1881ED78EA3595F26ECC953F6F338BB0EBA26AB4737F589D2D6F7CC3A07DAA57,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000323073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:15.596{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT2023-01-27 11:23:15.596 11241100x8000000000000000323072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcr120.dll2023-01-27 11:23:15.500 11241100x8000000000000000323071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll2023-01-27 11:23:15.499 11241100x8000000000000000323070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDRES.DLL2023-01-27 11:23:15.479 11241100x8000000000000000323069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL2023-01-27 11:23:15.478 11241100x8000000000000000323068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmsrv_xl.dll2023-01-27 11:23:15.310 11241100x8000000000000000323067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll2023-01-27 11:23:15.309 11241100x8000000000000000323066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll2023-01-27 11:23:15.308 11241100x8000000000000000323065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmtransactions_xl.dll2023-01-27 11:23:15.308 11241100x8000000000000000323064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.305{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmpersistence_xl.dll2023-01-27 11:23:15.305 11241100x8000000000000000323063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.300{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dll2023-01-27 11:23:15.300 11241100x8000000000000000323062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.297{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmapi_xl.dll2023-01-27 11:23:15.297 11241100x8000000000000000323061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.296{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dll2023-01-27 11:23:15.296 11241100x8000000000000000323060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Odata.dll2023-01-27 11:23:15.286 11241100x8000000000000000323059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll2023-01-27 11:23:15.285 11241100x8000000000000000323058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.285{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.DataFeedClient.dll2023-01-27 11:23:15.285 11241100x8000000000000000323057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.139{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\adal.dll2023-01-27 11:23:15.124 11241100x8000000000000000323056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.138{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:23:15.123 11241100x8000000000000000323055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.123{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:23:15.123 11241100x8000000000000000323054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.123{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:23:15.123 11241100x8000000000000000323053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.123{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:23:15.122 11241100x8000000000000000323052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:23:15.122 11241100x8000000000000000323051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:23:15.122 11241100x8000000000000000323050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:23:15.121 11241100x8000000000000000323049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.121{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:23:15.121 11241100x8000000000000000323048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.121{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:23:15.120 11241100x8000000000000000323047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.120{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:23:15.085 11241100x8000000000000000323046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.084{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:23:15.084 11241100x8000000000000000323045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.057{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll2023-01-27 11:23:15.057 11241100x8000000000000000323044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.057{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:23:15.056 11241100x8000000000000000323043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll2023-01-27 11:23:15.056 11241100x8000000000000000323042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:23:15.056 11241100x8000000000000000323041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:23:15.055 11241100x8000000000000000323040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:23:15.055 11241100x8000000000000000323039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.055{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:23:15.055 11241100x8000000000000000323038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.055{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:23:15.054 11241100x8000000000000000323037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.055{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:23:15.054 11241100x8000000000000000323036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.055{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:23:15.054 11241100x8000000000000000323035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.054{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:23:15.054 11241100x8000000000000000323034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.054{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:23:15.053 11241100x8000000000000000323033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.053{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:23:15.053 11241100x8000000000000000323032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.053{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:23:15.040 11241100x8000000000000000323031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.040{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:23:15.040 11241100x8000000000000000323030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.040{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:23:15.039 11241100x8000000000000000323029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.040{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:23:15.039 11241100x8000000000000000323028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.039{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:23:15.039 11241100x8000000000000000323027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.039{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:23:15.038 11241100x8000000000000000323026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.038{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:23:15.038 11241100x8000000000000000323025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.038{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:23:15.038 11241100x8000000000000000323024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.038{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:23:15.038 11241100x8000000000000000323023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.038{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:23:15.037 11241100x8000000000000000323022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:15.037{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:23:15.037 23542300x8000000000000000323021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:14.999{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2100596F285E720218ADE12D3E8426C7,SHA256=A16044B58D1C8F9CFB83638450A04468DB12FF045827B1B982D13775696FADC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000323127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.643{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v8.1.dll2023-01-27 11:23:16.642 11241100x8000000000000000323126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dll2023-01-27 11:23:16.641 11241100x8000000000000000323125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.638{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v8.1.dll2023-01-27 11:23:16.638 11241100x8000000000000000323124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.614{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v11.1.dll2023-01-27 11:23:16.611 11241100x8000000000000000323123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.591{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll2023-01-27 11:23:16.591 11241100x8000000000000000323122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.591{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v11.1.dll2023-01-27 11:23:16.591 11241100x8000000000000000323121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.591{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinChart.v11.1.dll2023-01-27 11:23:16.583 11241100x8000000000000000323120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.571{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraChart.v8.1.Design.dll2023-01-27 11:23:16.570 11241100x8000000000000000323119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraChart.v11.1.Design.dll2023-01-27 11:23:16.558 11241100x8000000000000000323118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.540{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v8.1.dll2023-01-27 11:23:16.540 11241100x8000000000000000323117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dll2023-01-27 11:23:16.535 11241100x8000000000000000323116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Shared.v11.1.dll2023-01-27 11:23:16.534 11241100x8000000000000000323115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:16.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt2023-01-27 11:23:16.534 11241100x8000000000000000323114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DocumentFormat.OpenXml.dll2023-01-27 11:23:16.533 11241100x8000000000000000323113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:16.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt2023-01-27 11:23:16.533 11241100x8000000000000000323112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:23:16.533 11241100x8000000000000000323111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:23:16.532 11241100x8000000000000000323110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:23:16.532 11241100x8000000000000000323109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:23:16.484 11241100x8000000000000000323108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:23:16.483 11241100x8000000000000000323107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:23:16.484 11241100x8000000000000000323106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.483{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:23:16.483 11241100x8000000000000000323105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.483{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:23:16.482 11241100x8000000000000000323104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:23:16.482 11241100x8000000000000000323103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:23:16.482 11241100x8000000000000000323102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:23:16.482 11241100x8000000000000000323101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll2023-01-27 11:23:16.035 11241100x8000000000000000323100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp120.dll2023-01-27 11:23:16.034 11241100x8000000000000000323099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.015{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDRES.DLL2023-01-27 11:23:16.015 11241100x8000000000000000323098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.015{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL2023-01-27 11:23:16.015 11241100x8000000000000000323097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.014{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:23:16.011 11241100x8000000000000000323096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:23:16.010 11241100x8000000000000000323095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:23:16.010 11241100x8000000000000000323094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:23:16.009 11241100x8000000000000000323093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:23:16.009 11241100x8000000000000000323092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:23:16.008 11241100x8000000000000000323091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:23:16.008 11241100x8000000000000000323090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:23:16.008 11241100x8000000000000000323089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:23:16.007 11241100x8000000000000000323088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:23:16.007 11241100x8000000000000000323087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.008{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:23:16.007 11241100x8000000000000000323086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.008{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:23:15.929 11241100x8000000000000000323085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.008{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:23:16.007 11241100x8000000000000000323084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.008{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:23:16.007 11241100x8000000000000000323083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:16.008{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:23:15.929 23542300x8000000000000000323082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:16.005{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17957476390F1DA7EC597C6BD0C8C83,SHA256=3011341994442A60BB808CB9588AFA4AEE9A9B4D0BDA71D12F68F12B3B8AC95C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:16.295{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F47DA82A29F40283A9AEE5E5D26AED,SHA256=A915DC869C84F96736011FC7729AD8DCA23B3CC8989B25A063E4728EA24B2B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:16.202{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8EE9545C0036B1EB588B5767AF738E6E,SHA256=CBFE4419105A7AF7670ED1AA7187E2924DAC334910F87B225DA1F85D34BE2AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:14.947{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:17.375{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8392F49E9C6FD3867737FC359A24ED53,SHA256=093459924DA87C0824946408A9485FD8CCDAA6DBB1EC5267E3D2E9BE74512349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:17.531{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6682678C9754AD4659478A00E983F,SHA256=FB576E1A13B583BAC81A1A983CBEE454AC3600C7C83378C68CC3F07946A10ED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000323160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.198{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib120.dll2023-01-27 11:23:17.198 11241100x8000000000000000323159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.198{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib110.dll2023-01-27 11:23:17.198 11241100x8000000000000000323158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.198{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr120.dll2023-01-27 11:23:17.197 11241100x8000000000000000323157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr110.dll2023-01-27 11:23:17.197 11241100x8000000000000000323156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr100.dll2023-01-27 11:23:17.197 11241100x8000000000000000323155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp120.dll2023-01-27 11:23:17.196 11241100x8000000000000000323154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.171{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp110.dll2023-01-27 11:23:17.171 11241100x8000000000000000323153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\atl110.dll2023-01-27 11:23:17.167 11241100x8000000000000000323152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\atl100.dll2023-01-27 11:23:17.167 11241100x8000000000000000323151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.159{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll2023-01-27 11:23:17.159 11241100x8000000000000000323150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.159{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp120.dll2023-01-27 11:23:17.159 11241100x8000000000000000323149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.159{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.XlsIO.Base.dll2023-01-27 11:23:17.159 11241100x8000000000000000323148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Tools.Windows.dll2023-01-27 11:23:17.158 11241100x8000000000000000323147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Tools.Base.dll2023-01-27 11:23:17.158 11241100x8000000000000000323146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll2023-01-27 11:23:17.157 11241100x8000000000000000323145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Base.dll2023-01-27 11:23:17.157 11241100x8000000000000000323144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grouping.Base.dll2023-01-27 11:23:17.157 11241100x8000000000000000323143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Windows.dll2023-01-27 11:23:17.156 11241100x8000000000000000323142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll2023-01-27 11:23:17.059 11241100x8000000000000000323141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Windows.dll2023-01-27 11:23:17.156 11241100x8000000000000000323140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll2023-01-27 11:23:17.059 11241100x8000000000000000323139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dll2023-01-27 11:23:17.059 11241100x8000000000000000323138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.057{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\stdole.dll2023-01-27 11:23:17.053 11241100x8000000000000000323137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.054{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v8.1.dll2023-01-27 11:23:17.053 11241100x8000000000000000323136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.053{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Northwoods.Go.dll2023-01-27 11:23:17.053 11241100x8000000000000000323135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.053{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.v11.1.dll2023-01-27 11:23:17.053 11241100x8000000000000000323134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.052{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Compression.Base.dll2023-01-27 11:23:17.052 11241100x8000000000000000323133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.052{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll2023-01-27 11:23:17.052 11241100x8000000000000000323132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.052{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v8.1.dll2023-01-27 11:23:17.052 11241100x8000000000000000323131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.052{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v11.1.dll2023-01-27 11:23:17.051 11241100x8000000000000000323130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v8.1.dll2023-01-27 11:23:17.051 11241100x8000000000000000323129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:17.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v11.1.dll2023-01-27 11:23:16.644 354300x8000000000000000323128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:13.432{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50981-false10.0.1.12-8000- 23542300x8000000000000000447584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:17.204{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0FF9EF577C57E5547D0E521CF1A8C52F,SHA256=3610870815DE615F7DC9EC059FB49705959EFAA6603A3B240B31E7CDD3BB2ED9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000447583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000447582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006042b3) 13241300x8000000000000000447581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x5eaa3cdd) 13241300x8000000000000000447580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0xc06ea4dd) 13241300x8000000000000000447579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0x22330cdd) 13241300x8000000000000000447578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000447577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006042b3) 13241300x8000000000000000447576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x5eaa3cdd) 13241300x8000000000000000447575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0xc06ea4dd) 13241300x8000000000000000447574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:23:17.102{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0x22330cdd) 23542300x8000000000000000447587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:18.473{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D562F00F030343E05B6AC7399BF3EF4,SHA256=11A62A7282EC24417724F933F87D708DF144934DD41F817AF523939DC231B3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:18.160{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A561A3BFEDCAD3774D0896B812D6EB93,SHA256=E26FC49E6F737B35341B5F7F1A7C60D14B3E4C26C149FE51DB6081B9CE2946D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000323162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:15.062{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 10341000x8000000000000000447607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.692{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.646{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.626{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.620{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.616{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.612{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.558{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D509C70452F73556C6130D6CBFA0511,SHA256=EDC81F693F0E06E9C87391F21FBCFBA244732F2EA9B39B0DEF78C48735D20248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.531{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.499{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000323164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:19.069{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EF5065E4AC37E279D574B5DD754525,SHA256=71CF88353683AF04ACC8D1C0BD44656C6DB114E7C853B3969E8F7C761DAD6EE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.475{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.462{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.446{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.434{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.424{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.399{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.388{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.370{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:19.302{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.586{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075AF4F9C91734AAD7185089658812AB,SHA256=4D65957B8E99D01F97388B8E886380C9A769DAC48ECBB06B19A72EB37BAC26BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.795{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.782{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.774{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.773{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.764{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.755{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.733{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.724{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.692{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.684{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.671{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.664{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.661{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.658{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.657{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.655{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.651{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.650{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.648{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.647{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.645{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.643{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.641{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.633{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.628{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.619{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.616{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.609{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.583{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.578{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.557{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.512{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.507{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000323174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.490{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000323173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.482{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000323172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.467{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000323171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.460{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000323170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.448{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000323169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.438{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.426{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.420{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.413{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000323165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:20.079{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ABDCC46947DBAF56443FBFE80CB49F,SHA256=4419C8C393A82CBD745E252C43E1F65EF7519D7191A090ECE44C78ED2B8E7E51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.317{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.313{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.310{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.308{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.306{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:21.687{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCAFC7D44A21CB893C3EE94E41BA749,SHA256=503353A1B1AE20A728FCDB5C45CAC25ED35EF5B1CB8B220EB79F0211AD6CEAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:21.620{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B59358E6FFF0AEC8C845A43E38ED9A,SHA256=B58262DBDD1C39A3CA3C0DAA2A810460F6606D959A0675815DB92080004668A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.991{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.986{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.976{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.957{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.926{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.919{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.904{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.896{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.891{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.885{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.882{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.881{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.877{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000447620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.782{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA98B7151AFB2B14A27483EF660604F5,SHA256=1338B0366F79BEC7D6EEE2BE90668A325820CCEA2631D347F46F49109730E945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:22.639{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4708E8378D0217D9056BB66CE433BF96,SHA256=1345A79B2A5F293E8F1617823580B52F1ED1740FD62F090AB80F0066DBDAD8B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.363{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.362{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.356{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.341{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:22.332{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 354300x8000000000000000323209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:18.492{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50982-false10.0.1.12-8000- 23542300x8000000000000000447636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:23.842{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E1791B6C80AEA74FFBCB2A40230B16,SHA256=106BB40CF0DE67D28C3D66C12C1D385C86A0BE5228113EDC86184D1095E41E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:23.649{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F52FFCD50EB337D932688E01BA517D,SHA256=8852CA0E2CBD8F87B4821175C0D6FC66BB4E960D79EB302190F6EE3F441A629C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:20.779{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:23.021{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000323211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:23.140{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:24.941{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76271F6AEA2D6925A5964DB0B73A279E,SHA256=B34BF02B870FD2F26BEE1B1844AB8EA51B36966970DD46A82F5BBDE941F38152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:24.660{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D16B7AC04EAFEA1AB3F60015768DA2C,SHA256=941591BF045F010268F9DE5ED7A1A6C0C1C80274BE347B19AD42A7049ACBD91C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000323213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:24.146{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:25.775{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0486D5B53AEFFE9021C128A241845EB6,SHA256=701B231E141563F279754FB6C1453797D4EAD20B9BFF6D5117608A9FC6304647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:26.787{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5375E4C19F92D0E551509AD311C9F2B2,SHA256=BE9B41F1DEE7310847110D47E0638086C41A7E21064CA2B597483127E9513CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:26.034{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6433EBAED05CF9030A8E5D3A4779836E,SHA256=DFF2C2B3C9D35C1D7DAA88130CB8CF67421FE0EDDD158C41DDE19B098EE59D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:27.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349EA8552D64CA7FA3A3AE8BAC1FC4EE,SHA256=9E6DC10B23E119E9436331C1F87177D01FDE34D996FE53D9BF5B74A546E9BE3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000323217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:24.394{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50983-false10.0.1.12-8000- 23542300x8000000000000000447639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:27.119{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2001F6E59A8AE3E2043C28FABBF0BAE4,SHA256=EB4A558ACA796EB77D91377162B132D9F8A5EBC677F876F02582D7F1C971827A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:28.910{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1C39649AC62132392317F458899957,SHA256=85959A1E1A7593C49F86079958E5C0844010C1534D1C5C9062586F1BF6DDCFCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:28.202{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADF05731889323870EAC17E17E63DB1,SHA256=105CF271D1D21C8A9716CA4648A6613FC41A77D341909E2A72701FC2BC9EDC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:28.375{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B252FA27BAABBC9203730206D775BE0C,SHA256=72D5B4BEF1E786AB5D7C32AD07B9EF681B79A631F712E5A9092327864AF125EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:29.291{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80020DD75F5B41CE72286F368973084,SHA256=A9FD9A5495A38BB6E31756452CFB26D1E530AFF8B2F7285C5523D40BA876F473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:25.818{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000323221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:30.122{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFE1EE2326BA137C9B3ABE3D86BF6A4,SHA256=A1E21354052500D9CD2EC8A06C863020E5602ACBD29F215463E9A6CBBD9AE3E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:30.389{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0148295120B38EA7C6E508440B9419D5,SHA256=6F7705FB9D0E481D574E20BA5DAF9B2758309C1C14828D454992F86D6CBDC92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:31.340{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236EC35CEF17784B509710CC48345731,SHA256=C8D5DA23D6D9B43140C56AD7A66D58F6AD05F8DAC5458F5B96140CFCEAACCFAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:31.475{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7403ABEB0E47E8D94C7B0D6FB1620263,SHA256=7DCD8B52AD6030626BBDF42D2E2C9693FCA3C582C589486151FD6C8A36A63DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:32.562{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BA0AA6449C92DC0E8832FF9AC4A5F5,SHA256=D44B07D7E75AEF5EE067601832DC8E3D93F05A516B0273E209E5D9AA8E86BEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:32.350{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7747FFFFE401CB4CEB1EC2066519693,SHA256=4062A4C0B2AD94FBBC2A71848E31742D9062AD40C6EEC1D983C5E6912326EE86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000323223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:29.463{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50984-false10.0.1.12-8000- 354300x8000000000000000447647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:30.918{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:33.753{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DDE75AF3FFAAAD3C21C032839CE5C8,SHA256=D8E715551F9FFE9B185B5C9A3E31F5A0FC4D45F1A4E6353A5C32923FC8A55C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:33.403{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415FBA994106762687EF6842DD21BA1B,SHA256=AA4D7C73A9EA4F2E6F34352D95C8230C97AE893A8E85FD1D435281A078A45A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:34.636{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01419187FA95723B5D70D1459F95800,SHA256=3B1F966EDA0CD2C74014487CC58480CC20ABC94E298C148F2712F2AC37CAAD0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:34.842{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2873B9C9E22ED12B8EF2A68C65EF36,SHA256=9CB90EE62052FA18BB5A59F23BD7F0EC9A496E266BE8A426D3F26BA1E1D9FFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:34.123{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:34.234{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28F46F5D6C5C9A944D2BAA29F789D664,SHA256=48DA759BAFA9781BD5E1D1BD3296F685AB343A9D1524238E9C3D5F8353B461D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:35.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813C45C1E098114743C89D74C6FB6665,SHA256=0783CD0BE3AF320C0395916B4B2A28FD54ECCCEA81C1A23C20944643884E541A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:35.940{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB3124D47643B8C8A73DDC724421B03,SHA256=F487C06A5AAB6A3E94D9BE63E4691CBD6F565D58760EE8778EDF20EBFB09A539,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:32.648{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50985-false20.126.106.131-443https 354300x8000000000000000447650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:32.003{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50221- 23542300x8000000000000000323230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:36.843{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA7302BADF66DEDE3B09AA75C4EAE69,SHA256=971EDEBFFA8183904DE49DBD317D99F1147BC20C46A1D3E2003DBD5F0BF6DEAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:37.856{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8243AEBCF7BC87D4F112D111D0D9A4C,SHA256=48ABE0A228B43DA6D00DA014C4AEF03F5FCB8CBAFAC04D3FC32F597F3DDE306A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:33.830{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63675- 354300x8000000000000000447653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:32.792{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000447652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:37.026{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D69835B627C542C9E61FA2A3F72584E,SHA256=31BA6B128890000DCDAD39F21D9426E1ED219E45D4CC716785489E98A0BBBE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:38.869{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E33F50BA602708A2CCBA98A4992E7C,SHA256=F3E1A1778BE4D4978DDD21781CA8EE0E59F0387AE7AB4E48EDCD55A676B934C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:38.806{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000323232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:35.445{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50986-false10.0.1.12-8000- 23542300x8000000000000000447655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:38.125{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E1A4E8A329C78FD94B2D4C54F24C0D,SHA256=AEB201664B5E86AEBB7FFABC40B4F01F135A06582EB7139BB3A66BAA7F99A368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:39.886{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843D39D562F3226FE5D899DCD040966E,SHA256=2547DA3C04ADDD527BCDD7B62B935D4DC219DF87AF911FDDDCB0F2B520FCA0C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.636{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.620{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.607{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.603{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.594{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.545{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.519{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.328{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000447657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.320{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000447656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:39.204{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A4E0FE966110770984897E06D74EBE,SHA256=266CE68EC45D44F1A88627B4786E5DB15B2D1750DEDF85BBC146A528849A397E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000323236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:39.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll2023-01-27 11:23:39.393 11241100x8000000000000000323235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:39.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll2023-01-27 11:23:39.392 23542300x8000000000000000447682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.320{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06B2A6808E70B337B59358D8E953EE3,SHA256=17B0F6D33C4DF19BFCF93B56C6C67B1408D7A99CDA20F33AC8ECC8ABD7D97F37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.672{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.656{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.645{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.642{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.632{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.624{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.611{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.609{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.575{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.570{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.558{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.554{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.552{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.547{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.545{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.544{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.540{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.539{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.537{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.536{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.535{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.533{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.530{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.522{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.518{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.511{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.506{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.496{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.484{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.482{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.474{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.444{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.439{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.426{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.417{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.405{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.400{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.394{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.379{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 354300x8000000000000000323241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:38.060{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50987-false10.0.1.12-8089- 10341000x8000000000000000323240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.358{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.326{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000323238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:40.316{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000447681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.254{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.251{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.248{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.246{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:40.244{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 354300x8000000000000000447676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:36.873{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000323281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:41.314{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6565597F1AC4CE1384C9609B7A0B1AD0,SHA256=7FAFE32A5FA439B276BE993A8216AD120BA5E01FDBE117E4313282A6CEF9DEE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:41.423{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7857348805C89EAE40E8FD46356864,SHA256=F6ADE6BE3FB0635303D7D58FFFC07B1AEEA33C75AB86F1A8E08D6C21EE5ED4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:42.439{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3879C9A7209BF8F2ADA8F6D8D79881BE,SHA256=781226521226FDE9B3007A7476B2E50039265AD9DE71634920A03F03B366F717,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.929{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.903{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.899{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.872{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.842{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.835{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.826{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.820{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.816{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.814{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.812{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.498{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9E48559786C354FA0FE45DE666DED0,SHA256=8ED632A3B7F3EFD40BAAD7EE6B7C072E8C88363617E97001F3875636C4B76751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.336{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.299{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.283{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:42.272{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000323283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:43.550{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787A01E291AE29195F4669FE4FDD920C,SHA256=D184F5AD9924F5E733E40565403CB80BE6476F64122E949341ADE1D30E523505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:43.589{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21A99FB3A31F1F943599300C98AE4EB,SHA256=9B209B7E9F76B73C8FBFB5AD94AB54766747071156FF6358ECAD2A085291B5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:43.370{45AAC21C-9B85-63D3-0D00-00000000BC02}8924856C:\Windows\system32\svchost.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:44.560{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CFE504EB2799E4EFD153A8DD09E295,SHA256=522976E96D6F26D060DC2B223455C90584B0EDECDB1AC1191CDF223ED1FEC5C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:44.682{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644CCABA69DA48AE72B38AD8C73B45A,SHA256=6C723E43521913F8E035ABB2CCBCEC8923E2A4C5027A011C585A7BFFC7CF5894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:41.296{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50988-false10.0.1.12-8000- 10341000x8000000000000000447717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B441-63D3-C303-00000000BC02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B441-63D3-C303-00000000BC02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.909{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B441-63D3-C303-00000000BC02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.911{45AAC21C-B441-63D3-C303-00000000BC02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.784{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF29A996BA5A2B7541B37A05CD572DEF,SHA256=C45CDA386F924A8734A4BC291CDF5F0B0E7919C6279DAD14566435982B308A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:45.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BFE0CDEF492C691E25600CEB76DCAF,SHA256=BB12DB0440E7CA88FFE4DBA06AD2131053E15D7DBE88C55801134CD795077173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:41.887{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.951{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1B3E6055A6F45319BDE4E6B4EB65F1,SHA256=C18405C23C62E2C23F4CA29596A222FD0D9C49470DA9A2F853F14E4D30DE19F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5B37815A87539F68B139729F703B6B,SHA256=17A6E003B8016657585D023FFB6D3527242A5C6815D1D88093AE66641AA4102C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:46.699{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF63D410EF4703B215B8CA96E6BF58,SHA256=6AAB977508FA350AF061887A1FF9B8EB04D9DEADBCB77B3ACBABD1D8A1A197EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.530{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B442-63D3-C403-00000000BC02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.529{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.529{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.529{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.529{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B442-63D3-C403-00000000BC02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.529{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.528{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B442-63D3-C403-00000000BC02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.528{45AAC21C-B442-63D3-C403-00000000BC02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.358{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=908D97E8014ADC44D8663DA94A91700A,SHA256=6F4447A381F96512D18255621C27A72C6D870E82A10A50A1C74F36EC4D292300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.144{45AAC21C-B441-63D3-C303-00000000BC02}37564712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.963{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C17015298735CC60713247C58A358A,SHA256=01725C43C11AF0F39E328C33D372F74BF680AC9157923C3DA7F644E759D8BA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:47.798{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A357D89115621D977376587982524D0,SHA256=CFB80956B9AF70AC862C38C08620CBC000AF1AD546F3AFA4D8508CF26538F840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.347{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D2074457A1120E48FBFBBF92A96143D6,SHA256=45EA94C17E7F86D7C0C962A01101A7A86DAF60E55EBBBB326DA89E19F9A6E770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B443-63D3-C503-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B443-63D3-C503-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.029{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B443-63D3-C503-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.031{45AAC21C-B443-63D3-C503-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:48.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA030212150819DB614BB77BF35F6A3,SHA256=8F0DF7A85432887662EE7913AF1DB8C876F6E23EE2D0E7E30BCCC778E64DA2A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:45.532{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57244- 354300x8000000000000000323289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:46.096{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50989-false204.79.197.223-80http 23542300x8000000000000000323293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:49.823{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD110E3A5B3A1472279A3787A5F180,SHA256=46D7BC7DD4327C187890D407C2A56EB8012005EB9308887C055E347CBF159329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B445-63D3-C703-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B445-63D3-C703-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.864{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B445-63D3-C703-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.865{45AAC21C-B445-63D3-C703-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.425{45AAC21C-B445-63D3-C603-00000000BC02}33444884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000447751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.253{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:46.253{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000447749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.203{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.202{45AAC21C-B445-63D3-C603-00000000BC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:49.139{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9F84B37E03688164D72891BDFDB667,SHA256=B1EFA9F59175A1A3421F2596E34A0C1AB4927D4923A60BBB27B0D971E6F5809D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:46.357{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50990-false10.0.1.12-8000- 22542200x8000000000000000323291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:46.090{72106695-B403-63D3-B103-00000000BD02}6092f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 23542300x8000000000000000323294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:50.838{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213BDFA5030D6D0983030820BF45E868,SHA256=6C22E9BAB716C66A3AD234EE7545C2D0396900910468D0F07ED4EC0E8B66C6E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.653{45AAC21C-B446-63D3-C803-00000000BC02}56964728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.380{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.381{45AAC21C-B446-63D3-C803-00000000BC02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:47.744{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.239{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2253536BF299F2BA5A212E7B4C15EC6,SHA256=6A9E5963514BED48DEA0D0AAE329DE8BE529A937FBFEEB8DFD7BC3AF2C7DC118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:50.098{45AAC21C-B445-63D3-C703-00000000BC02}26526128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:51.947{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38233F1D2069097E9704E711FDA339AD,SHA256=25CFCC947DFDF4399EFEED71428BC55C9EDC2798E867A3165C5E8E1DC2B31C61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B447-63D3-C903-00000000BC02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B447-63D3-C903-00000000BC02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.651{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B447-63D3-C903-00000000BC02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.652{45AAC21C-B447-63D3-C903-00000000BC02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:51.434{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D681D97C80650627B2ED1CACF4AD68,SHA256=F40ADBAEF0F92E9701AFBF5165BFEC0C36755A5E583351FE6F10FEDFE2CD790E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:52.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A72E2B5B076843C39611810559532,SHA256=7B0576CB2586A132BD53768DE71E5CDCBE63E8E0167DDA2F83F3A8D023A1BB86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:52.740{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13CA0943C804EF84C669574ACECB687F,SHA256=B8B728C6C669180E442767E366122FBEBD317A575CC3809585B68B71E31E679B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:52.526{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96D8408FD8C8DF2BCBE695B6816B5F3,SHA256=C7D522CA75EB63529334663EC634FF45029F0E54E68B0D95ED1CF093B4A3A6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:52.124{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-102MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:53.717{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087FF28771057DDBD4A8D4493F5C5B10,SHA256=1CD8D3D129361FC490C318C3E0A1CA115F82706201B437F6BD4EC185DBD1AC3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.771{72106695-B449-63D3-BA03-00000000BD02}636740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.526{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B449-63D3-BA03-00000000BD02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.524{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.524{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.523{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.523{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B449-63D3-BA03-00000000BD02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.523{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.523{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B449-63D3-BA03-00000000BD02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.523{72106695-B449-63D3-BA03-00000000BD02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:53.122{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:54.814{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C543FDB1E623877DD4AEA6AE8E2A1B,SHA256=A1B7EF3CF038234628C8158D985DCF9AA94D94CEA69B8977BC066C5AF528B2BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.616{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44A-63D3-BC03-00000000BD02}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.614{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.613{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.613{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.613{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.613{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B44A-63D3-BC03-00000000BD02}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.613{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44A-63D3-BC03-00000000BD02}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.610{72106695-B44A-63D3-BC03-00000000BD02}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\B34D8FFE-5FBD-47B8-95D1-0ADB41DF9DBD_stream.x64.en-us.datMD5=CF9D4BC35644F035B6BCB3FDD5A6FF15,SHA256=2E8FCB790396B5DEA3D83268218513CE5C267481141736A7A02CCE501A62EFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.530{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68305A2A03F0B173809565D2CE644A5B,SHA256=1A5DEA04CF62635A8C0149AEB27DB7E302525C544E51A76757E6BE8D9AF90D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000323318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:52.356{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50991-false10.0.1.12-8000- 10341000x8000000000000000323317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.324{72106695-B44A-63D3-BB03-00000000BD02}42525996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.094{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44A-63D3-BB03-00000000BD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.093{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B44A-63D3-BB03-00000000BD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44A-63D3-BB03-00000000BD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.092{72106695-B44A-63D3-BB03-00000000BD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:54.086{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA78124CFFC39891B8B4C07320495F8,SHA256=D3733F529ABEC5C72D59EE7ED1E7743C27EB1E8BA546505CE516B30011720959,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000323338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.586{72106695-B44B-63D3-BD03-00000000BD02}43484620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44B-63D3-BD03-00000000BD02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B44B-63D3-BD03-00000000BD02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.401{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44B-63D3-BD03-00000000BD02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.402{72106695-B44B-63D3-BD03-00000000BD02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:55.116{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36533767B034CC67ADA166EC8CE2D64,SHA256=DB7324E5AF3FD4B1079F9CA9AEBA3274D99B61ED3705D635A44A1ED5BB3E57D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:52.918{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000323355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.806{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.806{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.806{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.806{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.696{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44C-63D3-BF03-00000000BD02}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.696{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B44C-63D3-BF03-00000000BD02}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.696{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44C-63D3-BF03-00000000BD02}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.697{72106695-B44C-63D3-BF03-00000000BD02}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.202{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C6805221710CB3508E65A8171C96D8,SHA256=57176E221CDD315CF70090B457C3B30338EB3B71242E1E55DA633932D360EEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:56.017{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5679D95F41E9DDDFF45D99CAD285A532,SHA256=38CC51444E174A4EA9D22008E6BA816B02D3D8D3CAA680513118C111CBDB05F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44C-63D3-BE03-00000000BD02}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B44C-63D3-BE03-00000000BD02}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.038{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44C-63D3-BE03-00000000BD02}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.039{72106695-B44C-63D3-BE03-00000000BD02}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.573{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2312389C3F0B64714F156AE6EECD0FF,SHA256=5DC5ECF060D303746A84C54861E23A0D120ACB2F29F01FB8D0A54A9D08964097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000323364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.542{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.542{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.542{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.542{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.385{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B44D-63D3-C003-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.370{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B44D-63D3-C003-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.370{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B44D-63D3-C003-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.371{72106695-B44D-63D3-C003-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:57.106{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AC7F2D5E174CCB2D1702EAF960916C,SHA256=E02FF3D8F328DB29B4B25FFE5C2DEAB7675891F792ADE4C00B27005873C47FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:56.837{72106695-B44C-63D3-BF03-00000000BD02}43604864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:58.762{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F0EEBF43758600FD03BAEE246E721B,SHA256=209FFB684F20E9C4A4597D87CADA849D937DCB3AFC79CEB65EEC356938F2EF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:58.185{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4EBA13A71985310FAFA576E109AD7A,SHA256=15BEDA7DC08180DDFD9B69E80E41BA0EC81078E231A3ED8D729454361182ADCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:58.473{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=911DB07AA81073EE73AAC01F1F1AB4C7,SHA256=5D5FB578B269EFE880DAD1F7F9D892FBF8869DB9AEA3298E29F0DC3ED56D29D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.582{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.564{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.557{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.552{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.548{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.499{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.474{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.462{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.451{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.441{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.430{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.416{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.406{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.387{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.375{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.314{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.310{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000447796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:59.279{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC715367EB324481EF335DFB63EC25D,SHA256=1E0FDECC35CFD331F02232623B994433E17632473E244482F49587BE37A8A41B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:57.358{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50992-false10.0.1.12-8000- 23542300x8000000000000000447821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.405{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AD20D5CE4E7F1C5117C7D5015A2E28,SHA256=0662AA5B959A761EEB801D3C927EE356D4E3C6567AD573C0B5A3167EC71E6BDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.997{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.981{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.954{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.951{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.924{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.908{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.880{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.873{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.839{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.821{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.797{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.787{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.784{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.781{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.777{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.775{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.767{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.765{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.761{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.760{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.758{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.746{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.741{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.710{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.704{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.681{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.672{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.654{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.640{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.631{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.587{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.486{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.473{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.461{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.450{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.399{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.377{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.369{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.348{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.339{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.330{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000323370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:00.327{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000323369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:59.997{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C36A849C65AF39DB17568CD83320549,SHA256=5D9EED2F746CA0B69BE1C4766C07D95026D6F7ED30F2788574810A50FC2826C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.176{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.169{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.164{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.161{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.159{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000323412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:01.343{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB80B819307950DF428D10AF50C28C8C,SHA256=5C8CC13827F457826939CC4998FC66786FB4F74B25DF0476EA5A25750D3473A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:58.903{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:01.608{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5621446961C58F7C264C98AC693B7CE7,SHA256=5BEF5EAAED653DA63CDBE6DDBCD809B1DCA9099639621A835241727955C123B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.914{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.887{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.883{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.863{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.846{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.806{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.797{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.782{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.770{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.765{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.759{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.756{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.755{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.751{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000447830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.688{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECDB45D30B36C69D2BD2EB1C8715230,SHA256=03FBD3B2CE439A89926C532504713DC179BE3FE200C98E80111574AF1E139B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:02.395{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DB82B9A24CDD614E66EC7808AC2E35,SHA256=CCC96EB355C13C4C7A03841B4C91F90E30C207767FC5ED85F454D86AE136BD72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.237{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.236{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.234{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.214{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.214{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:02.204{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000447874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.849{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560E2A030E7D3483B526F82D459B972A,SHA256=35FAA4ABA0B0AF7AAFE415E8DDB08ED4FF6933E6BCF36B7893618B4B33100EC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.916{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52691-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 11241100x8000000000000000323416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:03.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\C2R64.dll2023-01-27 11:24:03.719 11241100x8000000000000000323415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:03.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll2023-01-27 11:24:03.703 23542300x8000000000000000323414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:03.477{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89BD9BE0F20D6E2359799E5CC2030A1,SHA256=32736FC45498903319DE543608A5C2509C7740E680D016E96086F9728B4BC2D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:00.916{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52691-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 10341000x8000000000000000447871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.366{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000323418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:02.394{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50993-false10.0.1.12-8000- 23542300x8000000000000000323417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:04.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CED36D67FC1D64399BA8F88E7B4D393,SHA256=5EE4D0D157D5F5AC872578CB8D85B0339E77911B2D6CA7DCAB42CB6F1006544F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:04.756{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A555CFE6A75E00242DCCAF67AFF999,SHA256=25235B6F8C01DD0FBFCBC865ED82C2F633B16C542C9FF011FA3EA9564EF755F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:05.703{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF84B26A1551261318DC1A44FBFE0C67,SHA256=7BA0075AA1A47DFC097EE994DA97335A7BC3BB2830BE5FCEAACFA21AF3A26DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.848{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE23233B1AFE64D8FC3F2A416BF6C70,SHA256=CB61C2ED6698B520D1CC9AEE7474911A700FE7F24B3C4C4F5193D43686AD4AEA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000323420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:05.275{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Office16\C2R64.dll2023-01-27 11:24:05.275 11241100x8000000000000000323419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:05.260{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll2023-01-27 11:24:05.260 10341000x8000000000000000447877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.586{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.586{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:06.765{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92484AACF3E5465BEF3E74CBDEE6AE6D,SHA256=71491DD5C9665EA527B0CB47D68583D7DD762D0915D8EECE469CC1CF96EC7378,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000323427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.737{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\C2R32.dll2023-01-27 11:24:06.737 11241100x8000000000000000323426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.737{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll2023-01-27 11:24:06.737 23542300x8000000000000000447885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:06.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93C33EAE773160823B2CCB33861B834,SHA256=DE0CB2C0CD5FA4D510B9845C3AE1C3448F95DAFAE90329F1D5AE9C55A5B2C9F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000323425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.614{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll2023-01-27 11:24:06.614 11241100x8000000000000000323424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.612{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll2023-01-27 11:24:06.612 11241100x8000000000000000323423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-27 11:24:06.393 11241100x8000000000000000323422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:24:06.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-27 11:24:06.393 354300x8000000000000000447884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:04.288{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local57282- 354300x8000000000000000447883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:03.941{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:06.472{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B80-63D3-0100-00000000BC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000447881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:06.472{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:06.378{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:06.363{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-math-l1-1-0.dllMD5=877C5FF146078466FF4370F3C0F02100,SHA256=9B05A43FDC185497E8C2CEA3C6B9EB0D74327BD70913A298A6E8AF64514190E8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.997{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-locale-l1-1-0.dllMD5=0D50A16C2B3EC10B4D4E80FFEB0C1074,SHA256=FAB41A942F623590402E4150A29D0F6F918EE096DBA1E8B320ADE3EC286C7475,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.995{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-heap-l1-1-0.dllMD5=5D409D47F9AEBD6015F7C71D526028C3,SHA256=7050043B0362C928AA63DD7800E5B123C775425EBA21A5C57CBC052EBC1B0BA2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-filesystem-l1-1-0.dllMD5=D76F73BE5B6A2B5E2FA47BC39ECCDFE5,SHA256=6C86E40C956EB6A77313FA8DD9C46579C5421FA890043F724C004A66796D37A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-environment-l1-1-0.dllMD5=FE93C3825A95B48C27775664DC54CAE4,SHA256=C4ED8F65C5A0DBF325482A69AB9F8CBD8C97D6120B87CE90AC4CBA54AC7D377A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-convert-l1-1-0.dllMD5=AFC20D2EF1F6042F34006D01BFE82777,SHA256=CD5256B2FB46DEAA440950E4A68466B2B0FF61F28888383094182561738D10A9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-conio-l1-1-0.dllMD5=E3D0F4E97F07033C1FEAF72362BBB367,SHA256=3067981026FAD83882F211BFE32210CE17F89C6A15916C13E62069E00D5A19E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-xstate-l2-1-0.dllMD5=42DC903598FF9D2BFB92D3F1F1563A92,SHA256=583BE047AA83CCE2E8950F5F550DABC5F7CB5957860316E3F409BFAFB10B963C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-timezone-l1-1-0.dllMD5=BDD63EA2508C27B43E6D52B10DA16915,SHA256=7D4252AB1B79C5801B58A08CE16EFD3B30D8235733028E5823F3709BD0A98BCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-synch-l1-2-0.dllMD5=B9BC664A451424342A73A8B12918F88D,SHA256=0C5C4DFEA72595FB7AE410F8FA8DA983B53A83CE81AEA144FA20CAB613E641B7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-processthreads-l1-1-1.dllMD5=247061D7C5542286AEDDADE76897F404,SHA256=CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-localization-l1-2-0.dllMD5=6B4F2CA3EFCEB2C21E93F92CDC150A9D,SHA256=B39A515B9E48FC6589703D45E14DCEA2273A02D7FA6F2E1D17985C0228D32564,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l2-1-0.dllMD5=ADB3471F89E47CD93B6854D629906809,SHA256=355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l1-2-0.dllMD5=19DF2B0F78DC3D8C470E836BAE85E1FF,SHA256=BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AuthoredExtensions.16.xmlMD5=4876BF2C894105EF41AA0B6E14775900,SHA256=6F3AF2639897E6574A09A9CC73F3A58B9E935DA9B91A1403CAB40EC238120CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifestLoc.16.en-us.xmlMD5=6D2648020BF16CAAF42DFED7CEA1BBD8,SHA256=8881FFC1A2439E2FFF086FBCBDC57A1C41972663D3A869478209E30214079F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.965{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.common.16.xmlMD5=A6AAA600ED46714C78E814B8BEEECECB,SHA256=72AA437CDB23E6A01FDB3B8B74F34848559A4E17BF5A829022BC19EEAA1D569E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.939{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xmlMD5=DAB7C49C0BFF1B25499B13E6A8511037,SHA256=2785F65782A9D93B7AA80E671A35995354B8EEE6A5563742F9257E9CC859C1D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xmlMD5=2EDA9861704E93B37F8D3CC092486557,SHA256=369EA571F6C39B8EC1C867DFF5A69233BF250CF638D89CA7B90CD0800C2C4142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xmlMD5=94AB434DAAD90D156E3105CCD44E7A51,SHA256=C41562664E845AE81DA155987E8D889FF3788FF7FBAF2ECA99525398E1A80F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xmlMD5=29BF20F59FAD400307478AAB5EC1AEF0,SHA256=1A38253692B846A86B35325B28A854A1080C68EED12E5647AA429D7327A1F345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xmlMD5=FF2F06D9846F0E175A1BAFE8A4F6B24B,SHA256=578258B3D9E9877E18CA6C1222E43F731DA4F98536DECE2FDA8B6504A274D77C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.926{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xmlMD5=4EEB09B040919A5ED07D4ECB3F7ADF8B,SHA256=1E675EAD95351F596F043FDB374EF70132492EDDE4EF15E3BAF8986B448425AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.926{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xmlMD5=A319322B0DCBB115247903D835B66772,SHA256=6181C20038B78F16F1CA7CB0A638A6EC7C1912B800B1E806F34F9D0B26C58E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xmlMD5=DB618031811FC29AAFC74FF68DA28C6E,SHA256=8FDB48ED019A732BE9A9D571285B7B4B77B52ACAD015DC23D24F0BCD79CFCF2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.924{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xmlMD5=0434F7511B4B6FF97B37586BF56DEAE1,SHA256=923115D55540A3E88DCCEA475CEE1FA0B37996335385349A5AFDEDD7E6A0209E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.916{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xmlMD5=B7734BED7B87C606AD458922758784E4,SHA256=41B13B4AEFE53DDD1D6D092FC53BE9970607F790C55264049CCCEAEAB553D048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xmlMD5=2956B662130A4860934EA5DA038D409A,SHA256=515BDA3FFF3325E22DAC018B72CCC223B8840A4AB2AA2FFAA47CF10F432E5A71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xmlMD5=F163436CBFE062F400E7F72DA7C2FF2A,SHA256=8B113EF8A3F86070B9BCE2E4CFAE4FF0548C0AED781677CEF26999DFB801D22A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.912{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xmlMD5=4CCAD0F6DC8E8E024D5C7FE9827E0949,SHA256=266E3E48AD9FD12F6C3625D7C672F9CB27FD5FBD133AFC51D1CD1A98C1F4520E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.905{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xmlMD5=003A67431ECC1F90BB827691723972A6,SHA256=5B9D9F9D7629831809DC11F23654137DF5FAFF166E571012991FAF981D75C0C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xmlMD5=9C2A51AE2458965F90EFE126A4256690,SHA256=4CB18A34F25D4D4328BE25DA73FC803FD24E1CD1F177FBF8A0DAD165D8ED280D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xmlMD5=2565C40CA9A8A32261A2B65C36230320,SHA256=8F79D671D9DDED97BFD45ABEA0D2067E3AD6ED2566E6153C83BA1F866240BAD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xmlMD5=FB82C675646364F980819BB77C3C6F68,SHA256=26D9E3FF8838450DE97F392812F2C767D2BFF4463A10BFA983A8E9D258396196,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.901{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xmlMD5=84AAF11EE04CF80E14BEE05EBB1829B4,SHA256=B156067D358DCE6701AC7507C40ADA3827574C3AAB3989ADB627CF6057D754B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.898{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xmlMD5=AD46E4702F3A9988B19BA5AEE7807AD3,SHA256=5EFDB56D04A47F3EBE790C9AD1B0F30CA31578951A5BF364570DC7CFF2D10011,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.877{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xmlMD5=D9F2748547E7F8C251D461D5F7AB65B5,SHA256=099FB902B3F73A3E917538C20AD680F09B70076CD99AB1BAEE2DBF30F210EC0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.877{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F4A597CD81DAEAB3BA87333F09CA3F,SHA256=72689942DD5B6094027835A69A3BB4EB511E387B7CE8C3EA7E209B576CE3BD5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xmlMD5=4E71F5A3ADC0DF40B65AB76E0B061C8D,SHA256=3221A1571EB823930A2A0D11DC4E7CC832EDBB380A8E3C35B9967FA9D70E9209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.854{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xmlMD5=6FA61DF2DCAAB90382DD3C973DD640F3,SHA256=F6D756D39E0886CF69A0E733C316A6C271508400FEE78843EFCC4EEE01D58B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xmlMD5=2CF757AE675F5A1115A6ADD115FE687E,SHA256=32689DCCA657DCBA2E27C3F658C16EACDBCA86DDECC392D067055504B5690BB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.846{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xmlMD5=00C8820C60B73FBB48808B0AFD7C02A8,SHA256=9D50661CBD59D8B65802892E7DF237D0D2B2D6AA5D45CEFD25A82B7673842670,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.845{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xmlMD5=841404F8E6C158F8C5682411AE5E87D6,SHA256=6A8BCDE887799D48293057475C8AB6306179CF46CFCEB427BBB4BA50C5B015B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xmlMD5=91BAEDBF45C82282B892F6932E849590,SHA256=73058FC9BBFD52FB629C07A9C165B19B804E8CA10FAE7B97655CD0989077F72A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.834{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xmlMD5=5192489EFDA4A7939DE6E37886F7737F,SHA256=60DC1A18A2EDC8871B23CBDB5F0410280B9987AE8FA12F7AD8EAE5165BE9561C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.820{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xmlMD5=03F1D529F044CF78CABC4DDC905C6035,SHA256=5BF7792454A2B5D98B89F538EB00C8A733780EB7BBDA82FAF79592AD7867357E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.819{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xmlMD5=4852711279B9E198A076CA69A7DAF2D3,SHA256=5A5ECA8077D1D29440C2E4A5E7259D7E8D7508CF147687D8F0B008F64E385EB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.083{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52694-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.083{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52694-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.066{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52693-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:05.066{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52693-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000447886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:07.468{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE91A9B70022C2895779D39D291E2D20,SHA256=507A695DC503868388B65E0A77D2846803D805FAB59D1F8B605ED3ECD14588E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:08.019{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9AC49B98A49376F62A3BDB5EB1286C,SHA256=3BD79EB5EF6B27FFDAE663D6AEADCE5C1B0AF7F7C379B3AD92505C7B1DC828B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151067.WMFMD5=62B7C9D25E9B4D3B5A3DD60CCEDA239F,SHA256=5FD8819AB41E8ED3676A6A5B02549F447F8F39D255812984770B2CCB9E18CEFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151063.WMFMD5=F94BB02392C9C939463328D8CF45FEB2,SHA256=D0E150C42D751809D05BDDC91B9E3B9287E6E7898C8C485FE106134CD55EDB90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151061.WMFMD5=121F6490E062B1E86BD4C9ECE5D92200,SHA256=50F5CF7DA0CE58F37A3F263BA6EE933985D1A5EB489AC0B97938728ACD690020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151055.WMFMD5=AE710368F97C6FD66240E6F5A7CF346B,SHA256=AE06F8243DE414B4CDF56AB3D468A9334D5D79074666A9ED686F684252724025,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151047.WMFMD5=912308C3A4002C3C2014C2F56D05ADA5,SHA256=40941B9A78F403C204E9C1E299329AF7DBDB16E0ADFE8A8E3335E97388174606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151045.WMFMD5=FF8DB1D3EF3ADCC70D81CB5AAF8303E5,SHA256=F337752B160F38F8D9552B9996CDB7A3C217DA975D9738710130D33286864922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151041.WMFMD5=914B229F1CAA0020010D0CBEEE636B0F,SHA256=019E01137DDC7A1E59659E41EC9EC3E4A2D47F6208EA61C157DA629AB206A290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0150861.WMFMD5=5F4118DBDBA1821ABF618207E1D91722,SHA256=599C335B3DDC04EFA96DBED2452304AB41F16979E09E97C728A92F132CC066F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0150150.WMFMD5=9E468A49DF081866D5F5609CBF8E652A,SHA256=C1DCA03CF7A8A90F9BF43CA160B2C0E3A708014EAF188B00F18EE79D69B0AD4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0149118.JPGMD5=E2D4E57176F5A0B7BD65198D5A2703AE,SHA256=EC037BDAAA860F96C8CB5E0B7BDEE629F3035D29715B380592828B9AADCDB49A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0149018.JPGMD5=39DE0B970C66D5D5873F1D92DFC45303,SHA256=FAE1CAFC9BD8B5D3322D069E1ADEA6A60EF1F7B9561BE98B02FB20BB3B3598ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.981{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0148798.JPGMD5=576424F8A3B169660825AD9D0BF54874,SHA256=A66D1A667097DA70D1C16CAD3714097057389753E68DA3990937EE66575056D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.979{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0148757.JPGMD5=4983569052310E858F87F050D6989F1D,SHA256=6E39F33FB29EB4494E2450BF79256C693CD1B0E9B9B2ADACBB612C2665454BDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.976{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0148309.JPGMD5=D78C28D364EBF14EC7AC59FC889611B9,SHA256=7A5559B132543608783789421CF532D4ECF1C50B8F93171F9123D1AC08EBE783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.974{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0146142.JPGMD5=4F0B544A16767212A0BC092EEFC71D68,SHA256=13B5A98C0A177F59D94513AA29F0D9F195C5D9B97106F383B915AB8B179B7954,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.972{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145904.JPGMD5=B9CDA8F7DCECD06829999223178E888F,SHA256=7EAF24B293849DCAC502AEDE4D11031EE3D261D15108EE7681F0014E42A76B8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.971{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145895.JPGMD5=D8FB0C3E52FC8ABC07D92869315A1C96,SHA256=4C53C3B52A160380564A892557DF3BE8DC35E58E00E0E5DCAAB856F2666C667C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145879.JPGMD5=C736386E2DE22409764E6C8BDFF42598,SHA256=9FB6D8D98E7399511F3EDD4B7609076345DF8ED67A1B1BC4EF3E9EF5D2EFF891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145810.JPGMD5=1D6C738DF79B6E138005712E59C91B69,SHA256=248D3064DB5599FA9B6FCE515CE2F7CEC4B067875D6F5CB5AB3D1713DCBC64AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145707.JPGMD5=C57E8E779CADBE7EF05016F7D0AE1EA5,SHA256=831AAA6D335F9B60ACD69D14C6926A2B0052C771D27E5A06B83D366639F8F824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.964{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145669.JPGMD5=21F7AC57587E01C238491E4018D6D95A,SHA256=B95B4A759F7643D60448E42AA3030D55483D3E36A024E090290A03C88EE2F982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.963{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145373.JPGMD5=BD3E0A84DEE16BEFE59B284C06ED809C,SHA256=AA18B693F1036F1E949AF7FA6633007EC0FAC1F41B39FC3F3EBAE86EA178DD97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145361.JPGMD5=635C7388039D85D21472E1B722A0804B,SHA256=BD8CFEBB0A123D8E4AC65286B5BFE1E109348F23BDFE591EC7DA9D0D27A2BEA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145272.JPGMD5=D4651290F3C10101F5D0AAB4107C59CF,SHA256=2639F9199E85B2826664C1AC73F1F9396A33566D561FF71DCEC4918BF8B673B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145212.JPGMD5=7309E1C4E64FBFF3644FACC50235AFEF,SHA256=E66090839BFFCA5C6A41AB2EE2640A8403BA22D5EA5E1801245029E05403F1CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.956{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0145168.JPGMD5=F7CB23AB4FB811A05DAC70F33F24865A,SHA256=6B5BD05C1F89EA56520F146A1D71F25517A3FBA28452231F5822C480607EAD86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0144773.JPGMD5=E110C8258C3F6D5A9B71C145E96450CB,SHA256=8C806BCF7EC92B5E61B195AF7064AC491D9939BFA4F4E0B7A277E9ED53CFEED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0136865.WMFMD5=944A919741C2850598E914E4C449A550,SHA256=DF1796D8FD8DAD61F83701BDD6DF0C34A28AF4C52F4D41262EB0EFFEAF48EE90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107750.WMFMD5=7718E46E7638AB1C3491DB5436A8621E,SHA256=E342137CA4875030413C9B2EA4F1E26BAC03935516B4234C7684480532ED064F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107748.WMFMD5=51909D91C9CA7CD7107EFB4B7702007F,SHA256=597BE7C78D434E21238C048948C495B7245439E4EDCFA94EEEEADB842F44A4A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.950{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107746.WMFMD5=2A6A18941C9503B11C7F7F1D98AFDF81,SHA256=6279D6316EE878208BE89D659F782EAE5730C8F8F2B3B9BCE32B34649583AEED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.949{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107744.WMFMD5=F0E69CD59D38D13F7C980679D2FDD647,SHA256=A43A6E0A987673209F158E090068189BFDB38CDE49244FBF55C4ABB492D0DFF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.947{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107742.WMFMD5=8B2AAF56F1ED91A682FF3BB05D8CD14D,SHA256=1B07CAF09CFC4589701FDA2AA87EDB5858C03C553346E84066C8D9C27898AEBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.947{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107734.WMFMD5=B12BA7D9CE663AD086610B3D262D6023,SHA256=6F0F252B740FD9110195C14E9ECF9A0E69C8E3E4385E6D4869F6C9C1A47F5430,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107730.WMFMD5=943775CA018342BB28868E6D6D037A7D,SHA256=5B237457B8E49AC8DC19CD14F1FA801614367832AFA45EE34E1223B0BE34DABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107728.WMFMD5=819626ADB33AF8BE184A2E53FE704EB5,SHA256=8819CA9909774F8B463C4E7C1D501ED498E37293B4735D3AA50CE8FA8BAB0390,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107724.WMFMD5=DEE8311D355AB4937163A996B3C28407,SHA256=834BB2553C353A37C5A2DF9EE174722924872F86D42685D3CDF63C7F2F04AF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.942{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107722.WMFMD5=00F974391410A8AD9CEC9FA481E3467B,SHA256=29537AC4E026FF3BB0BC5549C53EA42BDEE8149D946FAAD6BB593C2522C6CBB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107718.WMFMD5=C22612744F3008A71CD4342E35318390,SHA256=DE8645CB5C1BF82CCDAD34AAB593348AA73EFCFB84019D46E154B79FD021CB4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107712.WMFMD5=366205E100472ABC6C25A37B9D10D3BF,SHA256=7FE04D1FA5159DC4BCC5E9096414BBD9E379571F97C26A7DB1ADA254D6B68A29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.940{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107708.WMFMD5=08EE515815E8E98CBAA45735111B5127,SHA256=3CD46E00148E795889F9D57E493B92A567CF6F06DAA34C31401B93961F02FC19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107658.WMFMD5=8EC01AFA42AB29047BF12103776FDC1E,SHA256=47EE227352D9AF2BD19CDB81CEE5165012DFDFB2A15A0957ECBBE4A5AF7CC7F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107544.WMFMD5=C34CC6CE76E446CA00CCAEB23C72FB90,SHA256=D286BFD10FD8F50E50F4E622677646D25D9B3DD0F4F213A71694F1109893BDA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107528.WMFMD5=57741D53439E7F0F40A5BC3D9448E68B,SHA256=4A499A4420332B6E8BD26D29889A995E00B9D2BD4DE843ED0977C131DC3D61BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107526.WMFMD5=B45F0F600D9B58FBF79DE0B3BD428694,SHA256=B803415C94B1D86879E082641F8348CFD836E8229760FE9759A0EBB3926D58D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.934{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107516.WMFMD5=5D05874D64775301E36E9871985E62D5,SHA256=1BFF31C05CB2D963B81C06A77F167B1DE51E0F7D0D62C43DD055EA4BF59A0955,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.933{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107514.WMFMD5=9AEB86E0751AEB920E305609A4F2590F,SHA256=33EE907D02DB71DB8A2810B0FF0AB6D0973CD00C214115A3F021E89BE9340A4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.932{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107512.WMFMD5=7ABF18E3DA829D7665366CF1178A7842,SHA256=549B85D7C71423653B907C2E05B5B09DB6CDDE0B38FBD8204C6B2665EDC5F236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107502.WMFMD5=364640992C3985078B3BB33BC7E73A54,SHA256=7CD0B11090616AFDE8612E87B3BDA0FF4A7F3E587E183BC26A027D51131454B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107500.WMFMD5=611B524C8ECA65B651DE57372ED3F020,SHA256=3189415AE1EBF74DEF913D35EB509C6D096901F77248504540854EBF5F07ACEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.929{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107496.WMFMD5=C2C95E46C58AFE035330BC060367AE5E,SHA256=A658FC64D16B2DD30B1D998EBC6A52162F8DF3E1F8B1A0BD6DADAA324D939F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.926{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107494.WMFMD5=F6A7D6B2FFA4FA65F025BF1FE935C4C1,SHA256=A0DEF73986D8375981517A885A6362B96C8F3A3AC9FA9A7284FA494BA2977AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107492.WMFMD5=A91355E087BAA1D8B192D13C67CD9E00,SHA256=3AD06ECBF1396936D0E722F49FE16DD49709AF131DD08B53F442EDE3124D2E22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107490.WMFMD5=EEDBD471F076F06C758A9B9AD3D6AA21,SHA256=3C219F0D0E27C87650024F73BE99BAE4A03D4D22C1D46989BF7ED71BD5EB732C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107488.WMFMD5=7AA7CA12AD3E5B81C8E23EAC0240ECA6,SHA256=20147ED9A011CEF852F34F03ABCE09E66C4280A39EC450BE0BE54F8E83E50D5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107484.WMFMD5=5493FCFC07BCD6C9B6CBB8E69B4BF815,SHA256=510FAADC1A27B2406B6BA1A95A72000F3042EB334A4E3FF27EF85BE2475ED3F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107482.WMFMD5=1AD7CEB062BE8D3C514C7C50DB9E1F9A,SHA256=14D57FD09BD59BEF6278D9EDC9945E5E472BB7D6B03EB71617BEB5BFC39BF44B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107480.WMFMD5=FB4DC96DD72ED9F4EB2943C545697A60,SHA256=22CEA334C10AB880A7FD3A7866EBC9230B8C878B258B10C3CF8CF862553326D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107468.WMFMD5=D3DFD3C575BE9E56DFDE31BCABFAE58B,SHA256=D858ADB263629BC9359308D00CF5371496B2EBAE34873AA8C18C8E2C5FE9FBDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.918{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107458.WMFMD5=DBB87736AC526077161B495A50811024,SHA256=DC81D35CD59172924ED5266604FCA9514D97A49D27F74B0F26BA479820299194,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.917{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107456.WMFMD5=38DEE77861C05A84D6DCA078F3B5CAD3,SHA256=A0E03AB955F68425EACDCD7D8F506657044694ECC2E4BAC4278077D0F158DF70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.917{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107452.WMFMD5=1BBE451120213E9AB17015F51E0D51DC,SHA256=1D9220FD74E62A59690E7C9735BAEC519B245406788AAEE8A03D2014E32C79B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107450.WMFMD5=7D190466EA5675C118746FD5E5603954,SHA256=20CDE6BC38A8AFF5500D6B94E407D19D8A0AC308FBFCCEBE5A4D69AD95D8C9C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107446.WMFMD5=0049331B678C2C117C707BCB881ACCF2,SHA256=B4C43BEE779FAD570898415AB61B94805F6C00F98BB4A24DAA39C0917ABD5495,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107426.WMFMD5=318A83433540BBF81264371CB51F12F4,SHA256=0A3CA95E82551E68C2C4BF011AEB9852452BCC978D89843CFEE6110F9DEF7751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.912{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107364.WMFMD5=4CA455BD6D13A7FB2E025813DF3D9DF1,SHA256=33460C2FA73F0BEDCB9D560B8D099CCE0511399E5B61A5379753F189DDE00949,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107358.WMFMD5=3B1D212906AB1C51EB5C7A131EF91B41,SHA256=831E2EF30A6E620C85283CD20305BC445D3CD4EECF9BD7489BA2D401FC1FA9F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.910{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107350.WMFMD5=B30B4CAE9D5CC7C9EE8943D987E6037C,SHA256=F38D4F6D5A3CCDEB8A5840308432E6FF815A33FE5897E90B87F147100DDB39FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.909{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107344.WMFMD5=77C43E201603BC030A944BD6FCC42B21,SHA256=746132F6A4D334C745AE3DE80E0BB40700D0D0CD30F6FD9116A01A22BFE8FD0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.908{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107342.WMFMD5=B01BEAD21B7E20F8D10425E5AC994C67,SHA256=2232774657214802A545B42440A346F49918D8F30EE750E76AE4474478731AA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107328.WMFMD5=2593353C75AF6848DE8617ED1EEC992F,SHA256=8669572A1DF74737A59DDC90DEE7C17065D5828819F5B84AEA9184906088C691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107316.WMFMD5=8F481576CAB51EAB9E0B403E0D6C8B2B,SHA256=9C4A8C1B6EB6BD35131C1356AD5D86845A98E4C8D98EBFD94E6A62F03352D777,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107314.WMFMD5=73F1A5C5D982E8EE2C74A64DBC41FBED,SHA256=D6CDFFEE68858179383E2EDABCF721F35CE1E33F3684E6E1B6FBBE42AE6C2FB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107308.WMFMD5=041F9284A3F9BF1427FF0EF8EF762DB2,SHA256=0750A9531F5B78955AD649A9270746D2C4FBE038271C586199842DE8AC82E67E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107302.WMFMD5=FA00557D51586714D7CF453C3A352ECC,SHA256=5E7C9564023044425A45100B61C767C7F9C4BF82AFF5E7DF53EA541356EE223B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107300.WMFMD5=1B68B373C07352AD7CEDA5C419E9E076,SHA256=13E80C7A17A285B7824EB5F522FF701735E51F5020D14AF07AD15AAD62EA7A12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107290.WMFMD5=E52B3EF5263BA323CD19F35DDEC7353C,SHA256=84FB66F62085A4D0FAF4EECA796C681A0E596FCB8171864C27883C804539834B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107288.WMFMD5=BD4ECA4AB9BD290854238034731A1BDE,SHA256=8F00960F90DF59F5F16F6EDF5CD78237EA102DAECC1514E7526CC6428576C241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107282.WMFMD5=6DAE07F8CA485D215572DC61255D1174,SHA256=835938D00F054D1ABC2F26F66FC4DF95423B80C68012F1304A2B2C1247EE1C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.898{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107280.WMFMD5=D094762BAEF1E379F29C9A62D233D1CB,SHA256=C69132474C2C0C0C4DDDA5969206B2FADFBB66E87F6401829CA993D31D82B83E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.897{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B54AB3420D120E6591BCABAA3D23CF,SHA256=B86B44A20A4BAC7F819881F6F0F56A7598832A7218A7E6A879D448DDD2BF99A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107266.WMFMD5=F225EEB3067F0617570A69BA1EE47FCC,SHA256=37712DC05421442BA1ACCACA2F9C2C9AECC3F1F12A7F97292F0B9A8E70B673F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.895{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107264.WMFMD5=F2B77777301AFE4E26DA77F492935337,SHA256=829A02CC6D9A93F5A0BBD146A8F7A7CD22978DBEC0C226BC5A056A6358A8D74F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.894{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107262.WMFMD5=D94A0C98EA2C4EFDCC6EE7F61146B821,SHA256=3B1F10F6F4707EBB6F88013DA0456774766E83ABC70E06B869685FD59E0CE5CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.893{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107258.WMFMD5=06D78413B1F2D78F5E3791804132AE1C,SHA256=CDD5040B84E3D3292442E36B5248C20F97DF33F88C42F020E0B67F2D697A6F36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.892{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107254.WMFMD5=17679B587243322A5438116493551B4C,SHA256=839444B8A0F2D71C3BAFA59776894C987D9E8404C0B52CEF65CD3F86ED35FF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.890{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107192.WMFMD5=35245B106CB92CFD66AFE08AC2DA1E77,SHA256=392F4C2DFFC09E93150734BDB21C769B88FCC4060272D1B825D7033B2855BD9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.886{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107188.WMFMD5=1ACF0D5CB16037E046BFF2114BE41B43,SHA256=A45E360DF53799CD3B0224E4E448B176CF97447FDF8998CF9539C8139181B557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.885{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107182.WMFMD5=D1A3501D02DFA12E0EE188510CB18303,SHA256=BD78457FE4253F11731E04546FF152FB40F72A0B5BD87F77707C98B240A3DCE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107158.WMFMD5=E7FCF3CD2341BA1EE121E0338D828401,SHA256=D65D5CE2F23BD06ED1D9AFDC9FE0A0D8F415D1E5F14BE216FDBE974B853ADD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.883{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107154.WMFMD5=D83DC9F78B38253CE0E73A8E0A86A65F,SHA256=9476A1F49D1F7DF37B48A0B0C40FC6557A284A4D5835D37240E2B1D7BD0E9C03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.882{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107152.WMFMD5=AC1331EEC5484B7DB4EC5E352E49563A,SHA256=542675FFBC864E779C75FD5CAAAD0B40E4FD3254CBAF212ECF8C8A8048B7FBE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.881{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107150.WMFMD5=2992CBF5817D5391553AB1FEF43E4912,SHA256=C454D4EBC9F6F79A38D71D182600B0A20A9125F479707773F193A2ADC279F82D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107148.WMFMD5=CAFD94202BFD3A667DEE639A30698C38,SHA256=1E87F8318C4DCDFE68E0D029F5F9E170877175E76707CE2614E985E6F10C0273,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107146.WMFMD5=83673DE26BF4172F86A6FB0890C37F2A,SHA256=84A734E306FAF290DF94B91C796EBFD0139A21BFA89F61B0F6804F34970B991C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.875{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107138.WMFMD5=6BF8389BEFBDEC0C03E66EB756DEDB33,SHA256=85F8B3C4F1607D856BDA9A1CB1BF865A260704441A630DDDA91ADA4CA05B0BEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107134.WMFMD5=A2E03F1BD23B96CD7B26B0BC22B46B48,SHA256=82D4BC4008E5A2D49284D61FDA2580794C781ED7E3ECCD92BF28AFCC4A9B9058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107132.WMFMD5=356C043D204FF7D1E08099061535B6BF,SHA256=54A4260A5413DCEF1554173A7202D8C0FD6506B42713381DD018D5A1E830B883,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.870{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107130.WMFMD5=988CDA7140299372FEA7BB8E3D7CF43E,SHA256=92EA912359B4A07EB342E85D6F40393E4F8E6837CCBDA3196EB812C1A5EDE687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107090.WMFMD5=5BC07D3228DC622E76C70F5017722224,SHA256=1EF3DB9939BE5A270B1826544502C4D6FBE2A7E3415C1580EFAD1EFB6687C36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107042.WMFMD5=7DEACE4E95A43FDE57408B22B43F5E4E,SHA256=6EBBF393AFA4CD94A85F56298DBD4552B695ACEA6FCDBC62F82F68E208EA4563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.866{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107026.WMFMD5=F366BF52755CB76DAF93FDE082F0F0E8,SHA256=179D89682FCC2823237232DA2529EF53F1294D43A5E8D78E41E741EDFD244404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0107024.WMFMD5=CE7DB2DC022D2FD2FB6D3723CAF9858A,SHA256=A5EFDAA63E1BBAE94AA850B9006A4771AC34A47D9D7E7087FD09319815C71ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.864{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106958.WMFMD5=9CDB1D1C4CB6A6DB454F4AC30B4A63E0,SHA256=94D8E49F7C4C0DEC64C14B6FA4369D58B177EA030D7BAF7FA87AC2E543203FC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.863{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106816.WMFMD5=C9499523E37530DAA8C8712A43123180,SHA256=D9151DABBC528DA69807C83CE2D9FF3EE5ECA0710F34706F7C98F28BE27251DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.862{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106572.WMFMD5=578925099E09C5B35CC8BEE509A53852,SHA256=74D010E2BA2963AB521CFDFADCAB7673622CB4E772550E8BE4A1C0C2BE1DA1E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106222.WMFMD5=054F32AC8EFA5945695F755E0E01CB09,SHA256=13106A255856C81B0C3AD7F7D8E18614860D813083660557A4E1303117081695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106208.WMFMD5=AB2B9BE252CE5F4F9122937A5796384B,SHA256=66BC0CDE2F1064B73953C39F2B6032EA06769845FBDF561301EECE326E3FE1E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106146.WMFMD5=497C90AB3F1833B5EECC47CC282C05C3,SHA256=C9C636B7D336C41E264D75498CB10D2E0F7C99ABB90C30491FAF6E5949884FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106124.WMFMD5=87CED83CFE30978738A07FC0F210824C,SHA256=B5D066CD1FF035A196611006CC2D4C2DCC639E4C2B9067335ED8F318914E5E89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.856{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0106020.WMFMD5=3F3A61B3CC0CDCF2BFBD1DB085F1E901,SHA256=9BD06E0678F80027B9DCFAD6862D597328B2A0F6DE042406382AE682ACCCCC66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.855{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105974.WMFMD5=9DF07C0FF0C02B9D40917F93903C4BDB,SHA256=A6E1C9B47320488AC544EEEC830CA4445E59A7611226CF8B2FF522F911D31EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.854{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105912.WMFMD5=5C0CC3C0AC66C3CF4CF3F86E190067B6,SHA256=7923E9EFB490C182F4100AD0A5273A1F346A60127CABDEE8F863DACBD06BB53B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105846.WMFMD5=BB8CD0D3ADCDF6B8F9F2BC849E8E0DF9,SHA256=A3458FCC0FA035B539D88F456A6A8A28C9390C8565A0E96C886E43847B642EC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.852{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105710.WMFMD5=45F12CAFD879C17BE18256E150F08417,SHA256=67260535E310FF32BA935D3313EBDB6293FADAA38AA4BACDE72E590D752A6711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105638.WMFMD5=0DAEF4C4F141344A3528BD582CB3F4D4,SHA256=FBF503B811AD1E2D3A0CBE039E18E193DFFF0B5094FBA135306814AC4ACD3D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.850{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105600.WMFMD5=C7C6BCCE332D4B57E031EC6B6B772F0D,SHA256=92EBDDE2887D7589BF1285AE76B3BC7314B10A2C0DC499F2DD4B1052D877A900,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105588.WMFMD5=8BB300CF21CD95146916EB45FA967A3B,SHA256=63D275FE5D5D1AEEE3D61662C489438F7D61E497B572FD6C407DF1E204F9502E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.847{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105530.WMFMD5=00E1AD007BB2C31C4318D2756FAAFC7B,SHA256=81D050AF99C7949AD181708B6FB31E24BD55E4FD8F31BF2F83C7B95F54FEEC5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.846{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105526.WMFMD5=36B19501DA5BE786CEC262EB5D07D9D3,SHA256=5166D94E5F3DACF703031E4E02478775BDDB817F9AD30CA0A03763EE819A21C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.845{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105520.WMFMD5=41FCF5A113BB5366A89270128A07D144,SHA256=E8B7F0E849134B38A4BB949682DDA7D427A5687B9DB21403DDC5FDB065BD7C27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105506.WMFMD5=507E8D3B91579751D96AB2BA4E49E978,SHA256=CBB6D15105E730FA0B686EFC4529362DF3753CE108B650971B3E09EE77E61D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.843{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105504.WMFMD5=C1A8877646FC290D81BDB5B290E73BC1,SHA256=AE7420D5B055ED8BC60AE365107B5A0E900FF5FB7A57F73CBD2EA3CF80D3F6C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105502.WMFMD5=8E378EE3A10A4DA2D0C5A49F22E07145,SHA256=CD65CFD3D4D83A9DAF9B1021CD9B4603BD4312D56AF53FF2DAE74417C5CD5DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105496.WMFMD5=DA8006AAD13BDFE8304446F579FC41EE,SHA256=2B7A193FE69B69A6B26831BD1AF1415690EFF6B5C01106B4A585ED227208CD4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.840{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105490.WMFMD5=EC168C0B19FF733AF7B5AAD07570F20C,SHA256=735354FEF0390124268E020B25A6B626AAA8CDE7EDA5E79F2A97CDAD668AFD6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.839{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105414.WMFMD5=8F2EB8F37F2E05F210ECF645EAB328CB,SHA256=1B5A06B342C49C583A64A100EE47B269672C7F44E98B9693D88EB9C478C8C8EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.838{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105412.WMFMD5=4709D5EA8D981C73BF8C126C4DCC53A3,SHA256=327A1EB2B240B3D1A1D04E845A0EF4970C2B3234F15E9B8C0628DF545401430B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105410.WMFMD5=4FB0FD3E8581B1FE2576D195FEB28BC8,SHA256=53FED022842F0524A0516597FA45E1238D25CC6A0CF491BBEEA2EAFAD32244EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.836{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105398.WMFMD5=472687ACB19666CBF38EC5DDFB918285,SHA256=1B050DDA2D67A9D55C0C1AC73897F2DDC5861BF017A55F1D1C1FDEA42BE2C4B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105396.WMFMD5=084C830EE7330EF503027F967FBC2525,SHA256=29D2E1B9BCED3C63039014B58200B836418C156DCDC868BD8B3D5FF61F7C7788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.834{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105390.WMFMD5=ADF471D7B868F5B0C51B8277069A486C,SHA256=D597C66DDDD84525C80F5B1BC72490B9FC36590927D08ABFA6853E1ABBB8AB98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105388.WMFMD5=0AA34BA8A4B5386BFA38BCEF2AE9EDA5,SHA256=B65645593A47D3F66BE438FAF696D13F5EDCE96B80F3615315028630BC5A244A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.831{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105386.WMFMD5=B8D392C770B3B8AFE9DEF383029FB458,SHA256=E8A3D3B5C3741E36D90589A6F1D36D94B8491EFD6C03BACB89DC1C1A0C1B31C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.830{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105384.WMFMD5=470963083B788679DDCD965D608D33F2,SHA256=2FC19E18044F0306BED067CAFA8C5032A89EE8FA680616F973AE8B8B7B10E0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105380.WMFMD5=60C63521C10CD2548A89D9318AA159FF,SHA256=F1067A8D89599432600153FF385430A189B8832BCC4773F186F5580149E360C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105378.WMFMD5=429750F9992A1254227A4FC45E5ED178,SHA256=18958D2BDBED5F523D02FA49D2F27EB7E1B3770F8E31E99D66C69D58F080BD63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105376.WMFMD5=9FE4717914C3C54BF1A493603730BE57,SHA256=7D70FC6095656580EBB674767F0145BD9B9AB35207CBA05A3520195836AD6CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105368.WMFMD5=A94D1FB017F697AC6419E9F46F08F90F,SHA256=D3E4219BA1F9FAC56B93E50CFAB17C6C3066DCBC0AED4745387DE27D17B5C162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.824{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105360.WMFMD5=65838BD6CE7F43D729A3A6944616321D,SHA256=A8A884387D636CBE0D3E07F47AEBC4F7EF75732757BC2D95616567AF40AA9407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.824{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105348.WMFMD5=CFA5677F0C76D80296FA2E888EF7A028,SHA256=82E0F1747EEE528B4B4A71C7C04782FFA2C2B0078440AE9FEF377D043A75BBA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.823{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105338.WMFMD5=593CCFC7E0E754AC4B370674B39FC90A,SHA256=77C02035EE0F152EA02FBFDD576A938D37219D822BAD59854677A7794DFAB60E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105336.WMFMD5=9B0DB92D6CFA04B5F95624653B559095,SHA256=5E6E2B8BA1FBAC744A7105B4A5B6A951793624820ADF87186DEBDB39A979675D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.821{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105332.WMFMD5=05FB46A24744D28D52481CF38FDBE5C5,SHA256=7BD8A7D3AA0C71AFE319100040B8D9484CD12C17B396F9BB0D308EF8B0B2E8D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.820{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105328.WMFMD5=A0C25AF28719C99B4F53F1E94B74446F,SHA256=75534AFD9EC34D02E766A2DB370D09936E4A56A7576D327D25FBFBFCFF16C60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.819{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105320.WMFMD5=1DBCAF6EC556BB7ACEA0170C096190AF,SHA256=E6EAE6B27F40C72CB26F937937953AF3592F243C2E872E300558D4D1EDB04829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105306.WMFMD5=13A5F66AE7D4F9DF0953F1B0A0CCAA79,SHA256=6BF9FC089AA2C554D001F0EFF7247A9F133A4C574B9EA70B3E2119F4521AE5B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.817{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105298.WMFMD5=622A3706C973A6CF080AE181C600F67A,SHA256=70AE41B34BB27D613C0F803DA2F470B96EE5E353CE20FDC7C727A9FB03C38D87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.816{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105294.WMFMD5=DA844361E239E0A5770D2E37E5A2448F,SHA256=972611FA78DE7515CFEB98ECFE409B48D96B1EE5045707926EB4C2E212922A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.815{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105292.WMFMD5=120967E98FF095A62B10A1D6F7B902A0,SHA256=C01647B5E79F83BA08E9B015209DE5671862CF172DC750A5357BB4853C5981EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.814{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105288.WMFMD5=F963B0BEFDD25AA5EDAEF61EEDB88669,SHA256=3FDC24DA587DB826776BF7A9BE5AB670DDBDB8A7A7EA31919925EDBE6F8A64EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105286.WMFMD5=F423ED2FC09B3D2E337244D3A42F49CD,SHA256=497603F27B9903A31625D6267300AE19D3AE3DF181A366D84D765E8D79C5E257,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.812{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105282.WMFMD5=D5FD5F292CA212CD8533A064CB4FB881,SHA256=FC296118C1D39C3BAA60C9E73886D43A9CC0FC22196345B90F2F58A805D30AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105280.WMFMD5=A05A55A5C88D2627A59184A1E96A4DC6,SHA256=99D06584F75D113A2D970C9320DEEB3A0CB335414C038ECA9B97D6CD40ADEF66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105276.WMFMD5=D6C811D6806433228585024B7A9BB002,SHA256=9B926438B7AF049D31EF5B9404F588AAD942A5FB0D55BE4E2902422FFD479A66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.809{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105272.WMFMD5=F81D30A5287CE6BAA3B26BC7441E1C39,SHA256=CFF43CA24B9B6E7A7EC79DB155FC607108D7819012EEFFC4C5F122FBBCE27FE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.808{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105266.WMFMD5=ACA4222C623138E4E659F03F403314CF,SHA256=7EBF4954F49C30C15BBA53CC706B70DC747947A6D399CB49221C30D48F1D70AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.807{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105250.WMFMD5=93CEBE7AF61FB4FE512C43B281B2FB4E,SHA256=395DB4696C5C287979BC9E0CC3FAFEB2ECC20E93F5E8479F01B7BA8D618A2705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105246.WMFMD5=A0DE85AD71B087B75E7D593ED1CFAD72,SHA256=4C842A41C85FE36C3DDCED2EC3CC1A7C49B8A37CED1A438E8638F72A28D22858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.805{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105244.WMFMD5=AB02F354DBFC959044A53A3D7C755025,SHA256=95CBDDDCB6AB52F877E34C65879F2C3D619250000CCAA7BA77FB732A43FEB8FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.804{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105240.WMFMD5=E444FE3C8C28B819318BB6554B7D4F15,SHA256=51DDA91D6F32A2A35D1354B0AD197F626812ABE2B6F2C3758403CC3DF762B75C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.803{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105238.WMFMD5=AEA4E94E04CE4943D6838A5CEB2EA2EB,SHA256=C03C2671ECD5BC0F60DFA9E3227BDD08D6FBA8E61E60A287FF93806769BBFC7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105234.WMFMD5=D203788E263CFCF8680A7BBCAC861D3F,SHA256=FF2F06F3C9AC0887828D382F9C28044D6DA782B86EE4CFCB5EC3AEA69BF1BC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.801{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105232.WMFMD5=1E833C4B45A26D3D8A83C99676BCF7ED,SHA256=31E67B41D147234192069BBF039D824284097E31871BCB81A29E9899AA9697A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.800{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0105230.WMFMD5=D2204742E7BC7879DF1508D2DCA1CF78,SHA256=C89804FDD62A2008515EFBD34D3F2C59C46C2B6C9090D97B88DDE0ECF18AB4DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.799{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0103850.WMFMD5=0DDD8B7D8E495990878699E670AE0980,SHA256=C6756530608B84B31559B966A4A5A272C51494BA149A1C69742D990475A761BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0103812.WMFMD5=D76616113168AA6B118CD9DE2263C766,SHA256=4FA9F6C33FE41B236E68FC35D5D7952F42A9796FB3C420699D8D84A311A2A514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.796{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0103402.WMFMD5=56DE5E80F8B295189B17397554133543,SHA256=B1710AA27FE6CE1703F35036A0F840CBE5885A60A814E64D69F399CDC1164C44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0103262.WMFMD5=2B8120EC67CEA5278DB1D0F559F7F168,SHA256=EF4B4F54D046B537B60278870BC386869007D76F39D03DA527CFFFDBE389243F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.793{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0103058.WMFMD5=C98B1CD4D0D59608207B55CFC3568902,SHA256=63C6F73F890B8A5C9150169AC4BCE78F6F0DB848895E05309DDA76CBB083123A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.791{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0102984.WMFMD5=4042321CBE21358A171449C480B56501,SHA256=BF9507C52550D48D6333CA629A0466555DEE48E9ACD6DA668A5E101417A481D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.790{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0102762.WMFMD5=E0147252856208E667A0E88CD5D78F6C,SHA256=FA7E0DA3ACED4D60D8DFBC5459231854AC4F037FD885B2EED7511D31D6F462F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0102594.WMFMD5=FD56FFD58A93EC30F8C91A21A9F7EB95,SHA256=942C66DA24895505391FB86E0D591F22AFF2D60367AE8AFD0563925639940C11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0102002.WMFMD5=F7D5C3F699C613C725689DCBF863A773,SHA256=F9149AC580C60508F11AB86C396FFD067F21CEF2DE47BF45C7AB13B244619618,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.786{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101980.WMFMD5=21AB736FD3A8980E9AC3289CECABB3CD,SHA256=6ECDD5CB9C315169C087429CDFAC442BDFEE8431F26C3A1F7585C3C4D4E60AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.785{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101867.BMPMD5=5969BB97758418BC85337E8813A25790,SHA256=9407C653E6574D60859AA595DF06CBA4A252BB3F256293B9D5C038F3E6E86D18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.783{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101866.BMPMD5=ADE36BE922177A374E6F9C0B3796C03A,SHA256=5F839B9FAC49331D3F7007392C3C30ACF90D9E546BB960F4E8F8F39D80D248E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.781{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101865.BMPMD5=478E7ACFE54D464D33913452FDA8100A,SHA256=EAF744F6E89141D1CA6215BBD46265DBB0A904E78165FE373A1C2B979C26A76C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.780{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101864.BMPMD5=967C5ACB8C48860BB927BBC3D59D4BF4,SHA256=1A22FC2BD37BBE4344CC99428D9095E111C70328621036894620EF516B033F27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.777{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101863.BMPMD5=906029909273F696C5AE274C1910654F,SHA256=CF5FE1B9631B6CDE174C57B4A2D9F8E7922916CCED95DA336B1B37B716CABA7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101862.BMPMD5=391DE3BF5FF50FE8BE74E9D5869256D7,SHA256=43836A8E069E998A2963AEB70A9E791798BE3C84F28F97B2CB09977C5C1D7F14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101861.BMPMD5=78990098B71358C48929D92ED0A1218D,SHA256=616CEF9B2B2C82C4D7E20FD8A495BEC6C259072DBB9F845CEF41693043B5387F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101860.BMPMD5=74737E6E2DBD946231CA66A171A793D1,SHA256=6C2671EF15A2F31695B858D2E634C2F1A6BFEB6673A187D2C1498EFEA52FEDD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.770{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101859.BMPMD5=65148E78C17B18569CD15DE69C9E60F2,SHA256=286E6978143774E81A2DB46C945FCBD9CA548DB9F8108A7D35D412AEAD8FE8CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.769{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101858.BMPMD5=72EC91EE27347B9B4D93DC0AF16D54B8,SHA256=AE217780686EA47991C7301D37450A2D6D9C45D1012D605A298EA78300DE91E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.767{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101857.BMPMD5=974953D10663B442D766E90CE8D8CAFA,SHA256=2E77E2F1888BEC48B77BBCE80259A1CF4C5789840835FB57555ACE2C77098FEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.762{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0101856.BMPMD5=C9C4D3013A30D8A44B990664BEF89821,SHA256=49EB09953AA29B7DFF1E3B466B31B68DFF84532ED66143450C51CAF2104A5530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.758{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA69F7F523134CB2D5630096649EC78,SHA256=9EB87BAF1608AE188933594EFEAEFA46593FEB14E4377C90980B45DCF8AB6313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.754{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099205.WMFMD5=89ED7F99A2CB9B2F812ECE8886096D13,SHA256=72742EDA22BABBC079E9AD07511D8BA3FC0D215D6948A01A1850C38169F80021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099204.WMFMD5=162392D7724094C46CB5D29CE47B2A3F,SHA256=0337709628225CAC2E9F10EFC2CDD796A79BE6F075756158D86383C34A978526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099203.GIFMD5=42B8BB781EB1DCC9191EC1C95FA8B454,SHA256=08B2AF562C2527C78E04978F1452AF871D19A9A7E28DD5978654E9733F68DE23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.746{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099202.GIFMD5=1D54B7277F9856AFEA89547A5065B96D,SHA256=8AFB7FCC4E788DBDE3494FF4E1343ACA018283105569BD6A8F0459E2118C89DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.741{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099201.GIFMD5=AF05D4D4911B97D358EA8DACD0A32BC9,SHA256=B119040094E00C99C34166C22963A6E6CBC010B2D517BE935FF779C0E0B03110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099200.GIFMD5=5F397786C72AF73BB07993B1814D56FD,SHA256=A808FE7009EAEAAC800FBF8BBAD568A9C5EA3D25D9775981171DA3663C1BC2C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.730{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099199.GIFMD5=CCB6733B2B37BF04B8B49553C447346E,SHA256=4E8AFF691777B10CA1433F867002FEFC677CF3016CBD3498F437AF71104B2E36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.727{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099198.GIFMD5=DEE57689F8FA76BD1688A67ECA26485B,SHA256=B8635A1EBD59E71C0D3B88A972AD07D4646CAC8025730D4D5E7F125CE625A264,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099197.GIFMD5=5A2C5F32985171CE1F5B5068B9044F03,SHA256=E6EFDA472AF8678BBCA3AA272650AE1DA89AFF148521B05D73EF1AAE5D6D0384,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099196.GIFMD5=AB2F28FA554F60A685B46980470290CE,SHA256=F7B354D26F093FF4E32A5A41BBFE36E855BAD2C925AEECCC3DE30EBC1599E993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099195.GIFMD5=A882B3860978598A64502FD5E4167D22,SHA256=FBC7BC1F87E4EB95D49337B55AD61B1FA60B3C431C6B564AAABC5DBD0ACDF667,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099194.GIFMD5=A3E75EC499FC10BB64F31AB67EFBD103,SHA256=0A58E226AF4738303DE7335343DD3882E65F720A95548429E26F208B62E0ED73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099193.GIFMD5=F5E8E2020CD6315EC03C45D1A93A2FE3,SHA256=49E82B2521CEDE2041A681929F7EC4004FF15246627C0ED2EAED4B767E9AE1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099192.GIFMD5=3C31ABC4D2FE5B18827F6EFCCE82A1EF,SHA256=1395BADEF1FAA1DBFD44972A6BCBF63A6089F1645E314BAB7A525FC425AE710C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099191.JPGMD5=C98BCA175E1767127C37906DA018863D,SHA256=F59540FBC069F1D7A35470E94C68BB71E294D9293B4DBC9A05DA70A4D762325A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.690{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099190.JPGMD5=409A2534F17BC2267E2BB81462845B75,SHA256=972AECCED97B2BE87950E0E2D5F53CEB2B052E9C0FEB5EC9514277E9B6BA53F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099189.JPGMD5=8EB61C9779A7847AA75D1C966A46DCDB,SHA256=08A82BCE8618EE162135623EAD1B17437136AD10C994FDEB4C72884582B14B9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.687{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099188.JPGMD5=FF028051D2BA65344280F2422A76599A,SHA256=A97EBF9BDAB755E700A14347BBB9641C0BCF4DF7EE63D0889D45C3FD6A6D45D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.686{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099187.JPGMD5=E46A4BEE53AD6465BD1506A904C1DAB7,SHA256=AED37F8BB12227D1E0FAE9C618EE96000735CC16B61F12501C84CCBF48ABB837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099186.JPGMD5=7B1E142606D2F760DDA1B39FEAEF2ED0,SHA256=162836DF23EB6C625AFD0C56C9EB9BE5D98D86007C88A925C6C0759E6E9848C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.684{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D315E1A51507D91E0C961EAA309EAB44,SHA256=DEE78035E1DE90B31185598645634C27A1196863CF4E43A36527BB7D11E7E6C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.684{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099185.JPGMD5=60320A32433143F246B8410C1A15AA3A,SHA256=83791007407BF45170C67562A8978A3319BB8CDE5B0854976528280AFFA51D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.682{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099184.WMFMD5=A2701C3BC3E56606198B56BDBBD8537D,SHA256=6FCA1E4A75EC886D3EE638901B0BD96D41B6C882613DA617A5D7B963D982BA67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.681{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099183.WMFMD5=63CBD573E7A58AB44A9EC343CF831844,SHA256=6FB8959FCAF8B5ED2E75A367E318C44EFC44EF678614ED100E0DDA7A42A3EBC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099182.WMFMD5=10DEE097815F8E78AD0F399AB26F7936,SHA256=6E35C3D5AE9FB62126205E6349409584B06BC4631B47FC2B901D2DAC7ECC088D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099181.WMFMD5=394EEF03D573B19F1EE02D42DF750BFA,SHA256=A8521B2C132087BF2B36E7622CFDC3016B0D7ECE70B39E1730668BE9BBB304F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.676{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099180.WMFMD5=E6A29AF5A3EDA51430AC45AF3F9CADE0,SHA256=32599425F0ABA4FC1BCC2E1E7477A309F6DC31E4758915B4CBF4E0D689872B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.674{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099179.WMFMD5=6CB813931D26AE3C7184A7CC6EFC1E29,SHA256=A0E40A54C341A59662CF0F69D20DCAD4F394740F41E41C260C2D1ADE088DB3C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.674{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099178.WMFMD5=42587AF8C91703B78737D9984732D735,SHA256=94E6A10842A0B843C6FBBE82CD3998F100BBFD5D47870BA810EDE58FBF454CAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099177.WMFMD5=94CE3E7EAE955D9B6D1937A9A60FE243,SHA256=5B676C7CF7A653C558DA75DED8A7C0EC92E7A0DE3B1391FB5EB3D6AA9311AF78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099176.WMFMD5=4ED9B0B1C4081446BC2E336F2C071FA9,SHA256=13F5BD3D4E67AF3AD2B3D0A5C48B19184CB6B3BA6EEC26D50C1098C8E1FDE65A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099175.WMFMD5=5556FB1FA133C42A561CECF9AFFE72F4,SHA256=B38F33B5955F92791FF99F283716019BC7CB140C7F188948F5F410B13DD3BCDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.669{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099174.WMFMD5=5A87197750FC417EDC55FF08A338A8E0,SHA256=15A5E8B580551836AB2536F668E794F91ECE0D25562AA298F1C4A548E01B6180,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.668{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099173.WMFMD5=DC2E00276B20DD5AEEDA69F96094A1AA,SHA256=7A4C95B1AB90EF60B607E724FF5B1E0592812A1D363FEEC122057C0D943D205E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.666{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099172.WMFMD5=028FCE456E9D9F603DD988A44A2CAE57,SHA256=33F61F1287562E6ADBBC58D529AE350BB318031517F53EB5FDB7058A04923796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099171.WMFMD5=6DA040777F26F86178866D9F8A04DFAC,SHA256=661FA26D620E33F9EA0355A127B73CC3AAB7F9DFEE65BE8499A47CBE0890AB9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099170.WMFMD5=800DACAA5B96513ED840BAEBB748C724,SHA256=D05060B0E7B5091EA2FF75CCA1BBF8CDE0D2DBED783DA875AE0DC4B0698E5D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.662{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099169.WMFMD5=190C4BB5BEC915371D2DE705A6B54B25,SHA256=A1B63CB432A5D447C8F33084536851366E7A424C218E4AB93F07DE09E417D6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099168.JPGMD5=731683311B5BE2DB024601B2E185AA49,SHA256=382667AC11D48A880A63EECD7359EFFAA8DC9DDA204BFCF33AB07EDE7411D3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.660{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099167.JPGMD5=8C462AFB795E218F3CD5984E04FE2F04,SHA256=26BCB572BF8CE82DCCFA90F652FC44693BADF90C3A8E6409339C95E650611287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099166.JPGMD5=80DA28EDC3C53FB5B3CEA4D5F0F14E93,SHA256=D41158A4F1378D071AAFF971017B61DF30056BFE90D9D991124D00EA7513CE2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099165.JPGMD5=534728CA45061701D6786F42AD1E8557,SHA256=873087D980676039D8D2F2DE58F1D202CC868E451631AE795365E145421F1346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099164.WMFMD5=2E9DBA38B0A7837A009EC7D3F62B0537,SHA256=F739055B643E1E83F16734FF468009631BC49D46251733788AAE03B05E34FB2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.652{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099163.WMFMD5=F477BF1C3752851BF16600B5437318DA,SHA256=7549BD73B5178EB65F12F09D5CDEFBFF81FD07148E5708B8583D30CBF42F06CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.651{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099162.JPGMD5=352AF77E708AB53E79A1E4D0B68BDB52,SHA256=16AA85AA36E37F8A4C407D620147C0E6D7A8252BF5FF5A9E9EB9EF4E13B8FB15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.649{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099161.JPGMD5=8B1F2F4F69D6D8B5728EA8A9F31665CA,SHA256=BCE8EA0BC7AF4787D225B8FBEB2EC5690C066551D89D9C1317BFC34760CB83D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.647{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099160.JPGMD5=1D0FEA5B3CC0BB000226C193C2C18D30,SHA256=5E8F287D26238B1C2F9D50FA3CD202C3D788A4CFAB75E940975114336023D900,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099159.WMFMD5=A43CE59ED98F2D159924474F463DD585,SHA256=3F4F074C488EEC5A2D968BB3A46B302253BD4B3C0D684CDC43B5B23ECFD5AD12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099158.WMFMD5=54419003F779F6D274AB6083923F019F,SHA256=B8DEDC3CAA967D8730AF09FA1DA29AFF4D50808E819573E8364C80D78B1A93C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099157.JPGMD5=7EC27E52E31BA37833DD01562580A837,SHA256=D689CA774A7DDE6BA8FEA6B976AD08641DAF0BD0330B6447F56ED2277DE27B0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.637{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099156.JPGMD5=F21650ED969A963BC76340E158DE559B,SHA256=B71C1BA71D3C05B166D4EA401FE51CA3D84841C9AC328B945B832DCCCF527937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.636{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099155.JPGMD5=6BA77CCF7D4CD3D2F6979C93A0DAAF90,SHA256=3BC7600F462B823BE4025C6352A7EF889286915D591522959B18F7CF6868B5C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.634{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099154.JPGMD5=F4481858D5B6433EE85383CC89429398,SHA256=7409DA6BC5A71B1A05BFA8B435E466814A443F25E452AC44CBDC2295B52D5280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.633{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099153.WMFMD5=574360E3FB73BF13DFC8F66599911111,SHA256=CC742259761A2BCE5B1B1A1C005E817B06696F2EB15D6BB8FDC4B17129CD6BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099152.JPGMD5=B350D7E37BFE3D050D6FE82C9430C1EC,SHA256=BE9E344744341C4AFB624CB9119E958F62C813648E61A4614C06B6BB1F1CD8DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.631{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099151.WMFMD5=E48FE6ECEEEF045DB564CAFD007A0376,SHA256=2B0F5B140C4FB9BD376047FAA0A0C4EE227AF1875C4C2385F62570D806E9F8FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099150.JPGMD5=12BA6ECBB5EDA27C94FAA20B1264927A,SHA256=54A4B1E50E6FF5B5A3CEAA9D7AC5C54172C8CF63B114A9A9AF198D9D99445E0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.628{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099149.WMFMD5=3971729E3C05C37367CD2A18B43BDA3F,SHA256=AE204FBB46B3184DB3E040761686EBB149C5D6F78C257C048851671F868B9F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.623{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099148.JPGMD5=8CA2B8EC2ABA0864325E9FE22732E4CA,SHA256=C0A8772CD037CAB574324125F1EE7D22269937DD4B5ADE852186135A97FD4E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.622{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099147.JPGMD5=291217B4D93FC85AB48D7440ACD4037B,SHA256=6CCFBC8550A7C939EED2DDD38C5B3F92B5BEA0888A82F068CB75B9F744D89600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.621{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099146.WMFMD5=52C9CF5262714C9BE4857652F0531650,SHA256=3F2A003967E01496CA292330E9C3AD1833B1EA8D5665ACDA9FD74A04DDEAC964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.619{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0099145.JPGMD5=68532E607C4A9694FA85FC0C1E384124,SHA256=BE8843FE4D8BC1B0C09B5FDFF04E4F212BCC4F2FB95F0C6ACA1A9CCB5CDC47CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.618{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0098497.WMFMD5=2E79E8868FFE5D8DEFC5C625325400F8,SHA256=F39628AAD1548FB9C1780A4E4E272F1F248A8162570382952B19B147FB32E4BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.617{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0093905.WMFMD5=6BC0C63F51D573BF1579C82A32FEB208,SHA256=B350D09668898AEE423D29F5AD680518569786B622A62E46DC03DB82D7818190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090783.WMFMD5=0CF80446962C72CD26C8FFB8E31819CE,SHA256=1FBBB6B84F6A4F8255CC541CD4A1B2A55ED567458B4C13D5B6E1A4A0595780A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.614{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090781.WMFMD5=A8A8DD08D8F60B4A0A2619C44A40CF55,SHA256=FE7E99BA0B9D6E5455200539AF5CE69FD78A960D40CD673FB7F2BDDE6ADEDA47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090779.WMFMD5=7C643075969B02656579777359A0E282,SHA256=2E4E952F19E30EE2A4067359959B187E91BBCEF4CD1A485B6F93764E19DEA1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.609{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090777.WMFMD5=5C1AC24D4455FAA950DAFF89621C6018,SHA256=FF991F15EE5D3DD92706E4848FB19B527F532EABD519DF8D92F6FCDF7F6EC45D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.609{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090390.WMFMD5=DEBEAD8934D3CD92000C54C31CAF222C,SHA256=BD180857ECB88B15ECF04A51FA9531D18927DF0E614AE7166753B18CC39C7839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090149.WMFMD5=FB3904AACFD898298E6F7B5F8474C9CA,SHA256=81DDA09593B1FE2CE42F836A4434F322B61BFCEA3A538060008B440238011DA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.604{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090089.WMFMD5=62DF021BA01DA185237CD197CA3FACC9,SHA256=094FB3D7B8651DFC5AB9A92D0701F39C424743429E78E5FC539EB59A1D4D93A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.602{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090087.WMFMD5=34E26DE80B8A08EB760FD87B9A9A5D0B,SHA256=B2B51D06108893E9E6AE0792C08C84B5FB2AC3CC5F245A8FD837C0AAE1AC3A6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0090027.WMFMD5=E86999E9F83ACCD020B25B73BEB986CB,SHA256=CF1C296C7344A20810444636B8919B418149C2BF8532F29CDDF9CCC6ABA9480E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.597{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0089992.WMFMD5=8A8702D4B8A265F691770611E06A5192,SHA256=C3C2D2C1891EAA7DD7104E2CB66F7F9E256F506144CB2B8E2F892E549F586C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0089945.WMFMD5=D0F4FF3B8CF1709B44E940ECF0674D6E,SHA256=9072E65827CC06C0BEF5309CAA4FA688DA7DE6289E21069460D52A8FBD531ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086478.WMFMD5=45CAA592B2801E10727F41C49C0DDEF8,SHA256=F86EFE833F0630B0B1CAE55989C2BA08F13843681AFDD822B130187E69C064B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.590{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086432.WMFMD5=25FB32AC3BB286095F230844445C3E69,SHA256=2BABFD2C1716C162434AF6C147F5B0754CBF98BE110A6CAE531486FE3B3218E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.587{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086428.WMFMD5=2143DF0081E0ADF971CA7EC4154A1EAB,SHA256=3642AEEFB6C01C11AB9CB713EE0B67CFA7967E4B9CD47510ACD55CD21BB7191B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.585{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086426.WMFMD5=EB97B22589C6FDA232FBFA1B85AC1073,SHA256=D6E55EC3CF055B2F9356CCA83B6596A783C1C374E02D134FFD840D8440D30644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.582{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086424.WMFMD5=F2362A659A7F84BC309571D4822BCAE8,SHA256=1E83D9F9B9FAA324D5942C5125A01BEEF57FF9DB0B9BEF22D62717D670AC367A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.582{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086420.WMFMD5=603BBEC007ED7935742F3DA7355CF533,SHA256=6DB82246CD4DF8519A293DC5D18604E8CAB274C36645FCEFD83068512C61CD69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0086384.WMFMD5=C2644A54BB147CC26C65F106590EB766,SHA256=6DBB169AAECBE982B6D0C082F2001127087720BCE3741CF6921DE383021D85C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.577{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0075478.GIFMD5=62A85E60306AA561226FA1EE64FC7C51,SHA256=5BCC9C1106F4BE08F6B1A4D88F64D42FB80E536C65A023B1B084EDB6372D3CC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\INDST_01.MIDMD5=46B9C43766298DE9A91BB7B5C81B09F0,SHA256=7C3D56B1096A83FEFDAB543B15DA8371070CE61849557638281B4B2B07BF23E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.574{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00957_.WMFMD5=6204A2325F6E15136EAED76C5C594499,SHA256=E39454601F30002EB27323CDE6DDE8FB0B9FFB4EC2F95871B21ED5F77AB4277A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.573{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00956_.WMFMD5=5BACBF7DE88981F080A6F93670C9E678,SHA256=B215B973B288999DCBE967692516112708EA5BC37D4257221EF72A10A565DE58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00919_.WMFMD5=8495DDE5F8BF138DE9E9B14D22C4F6F8,SHA256=ECF20A5EBF0049AF922C2D78ED9F5CB0B91C3823F9DCF7201B7C6391F1A9E1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00915_.WMFMD5=72648692F97450FED7ACBCE8F99DE66C,SHA256=4CB7A21868AEAFFDBB36730CCF4A61E428807A2367CFEE4A8135638776D35936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.567{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00557_.WMFMD5=D8A4373004FC89BEFB4125460ACC4849,SHA256=EEB7E25A9DB6A173201DFB8F59CECBA78659A265142B4A9F314CE2755ED90DA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.566{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00351_.WMFMD5=3C6AC9861A4F8EBA74719B607ED90B68,SHA256=E2AF294FB697C62551C98A6FA288DEAB06046E1FFC7C6D6DA7933B94178586C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.565{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00346_.WMFMD5=7FE72DD43AB8BE546364AA689F20CED7,SHA256=D060455879707473EF3D4B59819E8592BE82FCD0EF101D87E54F866F8AC7A9D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.564{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00343_.WMFMD5=9FD1BC4AEC0D3534CDC2FB1AEE642995,SHA256=EFAF51497AA08AF95716669E9880E44A86BF17B42BF081C24A93E206A2BA536B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00233_.WMFMD5=6F155B1C035DAB700BDC1BB0B545C5BB,SHA256=456446217D22299E0F344C72129A867A0B72C86E68DEF46E42444DE4AE6F62C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.562{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00204_.WMFMD5=031548BF33839399BF41A994F7D27E95,SHA256=EF27BA4600346A85C3B57CAB1A37F95FA27EDCFB020BB9E00DAD50F3FB7B935A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.562{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00177_.WMFMD5=FFAA994D6EE02067C68212EA595CEE09,SHA256=FA5C5966CAAF51364AD22DE205ED2BDAA4A5C8C425D96690A80C6E8C1B1F8933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.561{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00118_.WMFMD5=E83EF96DCF491BEDB1A874A5DD0815E7,SHA256=22E7F6F4FA13DD67B461F79A13EAD05FA323B62069A156D46A36A0F8376A3B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\IN00046_.WMFMD5=9000A41E9CF6DA1072B7D4231305AE56,SHA256=80C1940E08EDE2CBFF3462011BA9B774B54EC8D2163F28AFFFF008E57E2035C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.559{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HTECH_01.MIDMD5=3483406B7942AC84D30871364E8BFBC9,SHA256=35EAE2096A24BB21B5084452D0DDF41BAA454F397DFCDB81506BC43D5AB4D1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.558{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HM00426_.WMFMD5=662F3A0358EAC57E5F11AB5C0B94CFD6,SHA256=365E16385B1BA8E9FAF753D5D8E02CD6DEAA693BFF76926F6FA17D14DF40D654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HM00172_.WMFMD5=603F6143EB26506E05EA58472107B970,SHA256=8BE02F2926BFD9A7F54FA2DC8A5EAF28AEE9EAF200A9908F61742ACB566205CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HM00116_.WMFMD5=A08723BE74E6B8C792CA894AA5372CFF,SHA256=C87C3462AFB0109DC75DA4536427100E892BC2279905E86E80452B81948A9A10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HM00114_.WMFMD5=381D07F6ABCA8AE10110A3AEEC506EE1,SHA256=A7D87FBE788CD580A4DE5BE69A84A6F9EEDDE08D4E0C3F5181ED330478D9A268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.553{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HM00005_.WMFMD5=F55F654BDDE6B909780D24AA48D1784B,SHA256=AE6135660312464D59AB1FCB2F380A094D24FEB8601935A64F4C1A77079F1151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02313_.WMFMD5=76B923FDE5FA80F28ABE2BB7396EB5E1,SHA256=995854282F7559386FDC6492173708D63DB480E49CDD677C0303285DD73B69C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.551{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02312_.WMFMD5=46C9AFDC44A8ED5E72BB7FFA3B7DE9E6,SHA256=E37EE32EDA1B5262AFC1D912D4A17E29F1B702614C4C6A319547BEE362A92964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.550{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02298_.WMFMD5=7A8EE9DF73F630875B56D02FF7F42B1A,SHA256=DBF073164AC365070659411C1138C7289E38A82B1BC9D4AC3480907C5327652D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.549{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02282_.WMFMD5=DA8C7EAEAA94CBAC4997AD49B5B13D78,SHA256=D4EC1DC787164A8414C3D1689C0336047899561761DFAC9F303429831C045F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.548{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02166_.WMFMD5=951E5C6E20CC20E5E76AEFEB0BBBE79C,SHA256=D9200E0B4DE870AF9DF703F2F69EF8C136B668F0EB622C094A1CF843C13E1B21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH02155_.WMFMD5=7E1C605B5CD9313FDB47379F5DF3ECD4,SHA256=26D322B56B2E13CF381AF9256CF70197162F08A843A4B1D7D625F05E1BFB2143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.546{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01923_.WMFMD5=92A4332A034DF02DE382E2AC54DDF935,SHA256=7F95C14090B1D5A1A354FEAAEF04EAFD35ED5CB26D69220EB54804E09302988E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A0C619FD45AC116376F314EEB1DE3B,SHA256=D17F265D84A99E308ED0C09A4060CCDBA3CDB4E7008422E94623D94F55BB50A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01875_.WMFMD5=AB48EEF5FBEA6842B51DC20F07BFE220,SHA256=01AA74342629DC184A25D337CD3FF6BD41F302F5BFDF37BB19B277BBBDC5D5A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.543{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01759_.WMFMD5=76F7B4E118CEB4551423B11F829FDCD1,SHA256=65260388597675863D6C24C3EF01F1516308EF319BCBF1872969F6EC80EEB7B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.542{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01618_.WMFMD5=D6BC96E72288B61F7E2CB82A26C432D3,SHA256=508DCD28CD237F346B0B2202011B76BAC187FA5134DA05C6738A33820E3F6EF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.541{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01461_.WMFMD5=563BC702A0EDE3B675AFEFDA7CE678CA,SHA256=D7944585C2F800BA0E9C0C391D2D53B306CB792DE0F710B3ECF385F2D62938E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01329_.WMFMD5=0DADFD5325F0E57E84A506C5E446B613,SHA256=790121DDCC49A8463D472877A1BDEF9FC205107E6634BDA3E8D7F1547588A24A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01291_.WMFMD5=DF7E69214C9294BE5A884952280B87B1,SHA256=F04F41B8D692F9C1CFBCABA4E5BDEBFCF8846BB9DC7A4D09B56A6909707BA519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.538{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01242_.WMFMD5=041348E80E673ED2CD5DBD5953B55F1F,SHA256=E1CC4CBACBBC0825F0329408442C2DFB49D2A55CCD590102D4E2033920A254B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.537{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01080_.WMFMD5=356D68FB5FCD0558BFDF68BAD08F81EB,SHA256=DB88AFC96509077DC77E39BB909F357E55F98E7EB3DB5B8ADF10CC45D84D33E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01065_.WMFMD5=11119F06A646959ACCF46F2B6F159509,SHA256=07DA086AA209F92A803DCF713A5681F3376E97CF6D9460A1050AD76DB54A4D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.535{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01058_.WMFMD5=635842DC5850A236093AC2DCB76C6960,SHA256=B7B6E27774612114FE394D23B6C2254D8C94F047B483FE631D187519B6E2ADDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.534{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01015_.WMFMD5=2F7666BC57A2647F0793F880264024DB,SHA256=C2EFB61E65E4298CC30EB5A8DC452D92978AFF3B91C68E6E12DC53610F90FAB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.533{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH01013_.WMFMD5=805BBBEFC12D6BD104491359EE634F44,SHA256=19081CDE246CDFB70736D8E47A58EE4756817055E90BF52306128B6BD70C34FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00693_.WMFMD5=C9864091EF3934C0293075A39756CA9A,SHA256=02E1616952D7A94E45EC1B00480F7F44041EC8314BF7D2927328E14FB30DD697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.531{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00688_.WMFMD5=8BE95DAADB68DA6584213F9D59074DFB,SHA256=BB761A0A9895CA3963B8C3EAB5CFAFFF5EA0B6DBFE1FE7D7233EA97CE9054371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.530{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00687_.WMFMD5=ACFA9AC5D919D1DC85A06CFE17EA95B5,SHA256=8ECCEBA07CC3DD0371CFFB1026E9ACFCAFC1ED4FFC4EC5B6C665060EDC654548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00685_.WMFMD5=23575EE603E7D8CD2FCAFDDA306BB651,SHA256=BBD8EA8C01A57CE01CF3254ACE3F87D8F46E5FB2E0973FE66955AB29293A72D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00681_.WMFMD5=1967B5957C45F16EB1572199AF8A462C,SHA256=DF10E0B1F88A206F21679A69ED71BC546B8982DDDC7EE02A611AECEF231600C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.527{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00669_.WMFMD5=4DEF28B764B9988A4A7AB3CCB75C8F3E,SHA256=1B7405F53D88619CF4974C80AD70EE2DF65D52341C62802FDD34E1455C74272C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.526{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00636_.WMFMD5=10D696C712605657C7506812432AF542,SHA256=594232BC077CE06DE8E2A3D9A2F2C29A75A6AEB601E4FB747BDE209FF0BA82FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00625_.WMFMD5=F11D7FEEB3FE068561B1B10B7F31A627,SHA256=4043FFAFEA8AED993D26A2ED294241AE20259519E8FAFAA4059BFD7718E93A28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00623_.WMFMD5=059EA2875212F254AAFF902810BB6187,SHA256=7214995F65FF42CF3BB69FEF8F23707448CB602B54A8C190FE20493CFAD41347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.523{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00612_.WMFMD5=DA3F0BFA7E82E801F494AB8ADF098515,SHA256=CB19926736540EB4DE8229C165FEFC998FAF5507AB3076CE6DC72DB09A5ADC5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.522{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00602_.WMFMD5=1896BA6253E83280FA1A72733891FA2E,SHA256=0FCBE303AF5494870A84C9BC26048E25E5613D0F169D127CF7E7E9EEFBDA77A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00601_.WMFMD5=2944962137128696927FCFAAD0A905B2,SHA256=5FA66E6B3DE7E6064FCA9F399B60282316DFAE273496345042A99892641AFD20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.520{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00546_.WMFMD5=B5A7198B713FDF0064007E3F3D811BF5,SHA256=F4C08392F821394D01F0B491803A6AE7D5C8062FBEFF0F3F480694F2E876EA6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.519{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00527_.WMFMD5=3E5252AE5BBB7E51076D21176526CEEA,SHA256=26233B868C5F6E7CEC85E303118D6735EC9B40830D1A1B2DB57218CEBE8CD537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.518{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00526_.WMFMD5=0C78E787EFB858601F1566D010660BB0,SHA256=A5FC79DC2E6E69CA74D8D0B030425F932DDAA531B1FF2B54778D442383BFAF1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.517{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00524_.WMFMD5=B500BB4EDD7E951784DBFB91F8BECDE2,SHA256=FE50311C36F2B5B3FE9B9B6022FC69F68BCA3252431C6001B798261CB4E539CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.515{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00513_.WMFMD5=D2A53876A98AB4055A04F55EB512CBF0,SHA256=7F603C1BAE169A4629D64373C8F23D57E6D40786D8708657099BB8ACEEA073E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00443_.WMFMD5=CB88FD533A10BFD0A56BFE85890530EE,SHA256=0A62475D905E35443DE82C00941CCEE8E6045C35A305B8D3A9D389CF976B64D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00334_.WMFMD5=314911F5F9737FCCBA6D46BCE14B79C4,SHA256=C743A992F35FDC8406D6CBF8C2D765A98B35F8F8B2D7982DB447A85A33298398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00276_.WMFMD5=3576998BC6AFC968669F63C95EA5BD1F,SHA256=78E2154226E6B15B45D337C570C493A97629661D7C6185F0EAD6D8D84D78E8B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.512{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00260_.WMFMD5=EB1804B36BBDB3632D83CA2DA71A4D81,SHA256=2D9781CFCE5A8DBDA5EE176276D9FB5F10194BE716B79A48E36DB86D5796CAD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.511{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00241_.WMFMD5=C4EE88ECAD7FD1190181834080A2188B,SHA256=F3C512D486766F91560EF2A47B9B6A6ABD10A143EDBE3F0A049278A31787EF99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.510{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00236_.WMFMD5=0268F37A7800F8743F39B946AD3282F2,SHA256=FA8F7014724D41B2935B00C1F640060C9A21C4FF1AA1EF8EBA9368AA367DC780,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.510{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00235_.WMFMD5=82F181F16AFDC303497374216A8ADE38,SHA256=25BBD73CAC74D9FD4AA57EEF283C0D41E2A27A5FF19DE2EBA1CAF3237C564603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00231_.WMFMD5=BB71569957A06259D1CC1A716B892283,SHA256=A213AF74B57AFD57E01E720885D5C0CDD7213CA29FFD1287A865B33FA835EC4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00084_.WMFMD5=AD6192939EE170127253C11914E0E38F,SHA256=FF567E24D6D7BD176A134263798F55E2EC103E48D57ECB3529FCF3B3A7D0B901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.506{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\HH00057_.WMFMD5=911C5829B0D0A8E91670509E22D74921,SHA256=FA9BD8D1058C413ACE291914E879BAD0EE749508D11921193E7677F0CE23ACC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\GRID_01.MIDMD5=BD633215A6A9C445BC70EC092B7E8635,SHA256=AB23D6398D78C5323D383E9C13C650652AD3678CBCEF82EA2834B09F5E6EB007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.504{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\GRDEN_01.MIDMD5=EBF06B1BDA3ADE032ADE1AA2D26A132D,SHA256=B4EB9A85C68595030E318609BF2D5A624DB654A07A2B9259E1FE6A20BCDF4FC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FLAP.WMFMD5=61A0CBEA19154EE23DF9FFB688AAE7F3,SHA256=4108EB323DA12E05693AC0304C916A3EE620A83D4EC5476EA8FCB3947D53E001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FINCL_02.MIDMD5=84865662EA5CB4AF151CA0D805796764,SHA256=44FAE3DD1E8C7B9D0FFB303E7BEAE390A71E21A5069D0F6B1E6DFEA857EE4378,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.502{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FINCL_01.MIDMD5=9674C8316187CC7A53FEC44CAE9D2CE5,SHA256=6BD4BBAEEC303EBA7EEAD97E6E7C2FB0CFC98A1650289144A12D9ACC111A6414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.501{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02161_.WMFMD5=E9DABE48F87FE78E05D0DA8E9BDC2E3F,SHA256=1290225031A2F2E9A7ABE9C9A605E46FCB39521A8F55752E5C53E21331A5742B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02158_.WMFMD5=AF01C2C2301ACA114F856BBFD581256A,SHA256=AE5C0D86ADA9EEC3D619E1D841ECD76AE35F7A29AC42AFC82A6C564BF8471B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02153_.WMFMD5=ED2168B2F9DD3C4BC1C8BC2E778E4241,SHA256=CEC0C23C9B207080B50E15AC43C074675E4943C9BBD5B349D9C83A6177064FF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02141_.WMFMD5=5A8750EB7418CE77DC5765B9C78B86A5,SHA256=A5469EB70E9DF326A9FAB0AFE0E51B85DEEACB619938F0A6AC17CE16CB6FF68E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02116_.WMFMD5=FE63CAAC61A5ACFFD306FFD736CA1600,SHA256=114A25EC2394242742FB86C58AA0858C62A986823D28DDC06670CC32CE30B56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02115_.WMFMD5=85299D36F18622FCE7025B4E801E77AA,SHA256=559AB97CBD9F9092FC2922123B7D1226BE219E943DFF828A585C8B291136FD20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.496{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02097_.WMFMD5=54B0677EEDAB60FE5258B3BF0A05E83F,SHA256=50BF763EB68344ADB88F0D7B7644A191D2916A449EA826EAFF68E64521AB7141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.495{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02088_.WMFMD5=DCA410211CB5C8CDBBDEABE2C6E5D8D4,SHA256=A8C4EEFE6634346B72C4A0CFA624A4EEE77D02FFC34952AE58532339545C51EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.494{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02075_.WMFMD5=FCC28C5B39CFF5BC7D80C94009900497,SHA256=355BD24ED53202BD7EA964DD5FD4BBD9099AD8EE9601A56072E2C69C17AAD3C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.493{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02071_.WMFMD5=F97337885C426F97B6D3C1600D14E7FD,SHA256=10A367E5C31F43E06FB20CCE63A1E463D47BD6C76CC92A04FDB31F2F678D6C17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.493{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD02068_.WMFMD5=EE12E12887FBA5695B438C6873D12D26,SHA256=2EB5465C4D394BCC29863DF317BE8A2ECFE906D40919F54D28518E2628BFD3A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.492{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01660_.WMFMD5=DE54ADEBB4737C7BDE7045FF2F42EA7E,SHA256=9D6362FB573D0A05F88DF7861AB04EED9CC5267E0B96DDC34AE17291BC804F66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01659_.WMFMD5=906391789ED92593E7A2166183A26332,SHA256=44DB725B703555C5E58EEF777F2E1DA1F203D50C603681D4D99D4ABCB4FD9187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.489{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01658_.WMFMD5=F252EF84789F589E0D10E9B51D9F0804,SHA256=E10B5650925AC24F6DEE92D16310A546A011BB6F83DA3C9CD2371B8F846FC70B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.488{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01657_.WMFMD5=62762F26D100AE355E61FD051E2BE82A,SHA256=1E60A782477DBAC02A9CB109D2597AD97F73B60360D37ACE804E69137071AF33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01548_.WMFMD5=B99864174F42D1C48FFB23CDB806FE80,SHA256=C171DDB1819D41E7FDA2E77C7F48C023ACF342F7ECD02FA014477651BC684443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.484{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01196_.WMFMD5=423A64520988449501C93C8DF3E65873,SHA256=78D70865D21980238184C2D23FB09A5D5A0ECCC4D15A9245DA9930B068A98084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01193_.WMFMD5=2C4B0F250AB7DDE3EB411D98982B87F6,SHA256=F9FF1C818FEAF6300291ACA4C5FE6302B06B43930ABB17DC8CAF51E63ED9C8E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01191_.WMFMD5=0117EB4DACF079A139F52B3B1627308B,SHA256=D4AB92CC3EDB9BA246F801DD742CB2DE4AF86AB029BC37AFF9F5A950B204D909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.481{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01176_.WMFMD5=9427C1967CABBA82F864BDCA097EB0BB,SHA256=5FDC567692E0EB9CCDA3EA3A48A8ACA181E16F00A81C22CD46780273D7494CAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.480{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01084_.WMFMD5=AEB82BBB26526254E5A6C359A3C6B723,SHA256=E80B242167DACD8605DBDAFBB00D5B4BD1536E3801711FDDBDF25C56FF2C041C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.479{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD01074_.WMFMD5=990F1C672A512B6CA13154AF582235B9,SHA256=B42DBC4E09B84672F4AC52CE21B7A75BF1C5B195EFDB774D7A87D6A1AA135CA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.478{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00965_.WMFMD5=45B9F7802E6A903141D0F1FD96969D56,SHA256=7EDF942C04A64B9BC020D739FC45C74D8336702E7210888D20C63700F69B9746,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00814_.WMFMD5=090F63FC5EC3C0FBC17DB63B4E2E5C44,SHA256=C193CD01E10E346789ABFA2232FF96AA61CE3460E27246D635325B64DDC10E97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.475{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00799_.WMFMD5=218DC071E88F6372D4E0BBE69E0CC2AA,SHA256=0B06437E58F4CF6CCD5D987684FE3C63982FE963FD77913C4BBE0D181A67752A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00779_.WMFMD5=56E94B5F20B4765A7C3D7D829ABF24FF,SHA256=CE5A90B4D89A4278DEF22643E137BE9AE51AD9B09D2BBC961804F73B450F9129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.472{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00775_.WMFMD5=94BB1014FF4D110E8608E8C86FA70C71,SHA256=39C8F7334494A4BF61B8ECF2CF5D1F6F097E2B8145F19AEDDF3DAE54F66456FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.471{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00586_.WMFMD5=64853C144B2F1A70DBD21930D42A4F08,SHA256=954D68233E73376276DAF61F3164DCD2B9A3430C1AB033BE12C42CA64434EDBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.471{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00564_.WMFMD5=B6DE6EB4CD7A14424972D6D302B529E7,SHA256=80FE2E38E00023C881EBA5C6D52D47E2BAB6BEBBEDC6E39C0E980CBA0E23D5CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.470{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00544_.WMFMD5=B80BB0B4580D703138C47A69E1B7D7C0,SHA256=191A4B9B6B3A861426E804122EF803AAC03CCC36A077E9FB76C60CAF936D26D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00543_.WMFMD5=2D4D6776AE6E55763B5E2AFB87A2787D,SHA256=20ABF7A1A9A08E5B397664A84AD21F267C488F5A72E516D059AA48ED4754E391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.468{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00459_.WMFMD5=5C5240A42E7171381A65A230E075CB30,SHA256=01AA1966C00DB68B20AF4F6F650EAF26F87374AFE433A30DB025A4B52ED93ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00455_.WMFMD5=D3EAC6587E8EC0B76D62078FA5B3623D,SHA256=4929C9D0527C0B8749D5A2EADA42C90BC4ED1933A7D4C4BB9126D1777E900CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00438_.WMFMD5=FE3D427A3760563A4855D024333E3751,SHA256=23C38DD4905627EC4EC0CABAF4A7BA1502B3F7360978EE00DF3921690CD083F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00435_.WMFMD5=B8BEF879587B55DED77F69839D2AFA2E,SHA256=B97D087BB4521FE9807B845789835873517C6DABBAA22D75BBFC3445B808FE2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00428_.WMFMD5=81B7E9FB1BB2AB04F3FB71CF419EAF61,SHA256=128328BCD38319B4323DBFF966558E4C19A82C61FFC5251DF5A1C8085B3117C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.463{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00419_.WMFMD5=D2DCBCD2C217F3BBE60BB702176C404D,SHA256=E4BBB9543C60699154DD01FFF8436945B664FB64CEA6D2544B4C8725EDFE4DA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00414_.WMFMD5=4004D8AC0E0CC7E420C9F71279CCF673,SHA256=E8F22B879F0A6A0A35AADC5A7744AA6680C0A98BD2822951AA22E1809699AAB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00403_.WMFMD5=941539F5FB4DAE4E30943CA4CE17ECC6,SHA256=3FB11FEF47D2231C31AF9E9ADBF0497B3AD70EC16CDFFB71B57E56EE5E9666E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.459{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00397_.WMFMD5=9EE5CDA10B3D403870F30FB401FCFC97,SHA256=316201E19FF3F6FBEC3A95277CD9551C4FF72D42648A8A211ABC64F755E9D534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00382_.WMFMD5=51D7006E5E1F7867EDD33ADA4CF950C5,SHA256=BAAA3E7105A853111C178B0E52A62D21DFD6604E2B81DB97080DA1C359137AAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.457{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00369_.WMFMD5=1E1FF845B0BF44DEDA341CE1145233EB,SHA256=BB40F7AC6A8A9D3023FCABF1A1C06C4E7363985AF8BAEF446F08C6007907F641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.456{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00361_.WMFMD5=B957FADAF809284C134B36F6D9B4C44A,SHA256=582713587071F49C2FA7B043B0B8BB9F6021E221F240067C89A26A3D699BEE38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.455{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00336_.WMFMD5=BBF4FC8018EF952896B561358561A0C0,SHA256=3C38545826C1588FA87F1F673C828604BE51847FE588D0368C46A4E8E26C45BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00306_.WMFMD5=281908487CF3B482129A63C0C5239DDA,SHA256=9333F9D01230EB73DAA6DD98106C4A661302B2281AF3E0A9E997197759232ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00297_.WMFMD5=84A29F42611D348D853FE9EF51CB2E3E,SHA256=DF2A06874824F62491A769FEA97B8116A94121222DF1B9EF84BF55B8B6A3276E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00296_.WMFMD5=7F1EFE3445AAB1EEF0950100E84C3BBA,SHA256=D1E9F9E59D78320D68998DD433524B7BAB95E3390EEC13625D08F66423E3F785,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.450{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00096_.WMFMD5=7BDB2184E6AA70EA0A3A0F111754902D,SHA256=4BC278283C3C7E64E326D27BC071B5BFD6F6DF0CEA4C4B9A7567840D7F048EE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.448{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00090_.WMFMD5=02AD947AFE8E575D4A0FB7F919ED0EAC,SHA256=3749912D6A433809E694B981EEF31B83A797651C65488637C04F2E457B265DF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.447{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00086_.WMFMD5=3AC13C2A6E3C6B7AC4A59F1070566D97,SHA256=6768C990184E1DF58F22397958A712BC01A31566598BE690F6EAA6DA7FD0D524,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00077_.WMFMD5=2A70035DA2452E85546DFAA0E4FCD639,SHA256=4421DB0EBD89B34250EBB37D969CE21C6142377FE33A30B924CCCDD4E875A724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.444{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00076_.WMFMD5=094E63064C55D9468E8FF9C80B1E6191,SHA256=D7A2D96DA4A9D9C7E6750502C76F07A09CE068BE3800B8A6A670FEB774D92054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.442{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FD00074_.WMFMD5=410B716CBAE1A339A9951B58922223E9,SHA256=C281800569489861D16F2FB1D3E2412BB4873CFAC7C00B0B3A6E14917EE13E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.441{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\FALL_01.MIDMD5=4DA7502FFA7CB919BA859B9C45E8BE0F,SHA256=09CD7122CF29DFB421FEFF77AD07134FF84700B856417C95E0BDB999BABAAE65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.440{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EXPLR_01.MIDMD5=2958046E6E642BB771BA766A7D832EAD,SHA256=03624CF7C6BB14EE384BED06BAF2E7CA7EFDD43F3B8C80777B838F3D32CA4A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.439{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00902_.WMFMD5=3DDF18EE2B0AFC56CC2ADEF7A647633E,SHA256=018A675B79AB18EB7CA90E002A2540AFA3F1243D283CE1CD394FDF54FE6EFC1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.439{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00397_.WMFMD5=8C13C05A73E84858A75C71B439FB4013,SHA256=2BDB153FF02C5567653A11DC9B0DF506F0A2B17BBF36A8311AE86392E1A82F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00320_.WMFMD5=A69EAEDE3384DE71EF138398F09ABCF6,SHA256=8DE46AD5231AB985D41BADAED62DC0697050390C4A74717693FEF7B1EE8DF62A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00319_.WMFMD5=700E1EC6FDAE1DD15A5A417E413920E6,SHA256=71E829E3B4EF2E8092A4A996440D559CBAB7D4D6AC64D772CF30F3E349694695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00242_.WMFMD5=7A0FE79C3743421236C5729D8898EE34,SHA256=7799F6C8E171323B6271C72CBB6FFB0AEA37D5EF345D5FB20D297F6BDEB9DC9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00222_.WMFMD5=5EE2296F210BD35833EFA5FF1349BAED,SHA256=4E73471F0C0D2D208D1A26C24F2AB359CADC8B0EAED749B56262BF5EE99B54B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.434{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00202_.WMFMD5=CE60753DE104072598BC7328BA5E62E4,SHA256=21FCFF21BC4863DFA830F27E55202D2E7B24661066603C74405FF541AEC05C70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.433{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EN00006_.WMFMD5=CB230B897A2CE7B59CED83E77347CC31,SHA256=7CCF2647E7EA4A941A9EAFC1E9D9CC7F2C9629CBC34FB8CB6AD351CE30A768FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\ED00184_.WMFMD5=EB40D79340396916F04C2DDB37F14897,SHA256=5D84A3266444A87B535B9C8B192B5D5580D3AF8EC01ED59641D0A3A9C3E2D633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\ED00172_.WMFMD5=157E9EE096B5BEC1AEC532A363D05407,SHA256=B6BED86D4C79195BCB6A08AA759DC71CA1ABEEDF86C197C386B0EA7BB19BB8D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.430{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\ED00019_.WMFMD5=55AC905602CAC55417009312E9B0357A,SHA256=D48C63858D7642439608051B31E042FFCA09AF00D275FBD31486728C126BBCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.429{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\ED00010_.WMFMD5=7EC3CE0F224BB5CF1A3622F495FCBD00,SHA256=A9CC955CE855C272842B5809DECFB5C00E2BD9F508226BAA7F186E510C859B24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\EAST_01.MIDMD5=8D1EDFFA7C29D7E4540E0A14FDA328EB,SHA256=EA3928025362E3A7AD511E3179FA4DF59824A6F1E4A2C5F6D8C94C9272A2011B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.426{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01793_.WMFMD5=0EB4B64E8378E0CD0B75B530820E029C,SHA256=FCE49FC8956A6CFD20CEE578C2A1386CFC96A5ED3D11065DBC2AF371EA07865D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.425{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01772_.WMFMD5=2AB1CBBFA2CF80C641A23A5914ECEAC5,SHA256=08A0B743D1B07F590D271277E65BC3821AF8A529A469330BAB949EEE35448696,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.423{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01761_.WMFMD5=4C271B513B9F9B15085AAB31B7A1E97C,SHA256=1EF80C3CF0711A8D382D627FB1D478999787B1564FFB5EF2180A9F17148C8D5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01631_.WMFMD5=B5715CE30507956C03DC1904ACC7389F,SHA256=F905FA16E36DE938420B87455508F3583A772124871D054ECDFA196526A3BED1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01630_.WMFMD5=A49EBD16DD6A65B93AB2AD135434F541,SHA256=FB04094902572B2057E1BACDE7D4CB3534F1A142F0C3C92D3A0ACD52CC1C61B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01629_.WMFMD5=BC3E30E1629223A6D714BF35B5A3E12B,SHA256=BA6E75A116E3CD28ECDF335BD1C395168581F6635944BF6626A9E672E9CE5175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.420{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01628_.WMFMD5=42146B49D94FEC0CD9237F6453E5ABAE,SHA256=4BB61B208F21CBE84980EE586511DAF8D984C487ACF75F39E40C1F3376929C8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01586_.WMFMD5=6B11A79D775862FF4F08F354C1CF5630,SHA256=32DA3DA60CE67E0B9A7D030BFBE485BEA29FB223FAE332EB5F4454911680051E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.418{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01585_.WMFMD5=DC7A2F58B86889B606D52BDC7A4EDAD7,SHA256=3EF557E2F095D31572D24C13E89C80ED139BF0742105FA45A36BD6AF94FC68A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.417{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01434_.WMFMD5=DBE9A1DF8D5E917716DE8D71152E5E00,SHA256=669CEA4E5CEEF6807A0DE6E63B74B0CEF95BCFA3A7E5CFDC0F3AAB87B459C9BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.416{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01366_.WMFMD5=36EFB85C42A507109567E394BE6A958F,SHA256=16669CE5527EE693A9B878D44A086649A457D51C1F88B4F98AE06545DC2CF0DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01186_.WMFMD5=5CEDC1D6BA17E5BC76230E47B418BC3A,SHA256=67E1ED2DA1B7FD26BA79368527F20F4BBA1D72174EBEE9814DE9FC9B58151A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.414{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01183_.WMFMD5=337D1ED78977F9060E144527CC6046B5,SHA256=2B3B9820D0300A2AED32F031081FEFB0EEF9369112AEEC7670B2B0F0FAAC8628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.413{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01182_.WMFMD5=8B1C0C272BDF785B581A586D1D11A22A,SHA256=7D9ADA18D9274567F02BE738FD105B42CCF3F1FEA3AD2AAB679EE3A2A11EA180,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01181_.WMFMD5=805840DADF6FB601381046AC937C5544,SHA256=4C63D236A6C327212F4B9A838A74429ABB1E949CBA5C7006DE48A5EF3350CA53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01180_.WMFMD5=3312807F70A1751FE705F004908636CB,SHA256=6F71103EAC4CBE2B8C200294CAFA1240797A452304F5670F7DC7A32E8C0CB16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01179_.WMFMD5=70C8E371EFDAF2975AB7F653242F73A7,SHA256=53DB0815FB2F25A808A4AC528F28FD32379DE73E8FBE3EB41F48A0D03E865F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.410{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01178_.WMFMD5=373A9DA52116A476CDE87C1A0030D215,SHA256=D3ED28D9AB2D81DF8BB28F91B8705FADEBFE35738657FEA1454AE84BA8A1263B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.409{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01176_.WMFMD5=AE29A32626F90B7C8B396898B59B4E9F,SHA256=435AFBCBA8947437E238D94BB973996C1FBCA94CA59A453C2755A3F0033093AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01173_.WMFMD5=6AC8AE8BD86CDA0775C3BD93759438A9,SHA256=12B69DABA415C3C2C90A8B7892413575350BC326A37A1A80DA7D5E18FA37443C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.405{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01172_.WMFMD5=CA39D8994F7170E8702EFEE36C088A9B,SHA256=81D24FDB5F9088075B696D8012E441C2359E8F22CE23DDF1C11EF2669A8DE104,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.405{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A219DB3F5981F939CD9DEAE365E6C8,SHA256=0F4DEF757A7E9924963E989FD3160452382613CB702B5E3490B6A02B1C07AAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01171_.WMFMD5=6AB36BDF013C1602A49DFD086EA4498B,SHA256=585B23A9EE96C1730ED9FCA10C11431478897D75A47FB040831E9F792E036083,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01170_.WMFMD5=8E4A1C5DB5B450E0365CB725F9A42519,SHA256=6ECC13C39673C8F72678C701B23F322C584BADF4E27E3A5D01FB49F8747D7E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01169_.WMFMD5=B7A07F08D323E3F33DCFBF62605BA381,SHA256=B1237D35BB40DC05793C945601640CA89D6D182787EC213E907A6E3BA74DA4AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.401{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01168_.WMFMD5=A48231578A59604EC6588404904BB7C2,SHA256=8E7FFB23B60EDFCCBBADBE7E8B0F292002979A2D7C007BAB543CF60786821F85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.400{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01167_.WMFMD5=6F25B26783C097D5E3F82A05E47F4759,SHA256=F8BFC6E6A577807C703BA8C62EC89900C7886D7F30516F883B17F81763A76DFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01166_.WMFMD5=8B846110436BD48A71A53CB690E76555,SHA256=A6F46F2F76B9F9FDA730E35C29492BC23857FDAD15C3A26756C69032B88D7B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.398{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01163_.WMFMD5=BAFD288F41AEE0060CBC37077E718DD9,SHA256=EB4102C7A42E51736DF52CFF679A0B6A24EC074D7E415224626373C1A1ED1386,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01162_.WMFMD5=0964A67B2552C332BC500D49275B6EA7,SHA256=26299AE5DB740243AAF55FBC973A345FD359C444C14A5FF83455EA0CA1FBE65F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01160_.WMFMD5=0EDA26930843C106E3A4F1DDAC28F62C,SHA256=E892C9BC7DBD28C5EC9212D623BCADF7BB72BB8C9E95268907DABD2590758DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01157_.WMFMD5=C5614C0603163BEFE8C3ADAE36DAE522,SHA256=62AA3E7984D5EB9B5AF7CC1271C2F5B9EAB86A309803C8B212D498201C4A8F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.395{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01152_.WMFMD5=1F256FF3F379574BEA64477A55A1C141,SHA256=A12D42D51859FF36F1A4D046CF8584FF608404B69609A121C428D018EB91005C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.394{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01151_.WMFMD5=A498092A45B7FCB0347EA5612A9D3735,SHA256=8BE78D21C7EFD85CB99FD36D911E60228603BA2646C8BBD1A8C32C8F274DCC32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.393{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01146_.WMFMD5=8F29A3C315FCF53A3EF31175349C45C1,SHA256=C414B34BF1ACB4BDF7E21BDCFCD838BA949610DB2CAC652094083D804B08FCC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.393{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01145_.WMFMD5=E70C427793DF572655E4966F686ED9CB,SHA256=F030E835FBC23AD1FCFEECC9A212BC3472B82286B9B8D3F08B05254A482031C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01143_.WMFMD5=70A01497FECEA4A7961B64BB04E8FD30,SHA256=9887154D0A90B2717ECFDBB1C56EFA1989013195CCF574A04D6525BD2077041C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01140_.WMFMD5=7267E0857A43BB1F12941ED7789EEBB8,SHA256=99B1533D8D7350D36C30228FF4130DB12807B2678A999716570A1C2BBE4C679E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.390{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01139_.WMFMD5=D87C4084B871CCECDB4A514B7FCDA78C,SHA256=C3A97C50236D12BC0AD1F85BD979FE0BCDFCAAF23DB0F735ECEE09ABC85AFE9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.389{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01138_.WMFMD5=C99DA6C0CABD4724E802A1182288AEDD,SHA256=8B65E5F930C5F3F655E9E16ADD55F2E0442AA5A0FC67EABE13EBA632DA8974A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01039_.WMFMD5=5FF3CD1B632776FF24D417AE7F26FABA,SHA256=99D76923D916FFA6DF0C133E9C7E2533C3B86495529582690E2CB8CE70A63530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD01015_.WMFMD5=964CBAB7360FD2D286CE2F0AA02A3CC8,SHA256=94984C9973C248015898F7C1445B902F202E2C7A985F53798CBFCA49C3CBFCC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.386{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00705_.WMFMD5=9FB283D882BAB5E50A4DBB426BBC29CC,SHA256=16D456423BD3BC657B64820EA91285D317A14226301E55FAB1D790A3F6AEE52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.385{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00687_.WMFMD5=F68BBD20E0C61737CAE65ADF236C2624,SHA256=736E3C034209FBB679E8D7918F04FF604DCD80399D6DDDB6FF7E1DD712EBBA8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00449_.WMFMD5=42199763FE4998ED4E44A5C30A57EA5E,SHA256=8573CA4DFFE053A0312538BC5E7D2617C15B51C3097A310CFDB497EA8B9F6110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00448_.WMFMD5=EC23BF720E8E7B9A259AEE47E20542B8,SHA256=23F28DB41D929FFC773AB27743EE0124EB5FC043E8D1BEE69A014573CFB83CFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00437_.WMFMD5=975DBEAE3FD57DEC0C2AE796E73F2AFA,SHA256=9A146BC29419533B3629E451A99366EEAAFDFFCF2F2E3FFE164B833B32DFD527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00419_.WMFMD5=C4D347D9519D48AE4119CAF772C65FA4,SHA256=A05E98DFDEB1D038C952CE282E3CC362C66278399360C0BB46E6A22CBADF92E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00414_.WMFMD5=85ABB56CCD2A1403F9A4F9CD91D7E0BE,SHA256=3156B83E19B6A27517664D11701B7E2A93516811E971646C0D40E4D1C20536B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.378{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00413_.WMFMD5=E0B908A7F7B471267C8D7671742930C2,SHA256=45C87F72B6F9F67551367A23AFC77B7CA197646BB67A2812EF700D239AD467C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.376{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00407_.WMFMD5=DC5FFF07A0584F3788750B25F475C752,SHA256=34228455E2CE91C1B6A837BC92333621F3C3B7751D68A9DA46240794F368F585,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00405_.WMFMD5=79F27D6D3A326BF785951E83E39260DF,SHA256=CE5A9638499798437536F244E8EB577EF410F15C37C2D2417EA0E715AF8D8E33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.374{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00372_.WMFMD5=F1FDF0A0CE06A0C73B69BDD45A3C5275,SHA256=726D56D5CBF6590E1B66FBA9068C2D4314841D9630361C8B6A9DEF07488FE6B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00297_.WMFMD5=991E3A1B71D9EEFB1D8BB08E9831A000,SHA256=65951E8260AEF3E8988901D2402F2BF6E46876D035E6858BA9D116CB1F44BAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.371{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00261_.WMFMD5=635712D32E3C8B597D69A41FE9C11C1C,SHA256=4C11ECA261180FCF50C750D041D1AAAC5C6773549491066CDBC1848A7E88ED8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.369{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00256_.WMFMD5=F6549ADCB2DCAFC7021F82E2EB3E50CD,SHA256=619F3F0D7C15553ECD87228CF3C89457F9DFC072C60F3B70471E09A75DAAD158,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00255_.WMFMD5=E4672DD6F2DB194B4EEF71B6600A6438,SHA256=91E60092710EE6553883C6212BD702F1092BCC82333942155B7D06B84E8510BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.367{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00234_.WMFMD5=1C868387195CE3D47DAEC68FE41F34FA,SHA256=633EF706586519850FE74166354C08A981EBDB307BDB0C662627AFBD68EF26C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00121_.WMFMD5=938FEE6FD7FC7CFD4C1B810474AC0BF0,SHA256=672E7BDEBC0E2B6D5E3D049F5D6E9634F467976104917EFDEB4DDF5A360FAE71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\DD00117_.WMFMD5=476344FDCA4F860B907B6231DC09DA10,SHA256=ED390C0FBF2C8BFC749B5FB34873D6693FF6F2DE2D9E115C02B83676C0C37B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.364{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CUPINST.WMFMD5=B9BAAD6A02E8B4F51F39F6E585738368,SHA256=0F36C74F69E4FB8D46AC46CBA81F15B147A772259FCD5C0C529B71A58A7C6CEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.363{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CUP.WMFMD5=67E1688B6AB551C6DC85A2CF7E006BC2,SHA256=B232B240C0974C279D2FD81D66617880AF9AEC85CB2481A06562FBCF76A2C682,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CRANINST.WMFMD5=31BBA11B84D955630781347801D4FE82,SHA256=8541180B2A615171A3F7245089CD58C3A135D7DBF7AECD6DD7CB999C9B8C11BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CRANE.WMFMD5=7D5EC2FB4ED1F8F1F6476CC3BAAD270E,SHA256=A64E76FFA56D7F7605C6FF2A5ADC0F8744AE58DAAB52B7100BE6BD80A6377E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.359{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CMNTY_01.MIDMD5=76A899E2617A599CC044F76A049AC7A5,SHA256=1DA2EAB2F5B0E9A6EA4FCE236FCD08ECCB26183B4995DBAB0C2791CB154D7ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.358{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CLIP.WMFMD5=8104FD9C4BFDD04F7CD0AC2B4234881C,SHA256=D76DDE03FB2B883327B491BE2A18E2CC6C7A386C7EBE06F328C9184B541E96D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CLASSIC2.WMFMD5=8D35E39DE31B5DF0EB8CEAC92FCB34FA,SHA256=07148EFC9CD22EF8AB508474728CB0D6FE12AC34354770223DD36F9CA5D2A909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.356{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CLASSIC1.WMFMD5=2CF1DBC243A29FC3FF788E985B40E207,SHA256=4AEE5EAF4BE69B2A3234DCFC9DF03E090A7D02B142A69EB29A12066585E9E9E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.356{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CG1606.WMFMD5=88E74ECAABF1367BC04F960FBC66448F,SHA256=1257428A1292BDF90626A66020230926590D9B06C75B28C424E9125AB5F52624,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.355{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\CARBN_01.MIDMD5=33BF6B0E81B4EB7E48F71DF1C1788078,SHA256=62C3A13B3B580D849AA2E6363C59E0C8AA4C4848D3C314BAF7EDEBACF7DFD358,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.354{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01639_.WMFMD5=1F0568821824452AD134E686000FCBB1,SHA256=73BB3CF029A20F0534046EDA4B0DD35D7C32CDD7AFD8AF727800D059DAC524F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.353{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01638_.WMFMD5=59FF330744D12C9FD1CF43DB0890727B,SHA256=E7EA56B18178DB02C4C0EF3E8B2EE21B428A39B4653D95B5340AD8D13C72D64A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.348{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01637_.WMFMD5=43813977F5397B6A8B66867DA7CB5837,SHA256=172EB4D73A73CB867C2092158694607A26F70229CC3D5193E12EEBD66D9473BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.347{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01636_.WMFMD5=A7825DA4D71020AE27440890252281B6,SHA256=AFAC579FB6C345E12F6AB6D8C4DCA45A3C3713CE3219A2F8743FCCD6372A4FAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.347{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01635_.WMFMD5=ABA7178DFFF6476D6BEC901E9579B559,SHA256=DF655623DC4FA6464168903D1DA94483DE61F61605949643AF6FD4F5C601B459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01634_.WMFMD5=AFA305A78649F4E51ADE9748E231217F,SHA256=1D44EA89186238226231D3B531211C9AD6849E0389BCDDEA13EC88518874E773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01603_.WMFMD5=2B5BE68773C1D459A636F5A24057447F,SHA256=6BF648BC2C000F5D3EDCB99A10A0FFBBE5A538C5A573F8FD7CB663157B0BF4A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS01080_.WMFMD5=8EEF51840801D67057223D696FBB0FED,SHA256=BB7D98DCE9C6F081202C6F6B9B7D11629EBC6A7F0A2AE2E1C66DC8CA172CCDD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.343{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00453_.WMFMD5=6BF7FDF5412AC428DF3E1585445943D2,SHA256=7F40480D6FA89A2A998068290237C521698D6FF74C726861C88F57697F7140BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.342{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00445_.WMFMD5=76C44D5AE4B6326F83271F9218E34B19,SHA256=8F855699FADEB0EC35E4AB21ACFB337B18B698EA3B5CB9B87C35CB56E03507BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00444_.WMFMD5=A8B016D827AD838B1C3EAAB948DC0F61,SHA256=1F0BD1FAE758958CFC1C12B550996A7EC55A33284E9305D8B7C88E826CC1E871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.340{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00443_.WMFMD5=0439CE5865E4056B1F913AF29417DEFB,SHA256=E0EFE17ABDB695D0B5388CE94CF4A73302B0440F0479FB216AD706B32332CE20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.339{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00442_.WMFMD5=67BB32B0BD8CB6096E41729B2B21EDAF,SHA256=ECA876F65B897697CE7C00424D6A41BF297894FA2E54C56034032B2F85BB8733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.338{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00441_.WMFMD5=078E1941D735AEE75A3699F2A3C61F98,SHA256=E882A2C9EDCF189AC18C955880160B15DB30D40999EAE2B2E79AE7E1AEFF708E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00440_.WMFMD5=0DE3A6D6362B3D0F91FE016F4419CE89,SHA256=E28C68D601EE32B97525FA2551D329A6436E47054655367B7EA2ADB74DB84269,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.336{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00439_.WMFMD5=F1BDD54C50CB8309E2163828ACA5BA41,SHA256=5C987FEE4F22B745325A57317033401BE0EAC88B9FACCCD102221F0A6A1C5F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.335{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00438_.WMFMD5=EAB2752C2FCCB0774767C4425599D767,SHA256=AC615B8E751D85718FFF7020D0E4CD9AA68E6B348D48B9828D48C26C6A3223BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00224_.WMFMD5=25A1BC3E581691E6717E238CE4D4E55D,SHA256=F97382DBF846510938134FD2848AE4ABDD0296A9BD5414532B1873A775302E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.333{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00200_.WMFMD5=477B6CB3D27F2A87527AB36A885240E3,SHA256=F3A4CBDFB459B2C713F005F5D13C3B58C76FBF7E0334CF45DB37F5241E330023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00186_.WMFMD5=314AE4BFC1C78603EA771341AF0B0BA8,SHA256=A2AD0B12D519FBC27D094DBD301EAE38D647EDDAA8ECD25C1BA1C55835AE93D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.331{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00184_.WMFMD5=B3E90220FDAA15E80F2AA4FCA04A2D22,SHA256=2B9CC93E527C11DFF9E0DB2075B644816F591F4E6A375A0F55307F74FD17F047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00174_.WMFMD5=82D795FBEB8F4AA459BFA28556C5A717,SHA256=3184D2E7AA1A66373DD6CBEAE7AF32BB54CD6889E4A8C465D0662EEB175D4952,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00145_.WMFMD5=64DE8DDC73C724A33299A96D6A4BB096,SHA256=8904C31178048279DEC102B7DB0054DA2C0A7D29FC24535EAFB0356A06712290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00136_.WMFMD5=F9630705DEC83435D5A1EEBE6535B261,SHA256=709F8BD68E4750CD823131B2562971559BD75F7163522E3425D9CF11B8831596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00135_.WMFMD5=662E995B4D88C93D612113280FBBDECD,SHA256=BFC638EF5D06CC2A6457220C057825A893A51ABDBD14054F2344B58D42427C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.327{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00100_.WMFMD5=6B776676C9ED054D1105995ABD158819,SHA256=76AC2780BE3C83C93695C5A995D8C95F76DBF1BCCA50479FBB86CF8FB22D5193,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00092_.WMFMD5=113D2B1F87DB6E8614F69CEC18406EE7,SHA256=DD95225718517D43DF93BD1E1E4A46AD5D562BF3229786ABE77F318CFF4309FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00078_.WMFMD5=BB74A8D6C108E3815DBE89C164804FAD,SHA256=9F52EA86EBA7BC8A9C9D8D6481C7054D64D445F8F70C59B2F6CCBCB5BA663EE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.324{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BS00076_.WMFMD5=EF8D565BCE61D1661E27B001C87A0421,SHA256=0B2B33E18C2CE4759138757D56708D3612DEB3ECFB3CA18C34B44975CF8F40DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.324{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BOATINST.WMFMD5=C6BB70FFC5B41225F46F4799A7DD068A,SHA256=A058110E0F1497BF913D86B48FB3F2451C4F04BBD388EC80DF31896B4C871147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.322{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BOAT.WMFMD5=E1F3724B86447D322C844F75B11AC8C5,SHA256=03B29E8AEA29B712B5A6FFAF812207E3DCA31B3128FE78748801D8DB2E6EC9D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00985_.WMFMD5=6A57F5394FFC9D306C7C4CA9308E27C3,SHA256=2CF1D816E803CB5DBDB3B9CEC0E63B8F7E893A9670FE0F9A84BE2A1EC68AC7A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00932_.WMFMD5=A19A9A98872F20D95F1C501DEFA33F58,SHA256=F2871BF35867D805C2267D15FD034A1F230B40CA025D89350E8DE1D7DD7871E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00923_.WMFMD5=11EE6538E787DFDBA0654464073EB752,SHA256=F9407AFFB34FDE669D8F4473653490ADE152871A933C30448903D20775BBCD1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00921_.WMFMD5=64DD23FC6A1D43AA096B0CA3B1B7F033,SHA256=7FB3CD2B1D2E18C090E22BD2EAF29BCA213EDDCD00CEDA465649718678441FF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.317{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00648_.WMFMD5=8FFBD47538407A6FBBFE2BD7FCEB0661,SHA256=230A376BFC5C8168B68D6278DD8D164067E9551CA8E9D4363B8A69EF10F2D7A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00526_.WMFMD5=7495ED85BDC568B1147EC47DE99202DB,SHA256=FD67DBCB60652CE4F413E049F29456013B4475069ED1520B9A4C85E92D6C2D8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.315{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00525_.WMFMD5=96A6BCA737B16E5AAC5AD5C263F86AC2,SHA256=8934DFAA8C45BE1304A3B2B2128AFD61B1A1648F1C4C14ED4AFA0D058D9B7842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00524_.WMFMD5=F4EBDF8B41B74B6B16B6F8620070F27E,SHA256=BC3D0B0A3892515D08C3B547F12E8C6DC9FE7709893978473D122881CA67635A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00392_.WMFMD5=0F5A5495EA68AE4217A80D0F363AB610,SHA256=37D5D5C8EC24B0D171EB7BE5E38ED2DCF8770D0F620D8E9544269D269C57B8E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00390_.WMFMD5=AD85A98915A6E7F79544A76E3EA7FBE3,SHA256=3DFEB71E29A1FD6E331E74B1B154AB63C8593A8B86B3B45097F56E3DC7501B81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00296_.WMFMD5=1221CD74F3E249E74DB74D16720133A5,SHA256=B91B69E5EBDC4D67F86A650532D20095490EE7312D38AC41A3058DF78A551896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.309{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00274_.WMFMD5=E2066338D806156138B3644D49CE9AE1,SHA256=92FF506F34282C80913DE88C113727BF96F0CD412D6F41D2AC1D5183DC067CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.308{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00273_.WMFMD5=D734FBC8A090C5094BDC56916366CDC8,SHA256=B7FD368E0FAF7ECF2A91449C051E135078508902040BA7DCDAA4EB852267BFB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.307{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00270_.WMFMD5=FDC3090808F103089385564BCF5909B0,SHA256=C55BF22F538886D9391916CFB4C368995F5DD6DB90D7D07E91533AC0E16FBA4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.306{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00269_.WMFMD5=48737753335F0A6C8E4064DE5FF41B6F,SHA256=8D170E045B9196BF4176A99636D17F75F3E6DFFD3E40291BDE6D703EC230E44A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00267_.WMFMD5=B08CBDF8E54F990EE3893F777F516CDB,SHA256=858F573D3E6943698376F6B41B74A571211553FD07BAB29BD8DE5E62BB1E6880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.304{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00265_.WMFMD5=A359F8EC432A8857C37587BCCACEC9AA,SHA256=BEBDA40FEC5A6BF83C49A166EEA74077FF727BC68D61F1EBB0F50CE99001BF8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.304{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00262_.WMFMD5=52C60B73D45A1F01910597811276C380,SHA256=97E7B989E6FC227914AA4FB7883BEE142A07AD1B90387645A2B8B350535980A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00261_.WMFMD5=A2312BA7E32AF05FBA1A4E62F1498348,SHA256=CC84604456F7D56E764E512C10633B1C0CEBEA11BD011E474F4A3B0D8E1F510C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00254_.WMFMD5=DEBA7E916D86AA5A86AD16E1D856ECFA,SHA256=AB90513A37CFEC483ADE13A083F856056186CC4265D1154A7FD259CA0CA6DD00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.301{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00252_.WMFMD5=C42335700CFB235D86A7F9A7BD7E4123,SHA256=CD3236C11B05377F45154A56B48FC544E923E44D6F337E2FAC7B40232444E237,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00248_.WMFMD5=C11590ADBCCB261A8ACD0FBFB99176C5,SHA256=F1D903613384DD98D40D28380EB7FCEBB9DD3B64A130EDDEA058AD2D1B6D6B17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00247_.WMFMD5=87FE1CBD1BF4440BFB1D4DF2EE2D6678,SHA256=1F8099E4A75027D87D30D6F7877B8CB9681BEBBE77588C6EF961831FD148E67C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00242_.WMFMD5=D226271898086F562163E3E2437CDF3D,SHA256=ED81C2549393BF51E8DE91B20A6CC9F91F0BD04B124D49C19F2D31FC51BCE45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00234_.WMFMD5=CFFDBEA51786BADDD1A77B92A80A4B07,SHA256=81436C08BE99A9D56504AB4937B0A389FCCAEC1B7B72CEA54848979CB27205FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00195_.WMFMD5=ED6BF64C2239077BE768BC17D137DAE5,SHA256=3C7765971517BD4605D227E78822206FBF4A2D8DFA899D1CE38E2219C8DA37BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00194_.WMFMD5=F4997320353C357F10925920D1CBB6CA,SHA256=CD96D028E8AFAAF6293D0FF11B3E95D9C2CBFD73B5D1BC410B99106D9BF69911,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00152_.WMFMD5=A83901913BEB72B5DF600232B66ACE58,SHA256=D9EBF25F039389CAF603AC328B67432C6BCE59489DA65101B95A6BABE789B1B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.293{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00148_.WMFMD5=CDBD4719649B86DB54C925FCA777F41D,SHA256=392C564A7D1C7446DB3A28F71797A5E63C31C199B872ED5FD05489D6F14D578E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.292{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00130_.WMFMD5=43CB46968F190FF76ABC76FAE469566B,SHA256=63586D39920BC0E8D8E5C94CB8568AAC7E531C959B2BDAA31AECC7DB4BCE988D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.291{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00122_.WMFMD5=B5516257BECF013F8D140CC89E853172,SHA256=C055480AF121F2180E4D1DB8FC689CC1B6E34A0DC8B567492668CF9AC6871456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00105_.WMFMD5=44494523387494BCEE526700EF5462B9,SHA256=28F927247B34AAFCED081CEE4F481CA598E072E538BA4574D31D3C4A233E0A62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00098_.WMFMD5=3BEF1301FD37CD508390C67E2AA2632D,SHA256=A1B64ACF1B39AD6E61846761A5E15F29FEC56C3066B94B31DD74ED7E86154072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.289{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00045_.WMFMD5=33D750DEF3E99AA9DE103F9AC20BE8F9,SHA256=B86A2BE698C9208A3C5DFCD3BFE64663600C6F3083451765DAB0630BCDC98C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.288{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00012_.WMFMD5=A14A55237B8CBF64A3A45197C97FA7B8,SHA256=6FFF69CBD216F04743DA6CF36FA398183488EE7DFCF7B0FAC38A986948A6E654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BL00008_.WMFMD5=E491B4D3FCFA778BD88EDF894DD592E3,SHA256=6BE0531236ACF33A98E25CB07BA38872579DF59470A499D4632C90FA046FE3B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD20013_.WMFMD5=2B02776A4CD7E7A83542BFD21236D638,SHA256=FA14994191E281E37CC8C22C4A6C49ADB8D789FE975AD04428DB8FB3DB5C7049,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.284{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19988_.WMFMD5=C377C2A58FC14547815212A8EA9CAAE1,SHA256=A2CE8368ABC65C1C011C816CDD84ECBDB28888A3A5DFCCC6B9F0C9F764CDD55C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19986_.WMFMD5=8AC4432E89C73013BBF7A75BDA20ADE0,SHA256=CDC7FDCAA46273984FB31DE0FED0A7AF9C30A90B076B494887DBDDDB1DE1EC89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19828_.WMFMD5=72B33B17CC62128C5CFB41A92A4EB055,SHA256=105DC4B506A29F34AFCFF0B8BB096770AD3D24700BF20B72757EBDA1F8605948,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19827_.WMFMD5=C21465CD247F3750603C88123FB60F26,SHA256=0E473D1CCBBD9AE74FC02CFA76D800242C2BAFA7EA7B8FFC1A188BDD129BAD0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19695_.WMFMD5=0297635E32E9589C797DEC178AF4D207,SHA256=445213266764F92BF27A543DDBFFF65C75D4DA72F59FE8AD2D6A08FEC57D1B71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19582_.GIFMD5=0E72F85B8C0C597279C8AAAE3B1ACFF4,SHA256=0B96C616FA61FC89D9979F09A53739E966FB456BBBFAC094900D3E06E6768AB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD19563_.GIFMD5=A352C1C826DB3F462547706BDD8AED84,SHA256=4B84F479D03D460A8BB2B25D7CF30C7664657CF279D28F1DD5438280DF5F2A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.277{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD10972_.GIFMD5=9E3486DCACAE26FAF429FAA54A6226E3,SHA256=1AF37E60B173656080052A2A513BB7A38A323D7E4503AA7BD0D72B31121F1E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD10890_.GIFMD5=C1F1B8AA5F0D4EE1F51230605BAF12A6,SHA256=DE293FCD20A2185CA1F10CCDEBE6E7B3D93786459BD40CA5D5E4CC8D5F7223CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD09664_.WMFMD5=DD87A0126E966267207AA167B3A40120,SHA256=2FE861C5683E59562323449F371F8A0C730BE240895CAE857570A1732DE16EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.273{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD09662_.WMFMD5=10A81F200CE1B2D1A61F7D9B755F73A2,SHA256=6ADE9D57ECDF03B1F75010CFFBBC6F4347209AFEA0AA24C8344B93032FC6A257,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD09194_.WMFMD5=13A099DD57C09581DB894A8DD22B1D73,SHA256=DE1544DABBD65C26992565017A4358F8336FFE8F55C30264D5D5CBE38A0A0D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD09031_.WMFMD5=396CD9869CE47A1627240F38CDAB5D63,SHA256=5180AF38F8A3DBE746BD4F8783B18D543789668D275B33BE4286FFF999235EA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD08868_.WMFMD5=CDEF95D10FB9121A59DC677181C4C044,SHA256=46A080B76870FE52EED4D5FF1CA35E5228AEBF29BE9ECD2E3F627993EC942683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD08808_.WMFMD5=E6EAD4172E386DAFFBF5FA2E77BB5C6A,SHA256=80AAEF04ED63053AE0E7D260283A51155D515A3A4C027113F3D09D7F6134FBA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.266{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB3A0CB527B66DE80B47CB5DB3CCDC5,SHA256=AD93CB4B5B07056C80948F2DA004C3040E59BAB630B2EA97456E000118878ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.265{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD08773_.WMFMD5=52448092821EC4570EC5F305DE7329B1,SHA256=EA3A0D6C9FCC34B0236699AEF048742CFC293E60A8C3AA07CCF5D67ECE5BD8E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD08758_.WMFMD5=AD33B59469156002FFC695EA43AB4893,SHA256=FBA3E7963C8207BB77AFB502B21D98138109F20E074BDFE0B1510B04E3B8572A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD07831_.WMFMD5=F920A71B55FCE29447CC6D69BF99337F,SHA256=83DA135192C2224DC6E1FC3BC56828F3D73D31646E25B85DE0FD7F29F5109C2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.261{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD07804_.WMFMD5=BD76CE413D7DFF0D025CE085298037A3,SHA256=F73715AB28325712C0E8E88DD3DA69C25A44F3AC78F8B6E1B6474C9D42042A3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.260{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD07761_.WMFMD5=66D3184A38DC3D6631EDC8D3608BE2AE,SHA256=D09DD5D7C264164C57BEA90F053233AF43FA00F75D2A870E70C4AC6CEF2DD03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.258{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD06200_.WMFMD5=9DD99D96E55113400422A464EE178E37,SHA256=54406B6E65BEFA3B1A34F12C7857C4A1C5739CA22675C57EDA332B036A0C328D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD06102_.WMFMD5=04583171D83D200469AD6088B05449E2,SHA256=6ECDAD323AB883888E2F020B14C5C25F47EEAB83C4B012C5AC8E8B9FE129EFAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD05119_.WMFMD5=62DAF0C3FBDD135CF8EC477F2F11E17A,SHA256=ABDCD97429AE5ACBD8BCCBBF039014CA4A5752E6B41DDA6B4E729979CB64A5B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00173_.WMFMD5=5D7AEB72711CB674739E6E33B8073E03,SHA256=9B7326E05EB808947CE451B50FA9F1EC32987330547FA98CEE00C155A528EE08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00160_.WMFMD5=90DF7DCF33142BE48B3DA9EBAE224B57,SHA256=CFEC77B263D1FF44D4F1A64010D8F9ABFF5E78A71793A8296AE7E8DF40BB94F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00155_.WMFMD5=01BFABFC6EAEF253DCCB6D4D45196C6E,SHA256=BBEC61FFB1193A8BD1A424E75C3259F26E88155CDD405CD6191F4100FAE9D96A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00146_.WMFMD5=D489913C188900F7FE8DF05BD0A55FAB,SHA256=E327E6AE80F24BC384A3892226B02A72600036B1A48E3E6F603CA5887135866C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00141_.WMFMD5=AE6ACE3B1756786D1DBED721E7A8462E,SHA256=86204EC45B9EE029BB2E6EE1422601E8405EA7C059B083326B3DDFB73BE3FF7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.239{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BD00116_.WMFMD5=47E36622EA6B81DC5818092517C6E616,SHA256=F3C3ECA3F2789BC6E51EE10B461A88101757269178DE15B11264CE32CDDFAFA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\BABY_01.MIDMD5=0628838A120768F518472ACB9F83E89B,SHA256=55A3C3911C658865F8A2398CA0FFB0377F33A36B685D8441DF9D0A70AB6F7DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.237{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04385_.WMFMD5=DE3BBBA31619BFCFFFEC40796A9C7C47,SHA256=E103F7E4FB9C87D9412526D18E2700AC1073FAAF8D94EC78217F0E8157A6081C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04384_.WMFMD5=E59BE0BC57614ACBA6CF4F9E6316FF47,SHA256=E5F357F5A890913F2D17E1292D8B61A5E4CDE9A14FE8AF443E24F431A2C93B1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04369_.WMFMD5=6F19C844D26845FDD6DBC81163CF0330,SHA256=ECBD0D848F74FE28FAAE41B442A27F83F69FE0F5AF4CB941EFE6A06BF03D0150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04355_.WMFMD5=D05533EA48BE853BF7A977953588F10B,SHA256=5F96ECFD4B31855BEF7CFBC496300F8A86EBA4AA65FCC4EA7E20DBBB24058B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04332_.WMFMD5=66B7EFA3F048B255A6873F0CEC560A4D,SHA256=65B017076AC0C3638A3DF5F39C54261EDF5C4ED08200BA1CD7570E0F9ED922EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04326_.WMFMD5=27680B89A776CE06E6FD08935739C9CB,SHA256=C46268500623904F8CCF1984319E1328C355870CA6A110FD0539E3DFE2B45B2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04323_.WMFMD5=A211A2DF3778A9560D3C5DAEBDBB5202,SHA256=A178363267084CCC361E83909FB3FA36907B4A8C79D34B1E26F8F5C4D0F294E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.231{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04269_.WMFMD5=3AD4CA38A9950EFDB9BF02E37F77E6D3,SHA256=40ACCA01879B04D09E7231A7A41B20DB713CAD7AF9AE8772D3A024DD19D73EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.230{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04267_.WMFMD5=FF994A6CBE31EB773DEC9F88755AA64C,SHA256=7C4EF7D46FC8D740C9498C8AD9CCE11AF493D004EDBD2953FD71657D1C2BE0DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.229{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04235_.WMFMD5=003761EA7F781196A115D9F7AE99FA78,SHA256=13FFF405082974836009BAE068FD36BAACE292984F1C11E35914293909EE8B28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04225_.WMFMD5=4A9DB6E257D793C130C892BDAD13BA1F,SHA256=F4FAEFDDEF0D28C6FF19D5797F2F5CEECC48FDC85C00BC371A6922E6A19FE3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04206_.WMFMD5=4DD23D28C59FD710B56F55C0E25EA32B,SHA256=4F08E9CC8AFB0AB00EEEC2844CA06626C33DEA102938C0AD27754AF80034CF7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04196_.WMFMD5=E557EFB85A6210068F2F3DA0A0C16E6D,SHA256=A446D11805F8C54FA4D74A7EBDA770EE245D1243906F00562E3E90DB000B2F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04195_.WMFMD5=65F0E577179155795A20189A36BC32BB,SHA256=49F0EF178BAA1986F148C6C784D76027FD80107596E0FBC9676170E84844FA25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.225{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04191_.WMFMD5=8C3E32E36A35C8CFEF5CF83DB54DF524,SHA256=FBB1574A09AEFBED52C7FC256B57358F87557FF1A00DDE0CB91ED2A142828283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.224{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04174_.WMFMD5=DC49FBDA2E53723FD4132501AAEF81DC,SHA256=397D03E185959CB2EF569C92C1BA23EE196BDFD78A2F44B39C025F7FD64FA4EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.223{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04134_.WMFMD5=3FBB5D8B8F789F1E4E346AC3E78A97C2,SHA256=FEB29299AA9A45A7019FE9CFBA7A12EC7C68FB4952B44A0F09A18866EB42E94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.222{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04117_.WMFMD5=189D5A65D8432F5DC0559FBE98BA3144,SHA256=63B73E22DD901686AB51898B035DF8944FDE9F71107BF1A2EB3B99EC21A7DE5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN04108_.WMFMD5=212F30692752A282EDB0E219F86AACD3,SHA256=E9E562C117C4CEF9900DEBA5274308EFD43BBAABFEF1D2AB872703342B623E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN03500_.WMFMD5=2451AECF982BE7D155B79A774E78835D,SHA256=60B4E1A5BD21F79EF3FBE87C83EAFFED1FC0BDA72DC79FA0E03E0D115DD00227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN02724_.WMFMD5=EBA8D1703E9ADF90DFDC385B65ED7056,SHA256=2BF7C1FD54812BE96A3493E0E880CCAC4192B8BE37B596C6AA162C5B3219AAB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN02559_.WMFMD5=E31223DB3961D3F64AD4A5FCD11E2819,SHA256=3AFBDA7D689160B6A4B58B52E4AD11F748D715AEC92EFF367CC76ACC3C6F76B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.217{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN02122_.WMFMD5=15FE603146B75D55C2D1DDFEAB0261BE,SHA256=F877CDE05B20B4BEB2F32C80D6682D79846F7D249A86320C136EBB8E5B9D378E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.217{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01545_.WMFMD5=BCCC5E5A95F5EF9774D78F93D16341DF,SHA256=0BF2067A3ADE65F1A74113E1CD22A634F2DEDFB1D142CC00A9B9FF8D45E34840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01251_.WMFMD5=A532A091F445BE07F341A5BB9B77787C,SHA256=E9640ACF70804D649CC6D238FA20601559A86388B357AA11352F7EAC6AB96674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.215{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01218_.WMFMD5=ADFC633897D788B8871C62251FAE2B78,SHA256=2D40BEF086F75DC4D96A6A1E2A3E8448E4C651B5F3425EC9905602295530D0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.214{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01216_.WMFMD5=F3F56A700BFFE32B64EE86B2AB0194FB,SHA256=A7EC6BF3296EDC8BE0AD78D30657F8E8357EE1E96299B4641D6BE590ADFD921A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.213{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01184_.WMFMD5=D6FECD845218B2F50DB187531D704CA7,SHA256=2AB3DCB8EE83DA9DB0F9D641E2D6FD8C15970568E115301ACA7E5D3D290FD8A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01174_.WMFMD5=EAE196AC607E13323A692FA53FFE8D31,SHA256=DB16A89C5C9EDE114318168226A73F423EC4B0B22D3D3D26DBB5531BBA731DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.211{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01173_.WMFMD5=3FA8AA4E9C980D130DEB070F6C5338FD,SHA256=036F9267C03E7DA59A9133BD7D7CFE7430859C08EC10539BDA29367E77A74451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01084_.WMFMD5=D9673281DDDE2451C4DB7F9BD47DA1C4,SHA256=0FA21A4FFE30FBE168D7613CA6FA152C2F13A4F26722DF5E10FEE89CC7ACC403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01060_.WMFMD5=E58E157DF04B859ABA46E894314928CD,SHA256=4B24CD74E4CBB70E68F859F7EC6D22EC2D958B59586959B5FD4884854444BB59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01044_.WMFMD5=44DFE7FD680BEEC582AA4EB3C5F07CA3,SHA256=BD09FDA27AF8D3646C4984A05938A7FE007CB126828B55C9D87EE5E20981107B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN01039_.WMFMD5=BAE60BE5E3A3D5DDFF03239DE4F18972,SHA256=0EF243D0CF9155B966529EDA38B094409F23CB1A7FAA1A4D043B383D9A127DAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00965_.WMFMD5=6AC7105BAFB4846C1917CFAB48CE6F4E,SHA256=8DCA4872ACBC99504029AF46029C6E96553FDED3BC6188890DE0B5BD3F3711AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.203{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00932_.WMFMD5=8BDC5B20C6EB532A7D97086EDBD4724C,SHA256=92F385C3489EBD31F1AEAE331917EFA3303DDCD6FC11E95962FBB182EFB4AD6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00914_.WMFMD5=5B21139AD2BD6442864EE68CDEBF8EF0,SHA256=8B774EC8EDE769C1343BF61811B3E9B0AFBFFBFDFC985E412F41ADB73BEDE0B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00853_.WMFMD5=7891EA2F728FE0CC8A05B790B9C1BF0C,SHA256=4A8D6FD286E7BA09CFAF3E699FE4CE6BDD68060D599CEA3B1E9828DF87932579,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.199{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00790_.WMFMD5=F5F4AEB43E2CA141A4F91B87CF6503D4,SHA256=792FFB9746ED028B2891379DFB3B52A3E8A1DA3A4C7F7552F28BAB6A934DC94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.199{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00015_.WMFMD5=95091CAE6A5547B7158DFC6909E39EE5,SHA256=52BAE2DBBDACBE3C1CD94CA784EA5709052A10C9E99482B39FAD93F4FD32C340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.198{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AN00010_.WMFMD5=AF0F64C1F166F245CCCBA735926341AC,SHA256=24AF793E442261819CE9724B856DFF7BCE374664E028130C1526E0E503313E86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.197{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00176_.GIFMD5=7D052F06BB26118664E16A362A625722,SHA256=CF9892B9B3D8DDAC876336D116BEAB91195893937C8BFA8B8220B96A9795DB84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00175_.GIFMD5=76E0739514D553B628AB13D5367D5874,SHA256=8A3A12020B0D2CC27A3739B8F3DB49E6BDDEC83B790BFF4D3C51E0C809655958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00174_.GIFMD5=21BE4A52703F35D937BF67FA78475842,SHA256=146CE423B63DBCBC6B5E2F9FCE9F2F533ADF27863FEDB894681206EB8713042B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.194{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00172_.GIFMD5=48C307A9A96FDFA4CB4DCFF50106CF51,SHA256=77DA42EA9EC0D273E5FE71917827E7F935420511E52515E80371ADD27C63EEA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.194{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00171_.GIFMD5=EBDBD008AF8BA734D7A6CB0F328F9ACB,SHA256=FAD820C3B4349F796E01EC7DBCC4DF55DE8ED08EC812FF7B6402128778DA29FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.193{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00170_.GIFMD5=1371364A88FB7B9EA97ECD3B04B5E262,SHA256=E7B377F2DF34A68B1C325AC9BCED27530888DD01A56AF07D74F9C7E7C6B0CD80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.192{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00169_.GIFMD5=716C63A5C976CC363C57975C40FD6D1E,SHA256=88CEFD711AD9F8964B3B179A4D8A37DB05DC8F34198164D2DA77731D63A6C5EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.191{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00167_.GIFMD5=120AAA23468A53D54E6F93E62D554E24,SHA256=E4EED8934D99F9B1BCD186F685A449F7E35B4A9A1B38331D1C291B4458404D0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00165_.GIFMD5=A01E67ED18B64D9F53821BA2EED46555,SHA256=848D7E8FFA1F485C83868E2B53E02D6E307A606855335CCE61554A3CC839D4C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00164_.GIFMD5=7D60FB8CCA993EA1C9ADC0DE1F026E41,SHA256=C26D0558CFAE6CC1B9B8DFCEB30EA5142398E2B04ADAF26254A6CEB691383F1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00163_.GIFMD5=383213EF7F2BA06EB0B2D60F3B6CF5A5,SHA256=2C7CF6D155E71D38F67005060842F7A85887EF08F9C1495966F2C178B799BB55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00161_.GIFMD5=5320A6DE1F6D810BAA21E5D56E9B8982,SHA256=6B67722066F37EDF0D34A50780E67FD9193C5E36473FDDEC389D52686D28700F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00160_.GIFMD5=7B0CE00455F9CCCDF41A3F1BA4A9F041,SHA256=8F02D33621BE22D85D8F821332320C97C2208C75E5FD10E368012DF39AAFE35D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00158_.GIFMD5=F8BA91E5E84E27173DCF9279C7C3DE31,SHA256=546B880CE92961730F17BCB9B3B2BB49F967C0EB02F4A4000A79E9344A5132CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.184{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00157_.GIFMD5=77AB2AA03E7A3FCC677D136A4F8875DE,SHA256=0E6325AE25D3BE6D879B124C79C2C144A8FA307F8974BABAC0ACB86BE9E3705B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.183{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00154_.GIFMD5=9A6292262446E4007A45BDE905F8009E,SHA256=B86A785BDDD9F7C5D6C53B99AAD9901C454717B6BB20610142EE4AE92B18E06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.182{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00142_.GIFMD5=CCECF61D62CD20DFB8A2E26DB5C7F398,SHA256=540A1AC8D3E504CA28178BF19B8699A920ADAC2085F9CAEFA84D23571EEE0E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00139_.GIFMD5=99374BC68A6BBF1D09624F8C0FE91DF1,SHA256=06DD631B0A58BDFD6F9C491F678C3CFD9436696A1D7546FD4FDEDF2EB1933FB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00135_.GIFMD5=512B6A518E75023A2953BD27222DCA8A,SHA256=71FA443D5FD64C8B895DCB2F8F933C50666C90C15D2B657B5768A78BAE318241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00130_.GIFMD5=F0727B2993E6F01C925FBFA1129B3ACB,SHA256=4554A6361762D4B088447647BC6F72C8AF9EAEA09A7490E38E9D1146FFFCD52F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00129_.GIFMD5=8776C625245F499B1DD7D648533F1AAF,SHA256=D3C4F00C94DA1FF904C9A9B23972A0F4A3278681E1204C5B3AE71359EC10DCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.176{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00126_.GIFMD5=3AFA4234271C5B0453696482B58FD705,SHA256=D019D526657F76B1EB9CF6528542FDFF0DC8011DF7D6C7DC4F26E1B2ED967936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.175{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00120_.GIFMD5=E33F577836AD852F39701E4B268F6525,SHA256=5E259EF814481CFBCDBA142757CDFCDF29AFF63B85B61352AA3CDB684718792F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00103_.GIFMD5=297C1130703A8ED6258CFEF48C85B871,SHA256=E6A99CF1960027949878699899EB40294C271912DFC1495296C2EAE3387913C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.173{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00092_.GIFMD5=7DEC2F74B6617095F85C4697838D61A9,SHA256=29AE1B71C3ADBE86C249D739427A4B2C3193725318A751D61E3B463DD2B07A2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.173{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00090_.GIFMD5=8D203038CDA89C643899682DCA92FEF7,SHA256=4901FAB9DFC0FDC81596ED32E48261A62D8848485EEA875136313F03D9C9B1C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00057_.GIFMD5=0795D9C007F6DC5476B6C1EC1489D106,SHA256=D827FFC39F261D77A02FA6396EA43D6EE25AEC845B22D7AC0B31CD6B4E049B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00052_.GIFMD5=7403CA6B13E85EB7359B210B51E8FC60,SHA256=B044E68F5CFB4A2F992016FE52FF1C1AC9680BBDD56C349732BCF2BF4301959A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00040_.GIFMD5=31200427076448F7F4EA84104F080666,SHA256=4FA5DF99252D18B0E8ABC117011F744C6CA670D1DA9A851270C069C969AC2E5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00038_.GIFMD5=FCCFA7C3B2EFC41F9680E4FD29C2909B,SHA256=C22A9EBD50F2C1A600756682CC954366E521144718E5A2797371CF56D56E2A92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00037_.GIFMD5=E9A590CCB3528DAD031EC3AAEAC1EEFC,SHA256=164AC19AE06A3C3298D2A586DD8087F2F1C3A217EFC9FAB97420972B1B092482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.168{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00021_.GIFMD5=D6D8F4BB7426F5F992839A9FA88ADB49,SHA256=162AA4742B3E58A8E79CD7FD4C620E2A3990D796E324F2D7EC06CFD289DF9472,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.167{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00011_.GIFMD5=41F0F352FE278A3FAA618C1807D64449,SHA256=82245565B0CA21F1EE67393CF28C7CF500B2CE361F5D323FD3414CEABB412B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.166{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\AG00004_.GIFMD5=F402907DA253FE2A3CB22C0F9C638C3C,SHA256=715CE13ACDC157995CC5B4E3D5B5379684C009EFF7942FD6C5FC2BF918A208A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000323496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140_1.dllMD5=7667B0883DE4667EC87C3B75BED84D84,SHA256=04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69truefalse - insufficient disk space 23542300x8000000000000000323495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140.dllMD5=11D9AC94E8CB17BD23DEA89F8E757F18,SHA256=E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302truefalse - insufficient disk space 23542300x8000000000000000323494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vccorlib140.dllMD5=7EF7EAB654DF53E087AC4703C9EA0B16,SHA256=13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8,IMPHASH=D5EC94CA50152CC1E7188B825074FEF2truefalse - insufficient disk space 23542300x8000000000000000323493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.148{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\ucrtbase.dllMD5=9CD0AFF3E05FCA90BF9A227C94669DF6,SHA256=FBED69A52FDCF571DD37FE4CC63CB86ED3732B5B998807F14968788027C00754,IMPHASH=1D85FB9CE80726BDA08CAF2946EF5F93truefalse - insufficient disk space 23542300x8000000000000000323492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.131{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcr120.dllMD5=49FB6E786B2F9DF8812E0E317CED55CB,SHA256=9461F2E4ADD5C650102ACDE0C62377FF86D9B19FC20D0003F326CCD474E8B7B9,IMPHASH=8F18E22935EF8B336E246EE763FBEC97truefalse - insufficient disk space 23542300x8000000000000000323491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.117{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp140.dllMD5=CB75D6437418AFE1A7B52ACF75730FF1,SHA256=7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1truefalse - insufficient disk space 23542300x8000000000000000323490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.107{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp120.dllMD5=8C8D1140787DA60A343DD11C1CDF4992,SHA256=6AA1ECE9DD340D05AEC43248592A78B70D21959DE8727F506D21A3A962348583,IMPHASH=D0A59246EAB41D54812CD63C2326E1F1truefalse - insufficient disk space 23542300x8000000000000000323489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\mfc140u.dllMD5=587C85228848E52AAFB3863FF1A6F2B8,SHA256=BFE1547439BEBFBB7A46F292BDEDD8213315E98D778D969225D2EBE2D93FE297,IMPHASH=B4F070F0028C97D4B44509B262314B3Dtruefalse - insufficient disk space 23542300x8000000000000000323488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\concrt140.dllMD5=D1BA293F1D7BD7B38DB8953821D42E9B,SHA256=B3FDB569B567C2B82369C1DBBAC1B6C5BBD74B5E03D2357491985BE064DFEFF7,IMPHASH=5F9B23BD4B0029001F687A1AD625BE31truefalse - insufficient disk space 23542300x8000000000000000323487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVLP.exeMD5=3DB20DCD87214B8A6C8A6477C8317E9E,SHA256=29706E31AF945456F1F5D2D094A58A6DB7044646A9445B91D3B0ED3D504B7377,IMPHASH=5DA94827FCDF1267AE3D3F4C73E8C3C9truefalse - insufficient disk space 23542300x8000000000000000323486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.023{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate64.exeMD5=E68BC971513EA3C96EE34EA999357E38,SHA256=7347ADF3A8D8654984D576F5298C660A84E17E6DAFB7B65244489605A0DE0EB0,IMPHASH=47C13E25A3BCADE5032540F2D252C42Atruefalse - insufficient disk space 23542300x8000000000000000323485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate32.exeMD5=09F69FEDB2A0FC7640E58482A1D2E376,SHA256=0901808E159E5451C16DADF667F3654FF20C17FF04F37D9CE034E3B66E05CB73,IMPHASH=D290CDC92CA35FCA53F479585BA5C057truefalse - insufficient disk space 23542300x8000000000000000323484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate.exeMD5=E68BC971513EA3C96EE34EA999357E38,SHA256=7347ADF3A8D8654984D576F5298C660A84E17E6DAFB7B65244489605A0DE0EB0,IMPHASH=47C13E25A3BCADE5032540F2D252C42Atruefalse - insufficient disk space 23542300x8000000000000000323483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-utility-l1-1-0.dllMD5=F440DC5623419E013D07DD1FCD197156,SHA256=BBA068F29609630E8C6547F1E9219E11077426C4F1E4A93B712BFBA11A149358,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-time-l1-1-0.dllMD5=05AF3F787A38ED1974FF3BDA3D752E69,SHA256=F4163CBC464A82FCE47442447351265A287561C8D64ECC2F2F97F5E73BCB4347,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-string-l1-1-0.dllMD5=3A96F417129D6E26232DC64E8FEE89A0,SHA256=01E3C0AA24CE9F8D62753702DF5D7A827C390AF5E2B76D1F1A5B96C777FD1A4E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-stdio-l1-1-0.dllMD5=53E23E326C11191A57DDF7ADA5AA3C17,SHA256=293C76A26FBC0C86DCF5906DD9D9DDC77A5609EA8C191E88BDC907C03B80A3A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.004{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-runtime-l1-1-0.dllMD5=C25321FE3A7244736383842A7C2C199F,SHA256=BF55134F17B93D8AC4D8159A952BEE17CB0C925F5256AA7F747C13E5F2D00661,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-process-l1-1-0.dllMD5=E18FD20E089CB2C2C58556575828BE36,SHA256=B06B2D8C944BFF73BD5A4AAD1CAD6A4D724633E7BD6C6B9E236E35A99B1D35F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:08.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-private-l1-1-0.dllMD5=B4BE272187CB85E719DFB5BF48BB9B1B,SHA256=CCAF41E616B9A872D35C8083CBF8FDC14371FA3EF159FE699514643C26A4EBF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000323476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.999{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-multibyte-l1-1-0.dllMD5=FF4DE9CE85C4B01312DF6E3CDD81B0FF,SHA256=D7E676B9F1E162957D0549AB0B91E2CD754643490B0654BF9A86AA1E77CB3C37,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000447892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:09.103{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C145FEF497F51D007585AD0863A5238D,SHA256=896FD0AEBBA250EFD6539C70C374469E168FF78894D67267CB24B9BE94B9A2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.996{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02124_.WMFMD5=5174954DCD3D2A943AF1EB83AB6CF5B2,SHA256=3BE173E0091FB0C0E2B9E04337B61C408067B8F03BA6CBF9B763FCE8B581418F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02093_.WMFMD5=3002F076FCC81ED35EBB82EAD4318874,SHA256=4DF7AD06CAEA0DE68AC0BB4D535246BF46A1060ABC028E104EA8AF1A3B0E0A52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02092_.WMFMD5=AC4DDD169E48F0C9C7FB6CD58BA5490B,SHA256=2A8A149FA963E002C26EA165A586F0FE8878F5FDEF75C21409491A88A9AC0E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02091_.WMFMD5=1EF1877FB3045DF15C3B32509B5AF0B0,SHA256=B4B8ED8562777EF7304D79401FD8B79962ACFD54D496107B7AC13A94ADB6F9A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02066_.WMFMD5=FFF92AE99EAF2A3F2F2D9930C02C7B5B,SHA256=40C65F04F05A8D7C2FFC53A718408C7024639955E92A4A0EE48B4E7603765467,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02041_.WMFMD5=EFE07D847ECF48E2C370CD80E025EDFE,SHA256=B850F885DEAA00166DCDAB0C1DB81D030D42BDF802E69C89BF29AAB406F7F4AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02009_.WMFMD5=486550FADA29C6687BF4283419919100,SHA256=29B0557FC3988DC9835B8F26990F7B8BEE6FA3BD474F5BD43092E3AAE01A7BEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01866_.WMFMD5=47F3F145E9A5E1DBE7B98B44947CB26F,SHA256=6F78E8E97EE0664DF97AF96E3696DA347DBDBBDEA0A4E7B67E8566B70C6723B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01858_.WMFMD5=9ADA330FD3B096498237F6217D7359A7,SHA256=FFF9F01F00DB843A1AABBFEE387650EF56ADB35FE62BD1D4D39B8B32FA6CC7E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01852_.WMFMD5=4DFAD247585B61F9C2D345816AA7783E,SHA256=2280A5EFD6FF548F2E7E984FEDCA5333A4C609048BAD983F0DB6E3B8410758DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01849_.WMFMD5=16471E0A377CE5ECC53EB125D66EE730,SHA256=5DE5A4DB34AC3F12A6FE620F9CD5A780D848DECAE53B372A9AFE71B305B312E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01848_.WMFMD5=496ABA38ACB5F13FDA9ABB7F7A9DBCC8,SHA256=9315623B90577DA581E8E2B57F0CAA81077F7392AE24B8BF38FFA4D307D0A88D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.981{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01701_.WMFMD5=69DA463C289EE2D9CB042A954646BB99,SHA256=0CE5F7CB1E9D6AFA6B6C427232248E8D6E9EFFFC46C9DDFDC41DDAED2D2FCAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.980{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01682_.WMFMD5=89B35D5A5AC16AADA7B8F5B852468CDB,SHA256=B106BCB0E5694FD4668640A8F5212F8386C14E06D5B539B4F5D0F84B1A755B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.979{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01680_.WMFMD5=1CED621F1F9CC0B27205F35322C3C16D,SHA256=A7D04C1CED7DEE5F984CCF95B8B56A6A80745C2C114BCD808C145B4F9075DDDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01627_.WMFMD5=B1EDD1034020103BC6D1170E398B7406,SHA256=8D4B998D69EE04536B03BD7B7801980F7288339D580497DC817BA7EEBC57C3C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01474_.WMFMD5=901908B8E3B3E98435FD6CA79CBA61A0,SHA256=9FD061353E2BF70CBB1EC05B42CB4DD79CBC8A54484903757AB7F237303290B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.976{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01473_.WMFMD5=81B85024B88A8F02603A466BEC0B47D2,SHA256=634240E7D98BC0CEE21E55DE5A313A97FF6C24E2E99BB95364A61FED0BE6A6B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.975{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01472_.WMFMD5=9BB952354F5E0266D87A3C6DE874DBCA,SHA256=8290E4C69C6CC1671E3F18B6EA6626F21FD8EA70371B7D21C34326C553AD690B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.974{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01470_.WMFMD5=86B0EB79CD2EBE5CC3F0E41425BEE063,SHA256=7F30B29779CE3613934796D6A955AF3FCD5D13A239C3D00B75F91A197ED710E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.972{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01468_.WMFMD5=E83EEE8C6809F1965C2B79B39F243866,SHA256=BA0C74F2C229225A2622E2304D523561BB37D8CCCB97576EAB5CB975CE6E6AF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.971{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01421_.WMFMD5=38D94C657E346DC182CFBE95981797B3,SHA256=3B659D5B20F628C1DB6F95BC743816AAB7D6FAA58B5B5C9C2142AA70A4E0DE0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01368_.WMFMD5=66297D42AF1C27406662BE29E60243C6,SHA256=3BD0463B6D74E305A2F9C128CB5375BF20A75132E434AF8EC9F4100651B6F131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01361_.WMFMD5=7A64D2BBA9FEB4A7FF57F509ACDE5DEE,SHA256=D0F12E5B2B136A3DDA3948B0F26D0E78F6950421312D0E979A0A591617BDE74E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01358_.WMFMD5=8386C34BD0F580593BE6B1223858D61F,SHA256=3D4234F86F41A90870F1AFAE178B765BF9A42C5DB650C83EDAAABE28550BD3AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.959{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01357_.WMFMD5=D80378B97144D54C6D413BC5E1CD8BB3,SHA256=3D947BC7B7D7DA2A39A272CFCE6D9B9C2D735B57DB3F56F5BC8A761B2D23086F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.957{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01356_.WMFMD5=05CD5D133C376FF70EF4C25626F96B9F,SHA256=E7A835F29402CE494C7944AD45C66898C239EBCFDB74CEF87E5BD74E7D2229E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.955{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01354_.WMFMD5=20B0FE151E611224F6C9B81D8FD9D3C0,SHA256=C8A992FB302347BF658EA5FAB99E2F6705763B7F72A495C54994898C5308A8CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.955{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01293_.WMFMD5=8D084EF1E7526097B727C972ED5D02C0,SHA256=BCAED3233028713BA2D74C3272FACC94DC389270E10B3012051E1A22FAC71439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01164_.WMFMD5=9212B55711A7C28FDD8C637A626B1038,SHA256=6BC1F39BB44469974343FE32CF27EE35650251F320A42B8F027F53C213956E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.952{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01161_.WMFMD5=0BCE966FAB406ABE7909422E4B9189A1,SHA256=C1B7C3C7EC7EA72B89C7E12690260BF52C0919125DE23856766DCC1115CF0C50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01158_.WMFMD5=C7E67B65C1BDE8049DD3F94AC2E89505,SHA256=DFF719FDD8CBEC97050E71E92F70CDA6763B2DDA821BEBB6AFE0CCC191DBD06D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.950{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01157_.WMFMD5=606D2D482BF3C0CC40337E1BFD8C50CB,SHA256=850DF1A28EA24DEC4670C2E49C2330A5CBD8D4F4D8E8C668EDA423F267830AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.949{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01154_.WMFMD5=ED3C2CF8391F534D28D4791261431486,SHA256=E5652CB469783B9034C6C2BA1CF8FF02B20AD8D59CAB93C074780BF792868F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.948{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01152_.WMFMD5=B7B2DA8C303FCBC5AA682442A4FF316E,SHA256=D418BC180096751D0F9A22CA8E05E89AE6184F18A63A09FD2E30114F89DE6FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.947{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01149_.WMFMD5=5E1DE7FC22C6656ADDF5F5B79CD0685D,SHA256=F2E608FBC14293914F185406F0D466DF3456C533EFA6AA49E79A48D5FCC4A020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.945{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01148_.WMFMD5=606BD89CFCF656D04F5A358D1EE7202C,SHA256=D9E074FCD0401D7CDD1BA1D01975AF99E6043C562BE730127B933F5E8B9480E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01141_.WMFMD5=28145F80DFA6FA8DFF6A68FB2EB052A3,SHA256=A4485C93F86129CB8D9AF9F7E8A7F55F314C340072794DE4840D986B714F67FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01130_.WMFMD5=097F9ACD1635A2EFE38837B1EEA9A3A3,SHA256=EDC204080E2591284061834E242C2A8505CD76B88F481AA10E826D9ED4A6760A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.942{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01126_.WMFMD5=19E93D86A957F79A6D76632550F85EAD,SHA256=E6F61AE259B189495DD30F297524D07CD40B34D56A717AC4001AE1C7A918E88A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01123_.WMFMD5=AFB9B411695533FF744AB52FBFF73CEA,SHA256=08B4DF8815359DCB75E451478A26DB2FCF414085E3C8219357D6CB122A91714E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.940{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01069_.WMFMD5=136EE03A297E5D58C656C649D0E891D0,SHA256=DF1BB6B7EA322550A85A5A94F34526AC1CD08D5EF40D4034459E3AD64190D74E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01066_.WMFMD5=49FC784BE2EAA453C9E3B4F5085824CE,SHA256=392048903E7009C6158CF8E39532991A95EFB6BD7B47343B26599CB92550D834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA01064_.WMFMD5=CB8D3198E84B0A6C71F8F28D2C60BD83,SHA256=BC659FAC9ACDA1DEC4BD06E6044EA57C6613C2B79D8386C92312488ECF9B7D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00932_.WMFMD5=907E2DE17829BB2D20E35B9E4BF2A143,SHA256=C92E1700FD2D148DA2CD89526B40E0731E8CD70666CAEABEDB56589A612337EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.934{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00810_.WMFMD5=AA4DCA0AA03E706A36063ABF9D839BF6,SHA256=D49B5C82C0F89467B186862FFA4BDFD815344C7883462E2FB034D8CA4FCBC610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.933{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00809_.WMFMD5=90DEE1F39B7373A88AEBF02E7A73BBCA,SHA256=E602C44EEB6D3D371C21ED5B0046723578EDE1D714E45992A6B8330AF89311ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00808_.WMFMD5=6D0E4BA1FE82F8F4F1BE7378F886DD0A,SHA256=42B43FBB44F77053DB90DE862C015D948CF510823AC2BC299A18EE8A85BD9D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00807_.WMFMD5=2C834BA0646B2E6DB95B2A44E3639FA0,SHA256=0A40D47B6E29911D70B4B0D6CA2A54481A825E6DD8CF78B4C94449C893AC525E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.929{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00806_.WMFMD5=8633AF5C09B1CCFF10FF5289B9FC8137,SHA256=5A8529FC36AFBA1BA742008DE21847D746CC074998EA571E73B9C36042E122D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.929{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73EB8C86F22CA49B45575FF069502E7,SHA256=C405199DF130330CE5C0E0D371EA337A990C827518FCB09EA67FEC189FFE39BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00798_.WMFMD5=163B1277B7E304FAEAE8470C6D09ED4C,SHA256=0FCB9453D8ABBB0733D2C412E68C02F973A7BF2BE9CF51A8FAD6BD3FD512F7E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.926{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00784_.WMFMD5=EB5FDEE7C07A2619113A3F3406F08913,SHA256=21CA16CBC1B33ED1600258BF04C739EB1E5DF2982898B58FAD9B5D1C19912A2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00641_.WMFMD5=B70C6E46C999BA6143A8353D5173585C,SHA256=2D034265C682757A18FA3B5A5D7319E42A65ED6125DB9CA65ED1EACE266A3E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00538_.WMFMD5=911129B057F8E32629495EFB356829B3,SHA256=B39759A0AD64C8770978051128E34D4D66CBC22940B5B8AB8197E98F5E05E05F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.918{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00532_.WMFMD5=76F59C84A6B3E49A20D4FB7752E65B25,SHA256=417E868B07804CB1B7D5512012C8C2E448F7B3A71F393203F46298DE726E74CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.916{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00530_.WMFMD5=0291E6ED1E087CF13E65B435D7749404,SHA256=977EBCAD4A85C038346E40F0C307E1E4B231B279932F762B04B1C5FB45EA90C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.893{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00525_.WMFMD5=ADAD5435BC2BE7019BA50D3B19F10DBC,SHA256=0FC99DBF325952541448492BF01E814601EBF3F88F85AC91A4E9E454FD944202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.892{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00523_.WMFMD5=918998308168D0A57E84978B7CB0769D,SHA256=24995EEE625E6396C664390A371CE3FF1459FE35EC26A6224E2A733A994E3CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00512_.WMFMD5=CEF3DEAF952004D462C9ADB2330D0F1A,SHA256=BC7EA6BEBCC1997EEC55A8EC6D090AB376AC6CF9130B86ED08B4A1F272B9CE1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.890{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00494_.WMFMD5=83357041B362F7546A1993A65705D749,SHA256=993288CA5205A8CEFA09C29BA53A1DB264FBB3F28F63FF488B852664550F0C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00487_.WMFMD5=4B5BF46278C6FC586AFB6AF8833E3C0C,SHA256=DCBA319E9228668381D29C4EE023B090034257B1E96004902CDB19EC5271C0D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00462_.WMFMD5=525F3CAB08977250A5583F5ECB28A728,SHA256=C15CDAC03CF67E96B81AF79CD11397A8CEDD50CDB5329540849BE80765CE14B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.887{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00458_.WMFMD5=F8673C29C99ADBB88BEDD86BBAB149AA,SHA256=A3755878F7E959497A7236F3DF049E5F471602B9AB0E4EF1D1D4FF3E985EABE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.886{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00454_.WMFMD5=4C42F0BAC4E0DAA4153964E53FA11554,SHA256=A1E823A8BAEC2188D317AF2D0328CAB4D4D915E73205DAF0797274879B7B894D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.885{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00452_.WMFMD5=9456E62F7C75B8DAFE66D71D15E65FB3,SHA256=758F37BE264C5A9CDA87BAE13B12277ED9283EAB900184D3D2A8C3F2E339F352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00438_.WMFMD5=32C686D67516962280D3F7C34ACEF039,SHA256=7AD1E77E5685BF2A2E99D0D7A16A8A1D48740376F5FA65C0B3035A58EB7B2C8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.881{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00433_.WMFMD5=C13EF177361F65F45F32FB92CE0AEDEA,SHA256=1F77463EB76301F0FBBC0A9E065AFA89CFFED44B49D13A5C6C2D9E9F7BB5AFF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00417_.WMFMD5=CD0D6E66ACA7458AFE9E62388014A6B5,SHA256=7B5ADD20F48480B45C8B8DF96E58C4CB9AFB7421E5B1EE7C6660B28E66F3A35B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.879{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00396_.WMFMD5=D186D7BE56850E235A7DA0D430BE1A4B,SHA256=5973633C0865E46908D494C910B6DDA9D5F5AF9A7A0B2CA225930C6B0E429AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.878{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00395_.WMFMD5=A9D0A1B4073E06EE54B50BFC88569D03,SHA256=22CCFAFBD50D52A7B0E76919125D067F4CC785B7C8CFCEF394DF162FECA99844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.877{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00394_.WMFMD5=6951A11691097AAB4329C043457E41AD,SHA256=BF69D59E982993C8AB86B8F164DA7757A44BF53BE2160EB0C1234B9A166EE7FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00391_.WMFMD5=9042719F4818B7F0D4D1A4BD7010E8DA,SHA256=FDD3C4E8B157243EB2D2F24E5ED05D861502C1763B197DE299A010BBC9999B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.875{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00390_.WMFMD5=5EEC488D5C92FCC43C3F054100E0E572,SHA256=7D33B80291F9B32DF9086DEE8B52CDDA266B4EBA51B60FB4BD82BA17883CFAF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00389_.WMFMD5=ED0D4BE5019A0C2E7B5C77DC273B6BA3,SHA256=D0E7C0F4BDB2C8F992AB12F6501047F68B21C2E6A8DE6AF3C88F4721FFEF31AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00388_.WMFMD5=2054246E2747325DA8B066F4876DD512,SHA256=BD6694113F15BE8B9869A5B060B9A127B3453CE74EC2B8EED33CD210EAD2748F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00330_.WMFMD5=CFD6A4AE8DED61F6F343F89BB1DCE88C,SHA256=4BBC1AC972715AE041462688043B995A74B348622F2233BD5E6979C56EAAAC1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.871{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00238_.WMFMD5=B59220AD0B62AA9FABF010BEE13AEC5D,SHA256=08334D454647F88179FFFCC567531AFA26799C0FCC02A1ED06D3F1AF1BAC4B92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00068_.WMFMD5=4C46D755562C65CA150E3379FD4717BA,SHA256=1C379F4A08851A76FD3A6443C2ACB08427F9D9C280C6E19B6AB4C862AA13BC9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.867{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00058_.WMFMD5=BD74F39AEE032EB96C64DD8DE6D1846F,SHA256=62BD8AD92E951C86DBA5FD0903A9FDDB75989DEDC2A8646E42BE12EE9088F204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.866{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00057_.WMFMD5=814E1F23984309D6AF94B337D6F2536C,SHA256=A87D40C953A5768F745F84D8B8FCA4CF7D244CC63AB2E7B2FAC937568000848E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA00042_.WMFMD5=F6FD0689E9DF9CA741D99BCE4BB5EEFB,SHA256=27EB913FE778F103581A206A71D4DB68AC29588AEF9ECA13C2F729559ED0010C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.864{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\MUSIC_01.MIDMD5=91E8EBC788131390A8D57ABBB467EE6E,SHA256=30FF883F1410766DD48CBDDCE7F13CED6028C4BE6D898DAE16ED189281EA5DED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.863{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\MP00646_.WMFMD5=8BBA046C52CD32D5A83E95A7FCDEF158,SHA256=FE8CCC587040DCA75D6ED5B3BD5DC9AF80ED5911B05852933544BACA067D1369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.862{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\MP00132_.WMFMD5=05911DF93219B39F686E23C2F03A8919,SHA256=12CAF17560183AF3AACB13FFE5A0CB1E407F461034B30B438DF42B6D88543042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\MP00021_.WMFMD5=99D28525AA398FC8C75C90DFC2ABC903,SHA256=80111F06497905C69FF74F7872E25B842C5F5B63540B3E412C9E97E11FDB727E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\JNGLE_01.MIDMD5=25E7AA3C9E6BCEDD896741261CF04477,SHA256=A31D64F4778F85D07BF5C755BE5DF787FA204E81A6DE6AA075E1D32F3D5A3F3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.859{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\JAVA_01.MIDMD5=1972574D57B331DF75E3039F22754284,SHA256=29468592DE2C5A528DA8F12516070354CDC0F1CF130AEBDE570C91D1284265C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0400005.PNGMD5=806CF11F8C1CFAFBA6B8457CC2B4DAC9,SHA256=183954A1CDBB6B99818444383B0772DE397F38A7D7B52BAD2F8442964BED7DCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.855{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0400004.PNGMD5=DE33EC486165E12EC0BB58795EF3C4DD,SHA256=F3633A35A9FD4687CE9A245B6E883E7EAD2C8B8B9E3E2ED2D3D461561CBD008F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0400003.PNGMD5=C8FCF48C9DCB57B30C4B1ADCA9C05972,SHA256=E931D7168A56BE1A9946A8D77B9713A070A9F63077E385B14741EDF60B9F04F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.845{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0400002.PNGMD5=1D65C8AD3EA2F96491B849C4D47F953E,SHA256=DF55E5BB8E7EA734FF8962AC958033D81AD627E062BBEB67F3220AA80C158271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0400001.PNGMD5=6C52CEBD4D062A0BE128B0EF78B40D92,SHA256=8032018B3594E534729320FD2EFC7F057645FA0328EC4905166BAF073719BB90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.836{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0390072.JPGMD5=8F89B56E056B8915E8811083070E18D7,SHA256=63F9D6E419B6EC5DEA13BAE8A2AE7C7BB0B10D26FE2A936FFC04D54B3D6CF359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387895.JPGMD5=200DD8E95CABF409A803076FB6206F21,SHA256=651EA308C5ABF8818AFAA33A394AEECF37DAFA9B611CDCE51B620281E6F687E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387882.JPGMD5=BE266FDB13F2A83878D3CFEC997614A3,SHA256=EFAA9A89233F2002EFE5967BDA056E5BA1003417631794152B2FC45BB51E7587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.831{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387604.JPGMD5=FB71989A1151394569CCAFDF3C80B57C,SHA256=42B3CFD0B3B81159C3384F4A68D1CB0E8E9A163CB4EA975FC7B0E57F02FDBD3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387591.JPGMD5=A76B697A12F65688671F68F86D83D8C9,SHA256=45AAA3C23116CAC353BDA7EACE12961901C5D80A44A8C438E0D0916E0BA39B0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.827{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387578.JPGMD5=C38A568A00574704DF606C7426365AC5,SHA256=9CF882B0E852802096DF7998102C55909ECA7B9E64A0E5ED80E0300AF26FA6B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0387337.JPGMD5=3A653C7E43903865F99C13CFD861ACB6,SHA256=25FACF5EDFF6B5FDA0B35518B35D3AE39C2C0C77D8A0204750190C9F5B246377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.824{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0386764.JPGMD5=E119BF6336D66754487F04EE9B906C31,SHA256=81D12DD9585620B06DFFAFB79A4C07FDBCACAF8AA777031F981DC0AED5141588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.823{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0386485.JPGMD5=933B3516C05C8BEE9E9820FC999602EE,SHA256=F99B055277D6C1E84BE48C82CAA2301071F2B381F35DBF8019699DD0D6D7CE4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0386270.JPGMD5=DF7E3FDD2815F6685A6834621B1B45D2,SHA256=2B085034F9F2C33B63876BE1428506EB4BB57E5D6BA9AC35EF074F6C2F0D5CFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.821{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0386267.JPGMD5=32523CFF14011D7674F20C867C230102,SHA256=7F481D070E5090B9D3029CEA59AC678E40B659A03EBCC2E45020F97AC5D1D8E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.819{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0386120.JPGMD5=7582474A32337DD05F620B0E911E8051,SHA256=49DD7B86777470989003AE81BEE0C3D59E2DA900619527966425904F5821E396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.817{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0384900.JPGMD5=356C8E7B5A7F5BFB3F81A264D681D35D,SHA256=25A0508FB5E72C43D00801B51C234EEF56F069DEB8877E250876E35317490492,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.815{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0384895.JPGMD5=E6E94BF650A1DDB596997B8AE75276E8,SHA256=F004716C5D016711975B9DA6AF4AD6D461926DBCFF27F2AB9435FF8130C89252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0384888.JPGMD5=0B46932669029920484DDEB8E4A0D636,SHA256=D484D91C9E212CBBCB2E63B29EEFC63E5B5CE4981961DDC7B3F0377F44A688A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0384885.JPGMD5=D4A7EABF7250848B645C21EB098B54F0,SHA256=6013351F79D086D9183EAEE6B90C350C5299BC15C3035EF7558D14172086ED10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.807{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0384862.JPGMD5=BBB444F37AAA2D0AA12EAE975D49FA4C,SHA256=4FCC52C865E234BD1F228130C860F08D9D59BA950131C6D987E2E71ED83A7B27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.804{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382970.JPGMD5=7D8D1601B067A602EAD3CE59ADF05088,SHA256=9090FEA2DB9FB56B7061A5BD08826485826D236BB9B031599300D7DE1BC062B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.801{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382969.JPGMD5=ABDC1FE0D67DB6C9B3E18D7E9D186E21,SHA256=5E212F7DCB230EA7D70EC7B2D4F8893899B21C8FE07A13FC7992D75202B060AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.799{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382968.JPGMD5=4371A56534FE3C41BC1E5D7707CC4902,SHA256=ACE8635BE9BC5530A901F63214D3514E98E7931E0DD7E3B7908A721B97CAB5D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382967.JPGMD5=3F938DF310D5F7F716B938CCDD2B74F2,SHA256=15590F9B09D2FC64B62750ECEAC679292FF3FBC511267F0654CD81B2D80E2282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.792{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382966.JPGMD5=D86A15961F90F8F5537928D3E5FB3085,SHA256=65677F103B9A703E46F22F1C53CA0660896C3442CB6C2351D89ACFAEF61F6F11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.791{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD78D827EFF52AF86850D9EE9C0A3E33,SHA256=48FD262BB4E0DA7E5176996642C54D64B1C8EFD79D73302258BF02018F5AB905,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382965.JPGMD5=F27B3B545AFE1653D0A7011BD2A15858,SHA256=A6F8E5920CCA991959BB0A9C7D2E8905A44358839D1F51DFC882B8A1C4888584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.785{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382963.JPGMD5=64A224FFD755D441B72806D5407EB2B5,SHA256=C7DEFA1439DBDD2D630F59F1E448FCF34254AF7288BF4BFF6AF5A0E223077A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.781{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382962.JPGMD5=95660E7F223BEA4681EFBC549B45D66C,SHA256=23262988AD33E4ED7DE2AA6B2B9F19AE19B87C336D15B518E0708D98F1C143D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.778{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382961.JPGMD5=E2B7991A833F40850C78919303881BE5,SHA256=B29CF0623855EB8D6AA58F8957AE66557F13A5E1622AC6137412EBC819140935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382960.JPGMD5=9CDFAEC8572B3C482820C4B6C0080924,SHA256=8243013990A2E25DA0786E34940E5FE85FCB7B5B16084F46CB4E40BE58991B74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382959.JPGMD5=A9F2106F6C12FFF9BDDC174C4D9EEE10,SHA256=4AE232AF10BA37BD3B06090205C882FA93818ABF09FFA42F2558B5D93195995B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.769{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382958.JPGMD5=24CBC59B28D921CD13F99094E7FD85FA,SHA256=6F9EEDA0407F781CCF8442DF260D38172BF041E4B08A21625E0AD6860C782894,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382957.JPGMD5=79FAE4CAE267AFD37F554D0C43CDD2A8,SHA256=12A94C0CA341106DB8D6158093ADEF491E37D3BCA49EF3426E723528A14CBDB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382955.JPGMD5=393C5141F17F51289DD7CAEBABFAD740,SHA256=76C25BD9A65B0E8D091EB2F4DD242AD074D1F999BCA4A7DD0FA7FF60BAFCBF4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382954.JPGMD5=CFBB851720559CAED0D39935E4637B54,SHA256=7D0289774A7C2EB2F266BA5C51FFC42C8FD07D9DD7974E5EFADD1C3BEF8C3AED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.756{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382952.JPGMD5=3690E0CBBDA42A4066A97A2300137860,SHA256=F5366D61BD3E7EFBF7A8C6D474841999FDECE8580987C46087D6168B315EDC23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.753{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382950.JPGMD5=BCF0600A39C5582A37DB749320FDC353,SHA256=314B0B904421669177C779F94C60D6F25DC87297C863369EC12CE318C77E4067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382948.JPGMD5=42000B3D52D7016480F5D5D85C47632F,SHA256=CB6E7347EE755A0EE44B1716A2E13C37DD0DAD1B384A752272672FBEF6CF45B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.746{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382947.JPGMD5=36DD2CCB55426E9B8020CECC2C2DB974,SHA256=BD649A9AEF3A5BED3801E8413C573179731C85B3E4D3BE11CC5AAECAA988B287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.743{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382944.JPGMD5=C5DA624C70896CCE2D9EC8AA81AB957B,SHA256=5B565E998E10BBDF98DD7951DBB0F0FFC05A3D6D2B1C06C5FC534055239B1DEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.741{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382942.JPGMD5=593648DB0271300CB368034DB9CFC652,SHA256=D96B208AFE6D5E2FB9BC8B2E1973F6F4E7915372722E93E0DF962C8593B5AA78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382939.JPGMD5=6C0D30A9B6D1DE1C0A6578B6DE7E0340,SHA256=AFAC393F3FAD0E3E75BB4F9719D34A0E70418C2E36F3ED2A547C9D427EDA9B39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.734{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382938.JPGMD5=4533DBF060FC4F1EEA599CD55D135ECF,SHA256=FADBF6E852DAF01D2FE6725CF54B8C1196B8D72C9F183CBD41C42842DFEBE80B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.731{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382931.JPGMD5=6FF57B4DC979B84873D3080DB3D0DA2A,SHA256=88E93D5F2711016ED623630F84D94A590F8932BA8C1E05DF2B4D6C0955E048F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.728{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382930.JPGMD5=1AE3C69E7F83DD39E1F1B089B442AE91,SHA256=88558F43A6A3FB885724C6910BE7F267CD5EFEBDA7AAA02D54197C800C662189,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382927.JPGMD5=5CEAE6CC2DA82CE026A6A1CD72A3B5B0,SHA256=4BC478F0BA9924E774777145B9C035A83FBD30120BDB2FF298A5ADE3D1B666BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.721{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382926.JPGMD5=C83EF7F2B273F47FFB23771439062DF1,SHA256=5B4D2711FD0F547362B6F3B7A04D5ABFF997174398FF7294759741A9F8414F0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.718{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382925.JPGMD5=A60977990F0803B0BB4B1146DF2B732A,SHA256=ECF07D14BD4C5797D55915BD6154339FDEC524B4CBD4BC501DB7CCC95C92C5D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.714{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0382836.JPGMD5=6948967820DACFF4EC2B29113E3DFDE1,SHA256=A50888B8272DB2F9184A6A7FFE9FC4380C19296B0E1B024EF4E81FB8E6FF7328,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.712{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341742.JPGMD5=28DB5E4EBE1C0AA34D320A13B368F776,SHA256=534864F9BDE3836B12A2D672F5419C31AA10A9E7E74B806231B98178756420A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.711{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341738.JPGMD5=1E7E24B861EA51A5F1D6E26FDFC837E4,SHA256=066A9DC21CBA102C9E306A0AC006CD762DC70CF9C9A4EFA52E2C35184027A454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341654.JPGMD5=2DDC58A92343E7A05B88A1F49361E87E,SHA256=0BF653FCB79B8EC0B725A5DA14D6B18A6EB5A0EE6081F068EA458DF4795B2877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.708{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341653.JPGMD5=8760A3D18BB132E3A8B4B96318978E0E,SHA256=0C6535466CF613C4037496969983EEA82B8CF9BA9DA2150AA012D19A6613A707,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.707{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341645.JPGMD5=A5FB21C42675ABDB2C0F04B968C34834,SHA256=6947CA4C761991CA3ECE59C02AA57A7FB2CDA11F73CF18B3C80C2D525F205AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.706{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341636.JPGMD5=27F93E545F1B6B796B6A9A3CE330AF1A,SHA256=EAE592A30A7ADE3464EC9E77646E1BCD4CB5969F7ABFCCEE39F406498915FE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.705{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341634.JPGMD5=8855F81683F7341DA795E04AEB86D06E,SHA256=780C11A2C702D3F3165BABE790F61AE0DE708AFD2970747C2CDA9944ED777E09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341561.JPGMD5=A6F9567326DBB950ED9D6A90BBE0447F,SHA256=CFFFFFC9A47D7A4EE46EF3D169A95F100AE97F1AB3465C0FC44DF2AE8BA7541E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.702{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341559.JPGMD5=A8F243A39BBE961735811D363CFDD6B3,SHA256=862C138F613C5044EF69D6A0CF0819E55A061055FC069304C4C4AE7FE2472F91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341557.JPGMD5=71FCACFB473092C8FC90F82E28ED869F,SHA256=6B1143B839441AAEA02CB7E4689A40E66C4F093E95A314CEC37EFE646C874AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.699{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341554.JPGMD5=E55ABE237B248FBCBA9094A09E882F6C,SHA256=04BD48DDBEB3FB8E706273F94C53B71FFC61E7BB8D196131DE68D0BA12FED55A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.698{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341551.JPGMD5=47EA2D10E9BD0CEA24D7DA39FE2742EA,SHA256=AB85FA598F02B07C2688CAC33B7FBB8890E8C9173CB02165C044F65A4CDE8740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.696{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341534.JPGMD5=DB096457CAA41227550D44D352E82C54,SHA256=078268E03EE27F890D5FD42D5FE759F261669C3B37879B8ED43AD39C63F4F442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.695{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341499.JPGMD5=EF382F69D3B48603731A3B72E77AA603,SHA256=093A1FB7C8B76C6D582C637DE9534161EF75883108268BAFDA062AC11BDDB4DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341475.JPGMD5=9E4E544D60B3A18786196D14E61CE710,SHA256=27A60872B54931EC993D11E4D4B84D0D349B67C69D278BCA3318E41A1D31352B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.692{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341455.JPGMD5=AD115FDBE9FFF8ED8BBEB58F3B6318EA,SHA256=C754780D448B5BEFCA3092CB0E2917D65564A8FD438230D4405BB6258AFA5378,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.691{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341448.JPGMD5=999DA44CE2E56AB51084F2E337CEB998,SHA256=BC83E9E69A17A79CAE927822D0896A80C0C485DF1FE2C83B8EB9008C10321D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.690{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341447.JPGMD5=09958BA999AF339763748AE2DA9F7F25,SHA256=6CA51A6B1CCAEAAC35F42B26C2BE35361A565CF49A6E8EC83251AA24CCFCD36A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.689{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341439.JPGMD5=7343DA7C4E888E5A9972AFA5999D041E,SHA256=7514F1B7DA22B518B82F7288AE79DFAE1C86E8BDED6585FCEA661C3BE452BC1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000324529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:07.487{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50994-false10.0.1.12-8000- 23542300x8000000000000000324528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.687{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341344.JPGMD5=2F6A1A62860F13258C9EAC96869649B2,SHA256=D27F504889686B9ADB43303E185C9F3560F8FEF773EF4DDCBEEBFCF765C21B37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.686{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0341328.JPGMD5=6550D7BA1C4DE8F191200F04E2D23549,SHA256=B7127F7E2EAED63E37505A56DB3976547DF7BAAF36DFBC950A58761BD126E5D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0337280.JPGMD5=DDBF67BC2065E04AB04EC6724F63325E,SHA256=DB2A374AC78DA780827DA886B30D63BD5BA387AB14C61CCC90E016790C98CEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.684{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0324704.WMFMD5=61A734E99E02E07C2CA7B6CEFE6DBD38,SHA256=FB0120A9372D843108B00874B4E407D3F0969646ACD87BDF4D47DBD7E6BE1C37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.683{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0324694.WMFMD5=8A72E7082DA7CD86BB3650C3814B25F5,SHA256=3F8FA47587C387DB34FD630AF75CBB1295B54CBC494570E337B7B422C0F0819A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.682{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0321179.JPGMD5=EEAC829825B676063D926A4DFCBF9CAB,SHA256=56D0AE50C41E393044BA9A1D8319315BD18D46FDAB49582991D3630EDEEA15C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.681{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0318810.WMFMD5=667FA231E90E319BFB3DC1457C6B6D9F,SHA256=A3CF437DB187E5B61B014A4D1F329E0322B6EB0A951DF458E85F2097AF8F0763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.680{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0318804.WMFMD5=46AE6EA6224B4FE1E3A1C56B7D76FAC3,SHA256=CF41CCE602A638B1D179BC980EA439DC800DD1475B8EA72AD500A6DBFCD82FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0318448.WMFMD5=F0AAD05C5730BBB1FD036EEDC8DAA0CA,SHA256=2F20C85B5D910CAF5C8FD1F975A3EF18B9B79EEDF57FFBEDCAB3A55AD0478285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.677{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0315612.JPGMD5=E66BEFC40C71C940595CF9120190E318,SHA256=4C7C7D828BA1C8BB4EF834F58A2CC9A95026CA6200019FA29E734DC8365F58AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.676{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0315580.JPGMD5=CF4E4F320283470FD5908BCEFF534F7B,SHA256=B976BF4BE836F347AED3E43F2A796FBAA6287A3720DF6CFC6B0878F073AEAE80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.675{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0314068.JPGMD5=D3B69A4221BD332C258C75E08303E01A,SHA256=3A1F069FDE1478F5BA39D3330221720200002A7E4A4E212ADBCCFAD56FA9DEB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.674{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0313974.JPGMD5=959892624631AC7AB0CDC1179C1C73EA,SHA256=775D217D69EA53410B9F99EA54EA43BB71E5C0F91103700B2DA3F9087F93FEB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0313970.JPGMD5=D372DA5C926E7C8BCB17917C66C37144,SHA256=6CBB62B1C3F293DCC304B0D570A83B5D9A3EF6BCF99469C5D870153689FF9924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.669{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0313965.JPGMD5=6D7A281A46EBB0A35589AB3F3E46E40D,SHA256=4E4AF6C162A46057CCDC9633D2702F605CF30BEFD6A4347224A3C22C177C470D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.667{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0313896.JPGMD5=57B5F329967C250BF090C2EA4BA9A627,SHA256=ACB0B3A9380C37EED038FF38DCE445C3F8475D16235D7550F0BBA7C8746BBB8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.666{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309920.WMFMD5=867A01A7C638C6E40F1D3EE9567064FE,SHA256=718FEC0600E3A00B85C2646ED4E18CBBC6E09C100899AE3EA2A216FC550A8951,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309904.WMFMD5=DA80DC26A5FF5052FC50B8736813CB38,SHA256=E9153E79B8EC17D4FAC5E38DB6CB31C5B3627F5C3D01C04E77FE1740DD8B071A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309902.WMFMD5=93F8811D355F74A079832B36131A65E9,SHA256=66382C2A5F4B4B931C5F5F5161286413E3ED69A13D36767716122E042E994B41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.662{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309705.JPGMD5=CFFD8A90F980BC7620A9A860FAAE03AF,SHA256=9A9C69E5AB62953F65E1BBDA543201D1C891F4407E08EBE7297F5497DEADF332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309664.JPGMD5=4BD30832B692BEF81C67147F18B7BC54,SHA256=A05979C0AFB8B92E8BBE1319AF3F5DED60E27B8F0D4354E69B674431542B23C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.659{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309598.JPGMD5=0EA73932E99D155B2397E080718A2D4B,SHA256=308CE1AA90C6E0F4E674A394B6B1D27D73E1641FFEED30F2E342A04E18693D45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309585.JPGMD5=824F4D610BEE7DD087BC3884A976712C,SHA256=E823BBA8464E6E35DF544219D74FA8F681FC0A0CC610C39100219A3848E22A1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.655{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C727110A26E3A4A380BD99D16A3405,SHA256=C460BE3D0E3BEE8C38A3C8582F387C0E0E8368C577926223EF45E6D085456B81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309567.JPGMD5=43CFBF73B0ADEC4D46B689A4CBEE8CCE,SHA256=825299C1408A6DAA5ADA15E0C01F2607C90BBC8146B6F2DEA48E0880F8B30EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.653{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0309480.JPGMD5=F25C14B8FA31D1219B7D26E416243AB0,SHA256=7FEB0F7C79E123BB4E6BD8AD7A3C77B61E7C039FFB05FB2688F9B1D9FD8A3405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.652{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0304875.WMFMD5=91332F29EB87F22530E2BF5F18A68E4F,SHA256=F1585D90A88A4B078932FDA3F71D481AF656995D318827E821A7979157253303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.651{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0304861.WMFMD5=74741E74AF299E1D4F5973CEE65483E0,SHA256=5F09C0F0D6F4CA5B0EAE374A20A21FB1DCA484734205E1830FEC7426B7D61BAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.650{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0304853.WMFMD5=81A182D43FF0ECCF1B895638B6290A34,SHA256=5D9D2683BAB87C7FB2CBDCBA70E7F622C1CEF9E59F459D46488DEFA551F3331A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.648{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0304405.WMFMD5=44B58D77992A82EF44C2160FB8CBCA3C,SHA256=B1EE866F05CC871ADF437D667480C3D4C5C65C8DAC102C39404E30EBB4654F9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.647{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0304371.WMFMD5=8C5159035DDC270C4971F62168478F60,SHA256=65714365FCF6D2B3DB2B1EEA7189D9017C57E925CF465B555D401029A7E91C70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0301432.WMFMD5=36CBC8BCB1B0FEF107773DBD6F8E4D87,SHA256=77EBA951DD59B771E0BAD7094A3AF11F42633405537350CBA4E1F95204D93F68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.645{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0301418.WMFMD5=BDEBAC0E128CB159FD0646290C4F4805,SHA256=6E3DFDED6A6C83DF66FC6441502B3067F1778C024BA4F70421A551B08AC8C54B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.644{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0301052.WMFMD5=C0B4E564E69E6BB3676267C3F6A3DFC6,SHA256=88E6DAE8A8E6447DC4A30BFD03E60B97DA619DCAA501FFDF98468FDCDA1D1E03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0301044.WMFMD5=D0A5578BE410F047EAD2D4002BC1434B,SHA256=82BFBAB167BDABBAA192C1828014C6AD7A5876E301CCE1ED93F1DD09843C9955,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.642{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0300862.WMFMD5=614D29D89A22AADB1F40D68889874D12,SHA256=29049B80EE929DB26F0427E452CA655AF411185B268583D6E6EA477F6398B846,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297759.WMFMD5=AD9A79133F85AAAC5EF32C11C263AF91,SHA256=E12C120EE64970078F00BB2116CFFB99D112CE5587265A7E3C92AB00F94417BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.639{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297757.WMFMD5=F44AA727ECBC0009423B1D67603008D3,SHA256=5C519B5337B31CB296ECAEDB11363043349402913BBE3C9E7F0BE132913C29BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297727.WMFMD5=AD318BA7F85BEA84D80CE25EBD92E22C,SHA256=79F55D77636698D8B7CD6314B3D3E7A06FE33FD855650B0D409DF81D5AB75643,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.636{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297725.WMFMD5=53B3FAF674735F9BE8F37BDA30B5DF61,SHA256=AC0D178FAB82C7191C62200509B829D189357A346B6193A751441A939BED9BCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.634{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297269.WMFMD5=904B9493A7B13E7E5C4F001C08B64E86,SHA256=48FF565C5780F1A6460662108EF2F077F47E7BE2CE81D264F87986075530839D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0297229.WMFMD5=BD12B921F14F4955042659BCA75BE007,SHA256=F7CDB147318C995A8813C614436FE4C7E6EDC77EB56879BFBE02CE2440FCACDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0296288.WMFMD5=84EDECEF87C64036CE5B3C5F07379444,SHA256=B15B0EB3C80146A4CF33C4FE9D9221960647228C9BC1C26804D4A6479C3EB5AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0296279.WMFMD5=F5116706EDF9DF2373EAC555383251BD,SHA256=4A7593C562C410E88185EAD8013F3E4F924AF8EB15F292E2B49E339B0C93D9E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.618{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0296277.WMFMD5=CB92503F6F4E9DFE2236153E84AA6B21,SHA256=BA77CA6C081696A26230A991B3B3F71B719DEC27374351BC3E451D46323E9FBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.616{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0295069.WMFMD5=B174D01F37D5300FBD2310D8D5C7F676,SHA256=1B8C10C7B1F3645A95F936B0D408638C0727ADD59C939BACE918FF0C98665EAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0294991.WMFMD5=FF3D58B77A63C9B0851DDE0E11AD499E,SHA256=92710853B9903981D98A511F2AEEB2B6D53D5E46B54CCC0C0E03B55EE5C35FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.613{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0294989.WMFMD5=F459A2B624108D2C5B5084D9AE3E32C3,SHA256=A156F88DE462917902A782A4ED439DA8C07F814A2610208D9F8A39A0F868857A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.612{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0293832.WMFMD5=326BC3EC6B7F5F1877D47DFE4E96C083,SHA256=D281C60E3B8241A9418C98C81AF92B527F2C670F0F17B2C2C087A2804595CA36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0293800.WMFMD5=A2A108B81B12AFAA51D935F6ADCFFAED,SHA256=164D6EEF32B6E0E6E44F60940BEB44176C446E50C767DB2E9DDAC5C2EBC65C23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0292286.WMFMD5=36B02EA27DBDA1519CBBF33201FD16C8,SHA256=F98D14419FEF1DE31345FBE40AE540A58F5AC9768948CBE722839B91B280B9C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.609{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0292278.WMFMD5=1156C4CEE39B95EBB9246BEC8538E85D,SHA256=61EEFF2AFAD2009280F25AC4A84E118208AA17DBDA9EC035A4834FD2B31D79F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.608{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0292272.WMFMD5=9B29F1D8F645B33990AA2D0FF6EFD62E,SHA256=91987254055270C744C6AB79DA2647ABF7A30692C9E4DAD4039FCA032EBAC064,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0292270.WMFMD5=7E4B691F1BC63A51AAAECF4EE256C299,SHA256=8B3D3F78D6A43B0F3ADB7B36D2574D563CA04B8152BA608634B6E80EC5F28FCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.605{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0292248.WMFMD5=7294EA4870034910A514F70747A6CB99,SHA256=F0DD06BDE5C6F2DE7A5D40D79D070C4C18028DE639CE6A31A3DBB85EE73F827C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.604{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0291794.WMFMD5=373B7031889376B3A7CC226549DC029B,SHA256=46CEDED3A7715CA11A4A548B868A99E3D11BA8E4C1FD0A7F640719DD12B7217A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0290548.WMFMD5=7885B5AFB7CD344BE94F49E8A0EC6138,SHA256=6B350D6C80C6A7A8BAC21467703619EC153435038EA69F6ED0DF51C360E3B732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0289430.JPGMD5=3E66E925715A36C3310D9993CD2736F6,SHA256=BBFBD18A9766EEB13928AD9D5129C92C082CB9345E513F8569706E095BA22DFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.600{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287645.JPGMD5=B48408139CC266EE489AE7C1CDD5EC2C,SHA256=B4B0F80FDD50FE2B47A786E81A6EF319F2069FABCB61BDE4C36A384AFBC2AB0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.598{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287644.JPGMD5=1FEDC8FE91E28370841EBEB57D993E1C,SHA256=5511022213DBBCFEFD30C9D0DCF66F70CD7D2217E00F6F8FAAE43679958DDF7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287643.JPGMD5=86176967EAEEA8ED8CFC3175C0E76E81,SHA256=EFC2FD83267A63AA0A5A04B3AFD4F5E7D1A0954CBAEF9F64998C3C11AE88DC3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287642.JPGMD5=0133AEBCED2135AAC48DADED9324217C,SHA256=98AD2683B01911F97810FC537ED336E35A5DF8956EB8DF9D3AB62C35BB90F7D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.592{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287641.JPGMD5=9A8083D798DF200EE923B82C642D6A74,SHA256=1F6715855315501CA125A2895E24B704177A63286E6C8215A5892E952AABAA92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.590{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287417.WMFMD5=E62A1CF77EF951CD0956D1338AFC2A38,SHA256=556B468F7DC14BA895BC065B35DD75411C41FC423806C13D81D15BC84FB4216F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287415.WMFMD5=6B214D6AFF15F1BB96015527772B5410,SHA256=8796A13939128EB5B9F5F510752287088A39451021BFF258785DF5ED99A9AC89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.581{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287408.WMFMD5=F884B0B077E02287EFF7582943291DA1,SHA256=52E12195F40B0A6C61B71F5A28799ED6461B14753BCA89D7780D3C0AC0A505AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287024.WMFMD5=EB94A7C9607B46330FEDF1A0AA45AAC1,SHA256=EA68FCECCAC2DAD9A7DFD7DA4569E0F2C8251C3C8E1878FFC9CA644CECDA1479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287020.WMFMD5=46215C4A880FDDEA0A1ED73A24DA0722,SHA256=D96EADB26101F7AF19096A281F12E0D7DF11A3D2AC1A5B18E9956DA27B0233A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.573{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287019.WMFMD5=4F074FA92172C317F7AE3436DA24A9E4,SHA256=3057885E30DF2098E775D39776BB06C30922CD65D0DBF2E7A088E3A0AEC6A445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0287018.WMFMD5=C067373A5CEE63005E7F08F49E38A02B,SHA256=134677B767F651FB1CA95855CD5131837C74AF92F34ABA68E4034E03525796B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285822.WMFMD5=E899EB175EE554C5926A56E0157CC4EE,SHA256=8051B515B31C5E2A408B7FD673700E74F62691054042BC961834AE950CD147D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285820.WMFMD5=9D98E83655C53B138739B7DF49012DF9,SHA256=B3178652979D94B21EC1B4BEECC31D8A74BD822F8A4E47ABBFAE0EA5E230D9F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.561{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285808.WMFMD5=B06B496ADC2680E16ECF86F765302078,SHA256=1BBFE8ACDD1C364ACCC04C1155227A9DFEF6AFAEB167A7BB87D2F2561A0F937E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.559{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285796.WMFMD5=1678FBE051FC1BCC75B4E63C66E9C905,SHA256=04ABADE35D078D2D21BE3133ED51149C22A4AE8DCFF91AFAFDF468176DFE2F34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.557{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285792.WMFMD5=1D23E4E71779D0583DA48B52204BF860,SHA256=B6A0F248C603CDB7DC7B4B58A17174792E3ED7A879D451995A6CB4D4BFB7B296,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285782.WMFMD5=8CF57A004B1A2913567090CBFD07BE73,SHA256=E29ABA1BB82539A0281729EC759A5D64A28D8786CDD87AD2B2958EAAB1F963CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.548{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285780.WMFMD5=342D53D83E375472A78BC671B15B1F69,SHA256=D505390670FE38BA0CE8F744EC0EDC1C1164238CE8686CEEA2955AA82A3D0A0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.533{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285484.WMFMD5=A8C5249ADBA66E84B33BF099C0E897F4,SHA256=7F1924B6225DAB148F4477B6A7425D0ED79F1ADEF1D51A11285C259C00DF372C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0285462.WMFMD5=F5EEEE8F7CC76FB207DC50A9A72C6B32,SHA256=FDFA214B10F3F3C15ED8BCF62FD05AA4CDD5B9B17224B7C612AD754101E6B875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.531{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0282932.WMFMD5=3E2E6F7FA7BFFE3B056C5A3DF7F09035,SHA256=F6A60D117D421E97D1C34998C75DA61F3FADF5B4B128EA69BBCA49E233386D08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.530{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0282928.WMFMD5=FF0BB09DC612B8D148D83452205DF8AD,SHA256=96066DC6673FBB09B0E373293BE7AF9519C4EDEDE7C2FF8D0BA32D38862FD9D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0282126.WMFMD5=B258436C04107DC060BBC3AEE78F724C,SHA256=81B0B3A76C0EBEA9F789B5894AB80AD3AE5EFEF5991ED5E4338571371D0972D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.526{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281640.WMFMD5=09947362483F43FF73DF43158C1AF22C,SHA256=BEB4C94D65C8B030B40B36CFB8D58658853EF2B55C169A2DBCF8A843723E86DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281638.WMFMD5=CA6FA9EFF7F8AC9CEAB7DBBD36B51AF6,SHA256=CC710BA658BC3D71898007F5F61FA1DCA730AD6077DCF7BBD50A2DE30677D07F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.523{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281632.WMFMD5=5DB51B0B930DFBA850AC45AA459127FE,SHA256=76E4C08168E140A0487F22135B3BE0DC3E68AC48886EED16786D5B2D078A305D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281630.WMFMD5=4EBDD6A8D12AC79EC672DDE5BCFCDBE8,SHA256=4A992A25A4A869EBA1EFDEAFB43A5DE8BE987FC607A54DEA961E7DCB9CF1EDA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.520{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281243.WMFMD5=F4F1A95BA9870FBE0B2B34D9FB933E34,SHA256=A84D63C17F8982CF874AF2FD7BE95416B1E566E778E53DBF687603D202AF8BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.519{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0E37C6137233ED3701CA110C1137D0,SHA256=A09A4F36CCBBAD6ADA0494574B1B2318C4285D3F625F16F10B28A6F50AD0D25A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.517{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0281008.WMFMD5=AE1E1E0A43E91FD0786FCC169D2829FC,SHA256=728889BCFCD96D2F2BBB6A73B980DFA2229B6D3EA2C366049085D435759E8C2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.515{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0280468.WMFMD5=346738E13392AAF5BB59B7ED6A40282C,SHA256=65289A80D3A6B7A037830E2ADA4079D99EF2979873A31DA10B123AC3F337DC0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.511{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0279644.WMFMD5=59300A5934CF4B382AAE5D00963FEC00,SHA256=C06C81DE5643C00DB5AB7F7C08D62EF2DA680CEF64317EC948E4AD88F4EF84C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0278702.WMFMD5=48CE8A5A6AD87CD86FD5791DBE1FD8AC,SHA256=0FCAAAAEE6A85C1F6455C800AA02BD350212D51969FFED41C3939FDB575AFBBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0252669.WMFMD5=BE0BDBE3F3A016A17BDA3D596C9B451C,SHA256=0C0C1F4645EDAE04306F1C3A88E8A2B48D509D19D072145782EFB9E3C846F280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.506{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0252629.WMFMD5=4DCF0CB2A908FF4920F0BE67175FBAF3,SHA256=E8E7BC6EA831AFBD7852E12933EA1442816B91FCAC764BB23C5D45A0908B2FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0251007.WMFMD5=A07E2F4BF81A643342D131078C0EDBA0,SHA256=0E9EE40CE9A58C19A8903B8BEEC3CE83C14719A8C98AD2100F49DE4A7A41397C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.488{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0250997.WMFMD5=675EE71AD396C792E7B24931C107A434,SHA256=7729E9DF1AC1EC6BC58D69C6C575917F3814C4E5657B09C10696B7E17931D70B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.486{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0250504.WMFMD5=F18F38357B7E0171F78DC162F52A0F1E,SHA256=811D8077E2609B8EBE7FAF2AA2B64A74CC37EF3CA8C44A343FD85538BFE81079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241781.WMFMD5=264D3A94FFD2BB37E68D4F737D902730,SHA256=DAFB58088113B6F817C51FF20C759531CD3AB370364D41CC8E5EB857CD707545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241773.WMFMD5=081ABAE148A8A97729D20224A8A4C844,SHA256=7A2E5A121BF5C878A1453D26EF435BB87FFF63857171AA911FA3E589F2863E95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241077.WMFMD5=F2D876ADE382405A6DD67B3F27A6E95F,SHA256=97B238D812454CBA675071A9DAF261573D12A7BA48D1B21B868D73CA648F69DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.473{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241043.WMFMD5=4CF7281985978091FA8B00C24527C9D5,SHA256=708DBD40ED00CAED645522E825D9DC9DC70F42C77D07175A9F284BBB1D824119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.470{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241041.WMFMD5=F43A6DB3E6129A87FB5337E55331C181,SHA256=E5BCD7A36A76BD42546F85AE563146E4F47D1326B5A0696102E96A68E90C6C73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241037.WMFMD5=63D2529FA1C8FA4771533D05F7DD4C44,SHA256=CD412DCAD51C25415C5F9643AC98273425D26BE37B2553E802656C5CD6D26D86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0241019.WMFMD5=3B183E188CCE739C1E98272D37DE6AAE,SHA256=025966690BE9D6B81E7CF1A8B9430DB423C3E34EC033B60A7F5F269BDB635557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0240291.WMFMD5=B4B93D23B1AEFE0E13FF0B357525B33C,SHA256=C1D91E3B416133EAF774A0AFA105D499E768004EE1FD075EFA1FF6145CD3FF9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.465{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0240189.WMFMD5=44A70F6B8FC9C11AAD481DE875670E39,SHA256=5790F6B94DE0884D34ECAD68DDB1E31C536D314179166BDD2F7F8D5B894AD348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0240175.WMFMD5=9A176FB6A601CD2B5FD60876F898432D,SHA256=F52F22757A1C37476122392420EB8893F348A6AF107C989D1D925B1D353C7A85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0240157.WMFMD5=6C0A332A5E0C7D42496A52035916BC1A,SHA256=425E90371EA75704BD6EB361E987B236B09AA268A15C24009B8A06C1F17300B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.460{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239997.WMFMD5=581B6607BDEEDD5F92117E601669386C,SHA256=7FB98DF86A7A48D32755A31436FDBC70CC1B433C3E19540D3C3335B416FA3CB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239975.WMFMD5=BDE82571CB5B3723B36F8956801696C1,SHA256=0B560AFECE0FC57ADA4D7FC43F171ACBD8B541E64D098E71628230194138EBCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.456{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239973.WMFMD5=663B933B176D4F6CBC20006E9F746883,SHA256=BB094460C3ED3F27AAF5B20F7B21F0BFD653D49B084DABDAEF4003D7FAC6A7F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.455{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239967.WMFMD5=E17C842A6240C82D94C6426038CB66B0,SHA256=266FC66BBF957A86CE0E660CB42F36CF04A9607CD7AE3430FEB23B625B3AB42E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239965.WMFMD5=49E468EA7ED93FA5D68DD381A202B5A3,SHA256=62FEA1E57A0E9890B730BD562D86B0FA35D5DCE06A77F9B61842EF0392C2F5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239955.WMFMD5=46FD31F6D5FC5662A0BD882402D1DD5D,SHA256=52B2A8B459A5044C4E7AF36ED0CC531422655AF1C967EFAB5920C2BB8381CC04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.452{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239953.WMFMD5=1956734F142B982EF249F7C93DAEDF22,SHA256=D4DE7A9E3BC85BE9CFCC858F4735D1E2568F8AA1339599D12EB2B6DD8EE29390,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239951.WMFMD5=5678CE64B9B98F680447477EFDC90EB0,SHA256=21CC11653DA2336656CF3171E1E20B4745892A85697AD0AD428076DF7F6E9B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.450{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239943.WMFMD5=8EA31991966731D705993F05966ABB05,SHA256=94690992390C278E96E576B26E9A51AD48A5501128A41E93C656C9D9956571A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.449{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239941.WMFMD5=76E7871A7A0C885DDE5CD59C6EEF684D,SHA256=BD112FF3BB22FF1E1258F49273C47E76EC3ADDB77C1A0ABE3D86C70657AFF87E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.448{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239935.WMFMD5=EE76BEB1CDE857B6430524A128D787EB,SHA256=A9EF3089783F2DA6070F00610254D838C8A5334B873D5F834B48FCA13BC71991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.447{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239611.WMFMD5=E99D5D05C5F2387F342EE882507C777F,SHA256=E2D14F90AA5F680DF8BA0A4566059895BEEA5668A66449A690526B81F24E8F62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239191.WMFMD5=F2439851B8E4E5ABC7639747F0BE628E,SHA256=1F3C1926D3A1196B55579D96995FC54F12BC0A4DEE96BD6D53ACE02C4219B134,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.444{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239079.WMFMD5=0A2394D123EB2FB9AE251AD4CAD2BA13,SHA256=13A88B30BFBF039480E84CFE7AE0394D2F71B95B3D4F10F839948978596B8335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239063.WMFMD5=51F2F1BA01A0D94EF385D13D7E8F24EA,SHA256=E1BC6262D418FDAFEA033B4181C9A63B75A91D0A68F63E178A2EF8FE03BD021F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.442{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0239057.WMFMD5=E481F1A9B76C0D87D16594A298065D61,SHA256=5FC60E4F7CA782B69BF10465F2734DC81C12DEF582AA5841D689B72832152F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.441{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0238983.WMFMD5=F40978668C33ABAC78940CC83550A2A6,SHA256=690D255FA17B062CC4C3BEF44E4FA88DEDC52D21746EC18AECDDFAB8E05B6B55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.440{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0238959.WMFMD5=534E30430E293DA8240B2E768F2C3C6C,SHA256=D95581AB6A90F30B4EF1807583FE272E2BA4B21AE0A6FF20EA1322DED4D17BFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.439{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0238927.WMFMD5=F259FD8B460DA0106624D449731BE51D,SHA256=4EC975F41430FEE6510E213346AC3F4DC343944DC879DE7204A4238C30FC8F0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0238333.WMFMD5=2F7389C4FE1DCFDC2DD2C934508B106A,SHA256=66F99698094581136488B63ABBCCED9A20013EE204C67050AF6E0CDA4B1C4964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0237759.WMFMD5=25B4BA3E5168F0FFF4FF649132B0A180,SHA256=03672D6DEA089A824D868D8AD7E0EC1EFF37011F15AD60305D1C953AD0C7FD0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.434{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0237336.WMFMD5=9FA8B6D13DFAC8DFB412D39543909D5B,SHA256=CAC503756AA9E4412F3AEF45C9BC41E29B0D79C34AD5CA7E1A23245372CB0EFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0237228.WMFMD5=6F0E607F3D443418728A8A48E19E35C2,SHA256=1588231DDF05EA47F0327B4A4EB3D1E2A4A5C608D484FEC166C70F76B80AD2DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.430{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0237225.WMFMD5=0FC41F59DEE51562A764B82F7705EAAE,SHA256=2DE1ECA568A6EC156DF6EA88697481191153D88B119B6ABB209CFFBBF8E93AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.424{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0234376.WMFMD5=E489920DA805AD8A993BAA476B523AFC,SHA256=DAA5A0A38C49426EED0CFAFDB8195D931BE93270D89C72CCBD5377B3A0BF75B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0234001.WMFMD5=14CAE3F056F2DC4F1FAEBED6DE623182,SHA256=6F2F7C114B2618D851770A044DD3B5DF530571B7F44AC332803529BEF6306479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0234000.WMFMD5=3BF9F750D1DE1745D3A73076BBA14AB2,SHA256=80D0C239C6F4BC1502B4755E19D5CBC87F5B174B46325784FAB97620B0AE9371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0233992.WMFMD5=AD2DA8E673F58FE3C44301D5AFD9062A,SHA256=78A897A72B16C117E47A3C82EB0FC19E311DC030ED2C4C64A33921FCF1064C72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.416{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0233665.WMFMD5=8F90C4AD9588FACD43A449FE0F8EF2C5,SHA256=C369891C8FD41ECEB82CFCE01B7DDC358AE47D14ACEB085B4620277AD23D8481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0233512.WMFMD5=720D7E1F77D1D5157B4B103E6C1A1DF9,SHA256=C8FA9F21F4CBAC8A488475480A94842B8FB7867AB7648AA28F82642A6EB9C95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.414{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232803.WMFMD5=71F33A3150E6E51AE1BCBB52F846FAEC,SHA256=6386D3AA887F83303D79569ABAAAEEE9C4E355799A6AAA0BFBF449E181C78C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.413{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232797.WMFMD5=2605752AA8CCE9B972D142F163249414,SHA256=B42F16C8445EC377BA0A497AAB7CD8140535850D2D7E6C115270D43224026F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232795.WMFMD5=128069816D8E74AFAE9BAEC885AE78A5,SHA256=51D2B2500EE6C8F3DF9EB2FBDAD50611DA02B12C8A411F53C1DD242417D92E23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.409{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232395.WMFMD5=859994ADEF4A7235368197C33808C3DC,SHA256=250A68FDD14CEFE7250B2D70A34C6087E41DC7CEE40CD01E0F0BEBEA84967098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232393.WMFMD5=D9B3E97FD8EED6303C210B4EBE3A7A68,SHA256=BA7E0ABABA8C762A9E3AD27F9E65CFBD05B8AECD782CC0B2419166F3B016D2DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.405{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0232171.WMFMD5=FFC3056CAE8AF6FE5708DA5C84B11492,SHA256=3A5093ACAF1E1724F94DAB8CAEBE7E9B3570FA59F0DBD091E75E6C5AB8E1DD55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0230558.WMFMD5=99EBD0A2296BD66FF71E33F6FF984389,SHA256=7F02E14CE21C06BED3DD3901B5953091CE596DBC63607D37598AE56341184A38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0230553.WMFMD5=88B1F09E9C350E01629E9303DA833117,SHA256=3059DCF53C95CE51BCF576405A581C938BBA05DE36E509D991BBFBED469A409A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0228959.WMFMD5=48D0976DA0BE0C52437A076E997438DF,SHA256=2F58E1FBB56C6EBBC558528270BD332202E1538871EF5CF255988AFC9BF1E343,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.400{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0228823.WMFMD5=483D80836E136886AF9DC7EEF7821BA8,SHA256=CC0F437601B1C8CA5E9E07745819D8103966D0EFE2320503138DFDD4A8191F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.398{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0227558.JPGMD5=6E44F6C1D963F21A153A0A07FA431B28,SHA256=4F42B0FA57D6CC6CCC0519ACB80BCC23CB38D7382A90B839141CD2E6D93DE94A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.395{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0227419.JPGMD5=B4367D5ACEE7B6D4E14071CA769ECD6C,SHA256=6D3F336A8AC9172C15225614C96A1544B407BD8E627678A582B91C4511999D42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.393{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0217872.WMFMD5=63551B393388FF3A8EED84270861F5FE,SHA256=7F6BCA9FCEA30C94E74B4EF042F075211EC016820C335156B873E40C8CE43A2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0217302.WMFMD5=235E1F2AC0DBE2ABB48D20B4544FF0CB,SHA256=B2B70D17404885C7936E4AAE907D901A338DA19A3ED6143835B39647ACC5434D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0217262.WMFMD5=58EC20BF559D6C8951ECFB1CD35FF342,SHA256=F3C98D63F12F7F087DBAD70CD871B139923AA6F329024040FB13413647850C6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.390{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216874.WMFMD5=65AC7C06202926C9497DB6535A28D266,SHA256=6B4F305FA4D76B5AD6B553F083DCB707E60C7847AB94A4A8640830568EF8F4A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216612.WMFMD5=F584DE485032CA182AF0EB6BC01B18A8,SHA256=263B0E35F5F584C70B45B789C644C6AFAB069523028438C4946A6E293035AB2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216600.WMFMD5=44B220CF02126B4AB565BBEE3626763E,SHA256=DEE48D0C7B9B2C95D9AD7DD6B5B25F255F5C5254C096AC0291F7D2C41D66A1E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.386{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216570.WMFMD5=9DCC7B0462A7EA022C5E6E16B41AD2C4,SHA256=A08D83939168E7DAE8B38225B4695EE840D4AF109A0D9B4447BEFFE2827E1F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216540.WMFMD5=7F66128CD6260BF3E4B604375325A117,SHA256=6C8AC26EEC5139EAC1BC9CA3601E0EBAD646F118E13130EC15F90C4944F81202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.383{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B464E35F6C6ADCB9C9A77969851268E,SHA256=E3AC7B523AF00062922CD140084131EF0EDE325A31249E88D88EF60D6FD56373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216153.JPGMD5=991C9696D84D8BDE8AE262B653370D06,SHA256=6FADD3F544CCCEE26718B31F6BC16F6B2DDB72072ADC57B13B8459C9279A9DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0216112.JPGMD5=6AE87A121608A2F9ED5608688185BC7E,SHA256=56C2D1176CEEBA6A3C25D920B7620CA5C354EDE47412644A5CE7C344D63F6E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.378{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215718.WMFMD5=B6BF73EFE7B4998A32DD36519B2BB4AA,SHA256=2C0C0523DA0E6DF9CD96848674195ACC79B0CB437EDBA3225642725F81137395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.377{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215710.WMFMD5=219CD09378101143D13B586E8BF85C4B,SHA256=36CF12F33FD31F4A0CF0F6F165F452F57B6BD96546B305B898A3C268964DEE63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.376{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215709.WMFMD5=3DB4D0B126265C3EF7096F5109E922CF,SHA256=847548C501322A6A4EA13F3B3C478FB89ADA1EA5D25E3B6E7B70A1105BA9D05F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215210.WMFMD5=9D0817F9B7AC102D096492F2A9E741CD,SHA256=DDB449D9A994F62B49AD323972C82AC8B896ABCA416C34775EF27B0D6652127A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215076.WMFMD5=78A628CE924D83428B9D032537EA6460,SHA256=1F5719B28E85FBEE842199F1D558375A444C11F078D489EEB5C89D23CED233E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0215070.WMFMD5=5831A1BC569502AB5A05915555C3E6AB,SHA256=ED20E60B03BCD2FCFA20F62B7162E425653FB80E271F31C7D896EF387BCD69E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0214948.WMFMD5=973FBC27A70E6F53A9FCBB9B07267227,SHA256=2C45F697942EA4ED24FE1E255DB8F663EEDEF6D205F9D0E439740CEB7AC3B8DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0214934.WMFMD5=93DD008A9FEAE1AB410A9A8341EB957C,SHA256=1B9929B0F614B28D42AE240A2076E0452E6D3B5FFBBE658B2F26EF2144B39A5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.359{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0213449.WMFMD5=06CAC393307DF174EF225F1086A364DC,SHA256=129FBC76183C869DD3AE16C1F4202EFA79BC4E593EF7013BA555CC9EE584371E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.358{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0213243.WMFMD5=E05BC3D8F8029025DD34B9927859AA97,SHA256=D14DAC504960462214AFFFB4484BD1236297BB6696FEDC8E1BC2E1779ADDA6B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.356{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0212953.WMFMD5=48644681C43F2BDBE1DF8763C02AFC9C,SHA256=520CC0C30B970D08184ECCA152ADA7BBB13A37DD5A686FDA8CDAA5EEACFF5613,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.355{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0212751.WMFMD5=2FEE35C857C5AC53F093BDC4C6F7EBF3,SHA256=97086914F05503AE0E1E43AFAA85E2A121B21E78757583D90ACE605393661F7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.354{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0212685.WMFMD5=F0378D3DACB948A12CCD10E26BA64BE9,SHA256=791DABB53755A76EFB385962D1D16FF8B71278562380CB5B216A4EAB8873CEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.353{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0212601.WMFMD5=423D00899F6D212DCB17F3748E6CDD69,SHA256=D4DC5C186B9C5A6D9E22473F8F1EB1F99C0D797D41474041D3C016C745680FD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.347{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0212299.WMFMD5=279E499F9FD03A70BF881DA68904E277,SHA256=1E3B74F1DEF130DF9BFC678CDC2630340A81C4B537689F140A91344DE24C1888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0211981.WMFMD5=1059C00402A7865DD6F2B2C681258A97,SHA256=3D6316AA4872C8C757158D8C81974E2D1AEA3E75DCE3E388CD0FB6C1987924C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0202045.JPGMD5=2D9A5D7782094CEFBFB7E18E5F8B6B74,SHA256=4AF2FF1152B88F3DAE960A3A528292AED2325CA1B945D21535F405ED5C691530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.335{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200611.WMFMD5=FFB1360192582F7E81F5FA12FA32E741,SHA256=5918BACA4968520510B6850C0F055B0CD6592BC8FC2EF30C2A1F97448E4956A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200521.WMFMD5=D0769CC9CC8F29CAA6125C9A2B9C6A17,SHA256=A6A23ACB330F44306AF651999525997B5E16A185C805A94C3DAFDAEE40B8FD12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.333{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200467.WMFMD5=A0D24BB24E1BD61DF712983A2EEB16C2,SHA256=778CD64F56F6E19B833DF00F2A9F00FD3C6C0E8DA78646C3994378659492873F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.331{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200383.WMFMD5=57CEF3191F0589FCD845977ECB9B8E23,SHA256=BA98722000D85B016C8DCCE952A25C76DD5F72D16B0A039CAD2963B89F903F60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200377.WMFMD5=587E0D9132FACFB17B39AB70701C5A45,SHA256=9F935585B29EE82C41D183253BFA961C3C3B189F21EEB2BF4C88BDB15DED8D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200289.WMFMD5=03904B583376027FC4AE43A755A55FEE,SHA256=717FABADEF427D6AAD7BED8C6016DAF23A2344530FBB7296A174595BE678758E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.327{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200279.WMFMD5=C5DF0D2C89A464C0481C9ABF3AAC56CA,SHA256=C21211DB3DD7AED1EF13030EC44E467CABC84B143B7E88BD274BF3060741A048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200273.WMFMD5=07FA90EA1DCAA418F9D9891787115068,SHA256=0E8BFB43D9CD59DC9B2AA75096C3D16023684346A82EE0B5580A9AEE07B5555B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.322{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200189.WMFMD5=EE95B916E27A28771DFC3880E00D090F,SHA256=B189BC6EC815B98A32D6E686D6E22016C34FB747540C0EC4DC70C512DF627F39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200183.WMFMD5=633DDD52CFB3F91536D5F8641CDA93FC,SHA256=30947210C63252280481F4AD0A5021C8ED6B49C1B3F79F202466CFD0E3840346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200163.WMFMD5=0D3A079428F8312B1FA392C46FAD601E,SHA256=714D7AB325DC51E111BAF76951C1F1DCE3BAED203955394686D27F23C8BAA741,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0200151.WMFMD5=5779B422A6F024E4895ECBD16DCC4399,SHA256=AA81B33775766F512707EB487CCED56025B9FB60BAF5FF47E1DB82FCCB880C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199609.WMFMD5=26E877B2548BFB730490B5069BE710D4,SHA256=D16C65A0DEDEBD3DCE0220AB5CD7075D3A5DB89EEAA925E9A009B482EE00D126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.317{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199483.WMFMD5=2F7ED0B756644FAC05E070E1C5724801,SHA256=E73D2E72AD475D26EFB737670ACDDA246C8D765453C5A59673F0B2BB35B6C511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199475.WMFMD5=A398D1B13DB00266FAF0A7DC3B68C47E,SHA256=6CAF0454A4D60A1ACF6C3B4AA7E1BB467985C73B82A21D2C4A55F472005E4CD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199473.WMFMD5=17BA7F342841789DE3B7217A3ED3457B,SHA256=6CB9A10F2041A547CAA44D9644B88081F74E18ED67B0DFFE2555DE2D1D84C934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199469.WMFMD5=797C3F2C6FCA0F873C2FB9E8FD6D77F6,SHA256=9FED3BBD311FEDFF874609B093C9BD980660CBD2E23541E430A7E812CD7BD5B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.313{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBED6C957137A84A4AFADDFF08AF026,SHA256=A2C2B44E024E434C3196A5844191FA3D73EFD1F35F0EFF61466BEDED30E2A323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199465.WMFMD5=6FD2C053F38E51526E58D7E1B0DCA6F7,SHA256=1CC91856DD34B419A0F5A357AB2F860831EE1D47A3D4C2CE359B617F0596DE06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199429.WMFMD5=2FB902015D1B8CA088B3DE007ABD2508,SHA256=8BEC61E8A59EFA97B4C7D847B2F529C6EEA500A689BC90148C0E675269833D88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.309{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199423.WMFMD5=62EE1E9BB4CB517E712EA3A305E5225A,SHA256=EDEB4C8E70B804F4CE71B6908802282FBCA2E6B2A2A98B800F563AE931A029D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.308{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199307.WMFMD5=E03D5643F2F8862D2928920214F7A3B4,SHA256=2833CAB0E3F5BC0000229EFADDE64A97F7CE221051D25F5DC5735259575274FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199303.WMFMD5=FFB017565D0070B220061DF4A817A6EA,SHA256=D35D59A583D9A717E083DEA5B6150E94F28A9B30908CE1FAB653C52909403C4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0199279.WMFMD5=C8411D57F2594974D1E23DBFA4264601,SHA256=17D26992063548C6D110454396033448134A67A670D6F9CDC7989F2A5E2E85AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198712.WMFMD5=6EE14199E64F700BA79BEBCB349C1A10,SHA256=26A3E902F1FD8B908D73364725B129B4ED9FE0AF712B4DD3F8B8CCD358E4E5E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198494.WMFMD5=2F8AF2E409E000F65D55AED38955CA32,SHA256=1D38D0F75A54B8968EC287050615BA98E00DEAD7EA0777138BD920098082B423,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198447.WMFMD5=E21825588930980724CF1C5CEE8D9240,SHA256=8BE4F083BEA30BFB8E94E4147B68BBE22A7E4CE53A4FBCB22650EDB34CB3E6F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198377.WMFMD5=93CC706AE16153D60F3A06431E488539,SHA256=60FAAB8756C5507E4E10D81519EC9875B829A528249E5588C4144347A344D6D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198372.WMFMD5=F9E7FC78EB065EDE5DF61A861A6BF010,SHA256=55C14E4305B80B480BB9188917ECF403118A7269A1E12AB77730C73564C7E408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.293{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198234.WMFMD5=72C85E90AF34D3C572EEF7E70EB20BE4,SHA256=D84364A67AD4099D65165071A1DE5C0078A03EAEA798BF2574306D55968D9C54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.291{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198226.WMFMD5=944CA954164E1A2E426C52A7884EDBA8,SHA256=789DD447D9E2FD7C972E4BAFE8959A813C0F834D4F451CA817231022CC0E095F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.289{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198113.WMFMD5=DEBAE43ADF3B031D1B71C2E031571F9C,SHA256=AB496C620EFC264123755A6E2BD872C7E07C46816A0458B90B36C3379E23DF25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198102.WMFMD5=05DFF76C3BDC4223CB2F546CE1845AE6,SHA256=DBD1766EE5DAE9EB15944DE34CE774E9DD3357CC345784DF2F2BAA60BBCCC4F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.284{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198025.WMFMD5=6B7EFEF70B78425A27C45750056B331A,SHA256=1E695ECF46EE43093493B1B8B0C2A315FEC054F8A857F475F1674BA66334E79F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198022.WMFMD5=E9C050376C53E77CFC13F5647AB7D132,SHA256=CB47EDC02E5AFC984CA1444A5AFE7C466BA60C737EFB519E3257B43344663D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198021.WMFMD5=87086A28748A2E45679D659CB33CF59C,SHA256=3522DB00D8AC722E0FB7426AEA3EC9BD6791E78A32D53C99795DBEAC79B21991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198020.WMFMD5=A91D1436D836607F04260F5AF5D39D43,SHA256=8A834F878572D8CFE5AF3AFEECC9AAA47CE647DB7411995B4B363D2FDA076B30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.277{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0198016.WMFMD5=1A92771413863C3657DABB5708B955F6,SHA256=DA1BCC4AFAE3F8CDE1980F7E7352F32EEF22C5482101B031770BC2D077CEBB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0197983.WMFMD5=581D4821D61A7518B22E513ED5BCFFA5,SHA256=BA759AC938B7E50CA280FA02AAEBA81E32FB0369A1B8A469D883DEA8B4B528DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.273{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0197979.WMFMD5=84ED5BA7DA5AB3E5E1A040583BFEA8B3,SHA256=003264074FD3830A5B9147B0642B8B088328FAC9441A8D275BF89D510940012E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196364.WMFMD5=28A892D37258111108F32099070C9845,SHA256=6D9C35F8CAA3FF43CD7C99BC04D21C934000048DDADA4EA721628472F1A5E510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.270{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196358.WMFMD5=FC844A0D2C5C2921987130924515A9DF,SHA256=69AB7FBEBC0B42A4DB1172A102832FE20A939E22ED9D01188CEE96295F64B5B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196354.WMFMD5=55305BD89EADAB3283F6121D8613E3BA,SHA256=215060C337061820F692B785568D553ADCAA9B0384D98C592015E3D4355DC09D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196142.WMFMD5=02DACFC289F81DA05F02C2397C9637AA,SHA256=1C818B117F4C63A719285AB8A154A79F2DAECE2584958A212BC45C06653E4080,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196110.WMFMD5=7B22BA9BCB4EAFDD8A314C02144D9DED,SHA256=F1CBF6D3087616A4D2E5269146623D89C31E71717577709C0F42CE9C7388D636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0196060.WMFMD5=A4A06FC8E72CE3B97788E250F8CA290B,SHA256=1B5A9762852BE9325D6C50370332527E2C2C21298C21686348E1B37AE83AA9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.265{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195788.WMFMD5=076499C120C209258793DD3858443A09,SHA256=C644B3512E30C30B606DBF574F1E27F625242A24E52D0B66472DAC6247F754C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195772.WMFMD5=383E69433ED7D61BDA2628F9AD3FE4D5,SHA256=3795485100AEEE108F898FAA1B521D622935FAA6CB0C1D76E64D2BE0CFDD313F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195428.WMFMD5=29BE3074314A3CF22CB875BBA9560690,SHA256=9D12FBC0F1EFF23B8A0B9187041A2DE2C86F4BC90D5F17CAB7B5D65E455ADBA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.261{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195342.WMFMD5=79401126299C351B5C92F21A2915C9FF,SHA256=F68AAEB203BC3783DFC0EBCA5EE4D2B0BF283347DE6468DF1A9C9194147DF65E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.260{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195320.WMFMD5=1DB6E9A372D683344482A9CB8686E745,SHA256=66B5437457C6457CEB53A73A9C246012707F05A98879ABD9D5449C4B7ED09030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.258{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195260.WMFMD5=EDABFAA442C6FA66C67A3D4705E64B90,SHA256=E3EED49F8E03CA5DB39DDF7BB349857BDA123B6F20C1D381E0D3C84B42BF3A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195254.WMFMD5=E1072F5DE99A26FE403904F5FD059B3B,SHA256=1A1F166233B94D65FD27A952174D37711A6E1DD9D983D0F0FDEF8D5B23FA8275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0195248.WMFMD5=FA16450D8D411E2B411E17E579189A36,SHA256=6A67ACEF5345218A20F0A3692DD4F385A1D7D25F0BDE283388420615BFE604A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188679.WMFMD5=EAC23E8151C926D2695147280EF5E54F,SHA256=CFE5D1E5686F539EBA2DA46B45EFA2F911911F656741D0C8EC1E055AE6599563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188669.WMFMD5=A06306EC5BFC46BCFAD98FF7AADA990F,SHA256=4C9ED49CF9EEAC3045DE9C05B0DB8180166DC3CFE32F1580C2989DDC84E2E2A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.251{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188667.WMFMD5=9DB8FFBCB39BBDE6986A614C4B8E19EB,SHA256=6A29732559FEA3E027A07E6FF751F47C40F02B9B821F92C8EF0E1DD837F46F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188587.WMFMD5=8997324715B80B495EFF6EF8A20E04ED,SHA256=7E9C3CAE3190892E467043C2CCC6355FA3002AE98B1253E5859D8B2873D3B0DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.249{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188519.WMFMD5=5D733F97CBF6A4098146A4E89CA85409,SHA256=3CE8272ADBCDE1C40E603DB566B18241E73909C155317184C0C6E55753B56570,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188513.WMFMD5=BAD1608FF90D856B8763347AF3B02685,SHA256=5A851681FB44CED48806A58A44386FF6DBC32DFCABF64560DB2941491E0CE924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.247{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0188511.WMFMD5=52C49BA961AE10AA616976CC5A1ADA1D,SHA256=1C4780EF5A633F3A472E0AA4C201A8DA71012E0BAB980D141580B7FC9A37B5C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187921.WMFMD5=F70C28C8E51D3FBC4E4BCF4E8A24B9BD,SHA256=E01EADD5664B33F331CF353013D88F7CA4B2E1BA806A129381E60E1A93ABBB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187895.WMFMD5=0A1E932E8E47D77D3E756577E50B97CB,SHA256=D6D28FFAA0162E32E356B6E53396FD43721DC71199DCD5D91407926C98028D8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.242{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187893.WMFMD5=BEEDA9F9C1A8E909E036929DCAE842B5,SHA256=20E3052C3DEEAE61A5C0DA99B649514186508DD24D861F1D2CA5EBB779E532BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187883.WMFMD5=9A695EEF209E65F72A065AD17E35EFB9,SHA256=DFCFECD2AC5564829847ABCF417EA62A0E5AE16A0153E9FF5AB6B88737FBD2AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.239{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187881.WMFMD5=52E76941DDFFC26140C016C2D497ADB4,SHA256=FE47C1C7EFF2D3910EB103E107632E2F5BCE2F4A3CF1E447162E46A03419E278,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.239{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187863.WMFMD5=3122D78C3D11D93391155B3C9203D3E6,SHA256=66975CB0BDCEF8DBB3D64EA648421220ABE433340185A89B54EB2F9C7E42AEE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.237{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187861.WMFMD5=5A561BC5853920794F7E617ADA734A19,SHA256=4FD5008235A2411E2AE613CEA71F95BBDBCB42B3CF875C42B5D6CC89505775E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187859.WMFMD5=1C04072854ECD830D620810C247AA5D5,SHA256=95DACBB6E6FDE774D8A57DF7D376A937CAD107F3D8521AFA3A743CBD7E4725B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187851.WMFMD5=A22B5DCA2F63DAD2764D38A8C352A900,SHA256=2C7E0E500F457479364975182E77CEF5F7D2F67A7F2624198866F0EB536E23D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187849.WMFMD5=B93C451829C449A923DD75335BCF77D0,SHA256=6E5783C3C139161BB857EC4D529395B74199B39C03D36E550836CF1930C35466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187847.WMFMD5=E38C5FA9D606E6272B2B5EDAB69BAC38,SHA256=705E5ACA3442147A01346DA8D5F97122787AB103BE4383BE6C6E6CBF463BD2AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.230{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187839.WMFMD5=CC3EBB889B6DF6EC4F4267BA71DC2E42,SHA256=C4DE0F708B356756C650BE62B266C4EC79739BB5F9964735B41B24DAC9430FFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.229{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187837.WMFMD5=D57C37E77F05881E1DD5734BA489A6A1,SHA256=43E473FBEF4EA7C54A03C0CCAF783540B5CE5A9D5A9B011CECB689162C7A7BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187835.WMFMD5=6EA2130480C4F5BAB8F440C557699C01,SHA256=BBD14143A0C4AB131721779D78A33D1A79FE0B251B18953866B0AF889BABF8F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187829.WMFMD5=A2D8A9450CC687D6B1169C4B972A9115,SHA256=B2A033E9AA9CC5F033620AF83CECD5D2DA1C262D08C220BAA08A0BAF787A3A5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.225{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187825.WMFMD5=04B180A452204D2C1A3890453DF30EC6,SHA256=06DF0891F2423A8559533C9DA64640DDD03BC202D498903D8A54BE7140D857B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.224{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187819.WMFMD5=DFB03E6DE3789983AB468FBA641AD87D,SHA256=D18420108EE941C4CC5F656916179E33B8DCCCE8970AB105231B3E118C8D5AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.223{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187817.WMFMD5=1B23A97A99F52500083F9671B1DBB82C,SHA256=CC3511A6C31B2B0E17EA48F1FC1B8AA704F98573C0746DF8EC1594098EF708AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.222{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187815.WMFMD5=B6DAE1CC058759007CE449AE8EC4519F,SHA256=20D2808F8E5616A1072799ABAA5A85B069A13DDDA796455E9D82B30702EE7B1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0187647.WMFMD5=96A936BEB8C96C4C828CE1B3B749C2A7,SHA256=5074C80A9FCAC26D58DBCCB6B15EBEF422E456523A6225CE149688F4DE2D09ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0186364.WMFMD5=C6173FBBEEFFA91112777716339D6D9A,SHA256=09DC38FA2E2CC4A3FC2081F1FA741AAA51811B21441E612BDB7ED5A0464C2B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0186362.WMFMD5=5B752FF5D42CF71BEE188C4706F34A74,SHA256=8E0DB221ACE7785652D322D5D79AA921616B6801DB71F52AA55A13D6D3631AED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0186360.WMFMD5=6AC32842DF47EDF1BAA3274F84191628,SHA256=58B3FDBD440605DE9CAE4829163ACB2E367DF377288FE9DFE1D4794799E0DB35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0186346.WMFMD5=C754734657860291B6BD3BF66F45FA35,SHA256=4E8A0701822A94A86A11BBB2BDA6D8BE640277AE3644565E3B0FFE9F8E193FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.215{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185842.WMFMD5=C6DB2A90A079B2F40C8033447C1B63EC,SHA256=BD1A24ECACAF5ECF515E5AEE2B7309229861A8F4975E450A31DE3A665D023C53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.214{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185834.WMFMD5=A4E451D6289C072FEB35A396651872F1,SHA256=AA506656D107B281AEECF023B70E7C663861E8E47B1C1C3FB22F2A234333C842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.213{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185828.WMFMD5=19E397BF20E1E1CBA9085025B7BF3446,SHA256=BA4B35684E3B232705B45271C06E95FB775EB3F562AB7E469BE1815D88FE0339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.211{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185818.WMFMD5=4903E93EED942D2074DD23806AB0069D,SHA256=157717A8D5799CD6CA638F9C33835AF0E3E14F7E5761E3623AEA598C3B64101B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185806.WMFMD5=4E97F069C5B55E4246527FB11E645CC7,SHA256=B4D9009294701A80864A1F242280BDE904796C772FE4BB239EA05D3E2CDE2C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.207{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185800.WMFMD5=83AFD421ED6782D6D812181EC76A2725,SHA256=9B4C471326CECFB6D01353E7C3E7634A6519DD60E3462FB9C532C99916D82391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185798.WMFMD5=2A47047DCBEA882FBE85EB407B77C172,SHA256=0D47FE98974DE1407F014CA563B148F4C8002D447E5843787E56C9FB4F2B8E65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.203{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185796.WMFMD5=DC1D1C375C9B2CFA7D3F19762900488C,SHA256=237CA0F94DAECFD4D3D07322474DCB0A63B752087035E714D41A0ECF9936BF0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185790.WMFMD5=59626E498F9114AEFB1FF02EA350FE5D,SHA256=1C0AC02555973C7A983CFBF6C31CCA0400DACEEC08EF0E2C0F89B4A83193FEB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.200{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185786.WMFMD5=362335E4716C095F916E0098DD331DE5,SHA256=63809D559D7C8A325463EADB249F7EC0F5F46DE4478178AB0E7B83DBF8417E1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.198{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185780.WMFMD5=D8F6506F4718049186347FD7540FA04B,SHA256=6BF361B05170AA82AB1C7815C4EAC68A4D212ACCA0409B66C09E4A70B33FFBA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185778.WMFMD5=B916796FD9C5A3EFE3C28E904B39E497,SHA256=94345028C4521954D56712A10017456110E06197CAE80641CB27B6DDB9274B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185776.WMFMD5=92F09C81F109FAAF6CDD20A65827AC0B,SHA256=929EAA9F9ABF0B05D4A60D73B04138C1B21C808D8572D7920F35AA3201F5AFE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.193{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185774.WMFMD5=D85F9C0B398A5809723564F1AA11FC3D,SHA256=61F5D7B7A72E8F9773BF660099811C57783AF579E40D8B731E57BC427B61AA62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.192{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0185670.WMFMD5=6375881CED1280DA7C8090976CCE7334,SHA256=8813503D43C0B36AB19C220EDC78D27DE81176D8DB555C2BEE9CFDEECABFFFE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.191{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0183574.WMFMD5=463E63644ECC87D9857386CC466C6125,SHA256=6F3D8E48B1A7D57E572DC6B5E97A89F7217EA02EE0187AE9A6E62122A4393917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0183198.WMFMD5=05879D8EB3A6C3F17B8377D92CB1BC43,SHA256=2774D2B9B261D4FA6E21DCF5922DFA2E1BD7DB079D2923322BE066EFF4F91E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0183174.WMFMD5=BC48AA8DB7D45902C7E3133135DF74E1,SHA256=D65EB1AC864CE85F478159B2E6026FAEF5456AB77D66D04334CC619167B84957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0183172.WMFMD5=D19112716B1B32BAAD5DBD5DC6D8B31A,SHA256=711B27FC856127C27800B1502277D2A29CCB0B34275C7A6E2BD586BA9273162A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0182946.WMFMD5=A94ADCD0B36FF528F9179C8ACD29D9F3,SHA256=07555C99D7B0B4EAED87D3F24DD4F04318E7068030078029BEDF6895E26FA08C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0182902.WMFMD5=B21C9672C0838A6FB3F3082AA47E8643,SHA256=3D7039012708BCC0889AB4169D494AE05FFAA352D1062E471EE64DA409D6C6F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.184{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0182898.WMFMD5=DE050FC7895F05894D840F00771350DF,SHA256=7E8626B2729105AFE71655F268C447C0731044701D9F4474A9F05C0619DDEB64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.183{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0182888.WMFMD5=671A471E46BD1624677D32AB2EE63FAF,SHA256=0CDA3E5568A3F06E19B2E362C8D6ECC19B3AA7EAE58E824507ECFEB1670E0497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.182{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0182689.JPGMD5=3DEE3E01F5B050C305ADB92030BE6364,SHA256=F60C594A7EC3AB8669CCEC99E6CCB4451E4642F5D7D7B3FB83D245B65C60DAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0179963.JPGMD5=6614C6633032B406313E3D96119FF75A,SHA256=95BCB3F7F3BCDD3F4EBF5500D8AAFCBD269AEFFBB088555C344F48E6445F3480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178932.JPGMD5=636A3123FB636C29FAF3547A10163C35,SHA256=644ED323406B7CA96EFC75E4EDB20F09D2A376EF37B7EBABFC413799C886AD07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178639.JPGMD5=FA1189A0B6AA8AAC273F2FCE96F9A674,SHA256=75B48CA4BEB6CC0F8A3F4DD35676C8E40A710F9AE57D22A429AE32FAEB03AE42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573AD5665356447849A111901CD7F595,SHA256=53CAD09B2CB9F3538154C11F0C3B756859B46AAA576FEA59722C2E27303A0F07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.146{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178632.JPGMD5=6A0FC41F26E2D2C09B92AA918F189B25,SHA256=D688B8CE49529FD1F6821067116E301F22CBB872FB45BA7BC4C4F1F916F4CF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178523.JPGMD5=32B02BB4B9D99017E3658E87C67B60A5,SHA256=5ED01C960F96E225FFE0B552018AEE6CF82207F7639F010C506ECF3CE74E802E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178460.JPGMD5=ED5D6209A139E277518573AB0944EB7A,SHA256=EBA3EA8C86497CCC423E906B9EC123C02690904B4443700CB0F8DB0CE323294D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.137{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178459.JPGMD5=369E97ABE816A5998BCBA306111AABC2,SHA256=DAE257DE62D950811BFA3B1F92E2B2D5F621764E18EE3CE7FEAF63F72925FE5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0178348.JPGMD5=8287586B355E4126D5ED4E897881D21D,SHA256=5C9EAE4D5628BAB3D517B3378D9C13A29438624466D31EB14497B59CA75A84FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.131{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0177806.JPGMD5=FF452C0A572D1436985DA3A724449B26,SHA256=596635982F49B1F83105A5D4D688C24DC6CF614018C8A3A7AC87373C17F86887,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.128{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0177257.JPGMD5=3F935DBA5D532383A49D0AF12D21DA5A,SHA256=24FADB44E951EA1F031039E4BAFF65D1E63AF990B008137AB7B3B4416AD8FD63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0175428.JPGMD5=BB89B53AD0C6926D2C1CD52E89672E74,SHA256=4ED6C9875AFA52D1B19C38F2DB4A67AA15991CE4256CAC979EE7ECB1A8B89A45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0175361.JPGMD5=8EEEF4C93A7185DE4F2945F2D571EB1D,SHA256=CA23FAAD385A0B9007D596F4E7A2520A7E7D4EBEE6DA2CA70C1277FE533FD81D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.123{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0174952.JPGMD5=07593F38C88BE6CEB23FD8C804E3E8E5,SHA256=1762825E5D841804023FFE8AA4F627A4A07C43C09021C39836EE24AEFE008881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.122{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0174639.WMFMD5=AF61A915FA39A8FB28C05DB73187AAE2,SHA256=93A8BAFEB6087FD07422E5CD3D801A618DF7FFF9C04C26F7C6F36B0DF1B689F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.121{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0174635.WMFMD5=E7FC5E99FB2FF2588F5AAD27DE9D2BEF,SHA256=B0A8FBB613363DBCE9BF63C017C3E4EE0D00BF200BCEFEC1F2236E09C2DFFFAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0174315.WMFMD5=B1CBE583095FDC90948DEAE15F6FDFD6,SHA256=1636B2C2B0200C0686AC5C644CAD4A9CFA0A155D0379D013D7C8886DC6C7D7FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.119{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0172193.WMFMD5=3B7F00F846AABBA679B10C41814FE15D,SHA256=CEE48EDE2D0BE8B84D54F046A3B537407CDC8A6FD5D05C2674AE751A8AEAC199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.118{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0172067.WMFMD5=8696854C05E885CCE618BDF50E0E21E4,SHA256=36CA7AC78F538A4F14884F56990DEA29B741CF92A3200767BD30BF5928E33EA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.117{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0172035.WMFMD5=B5E6ABD9033A377FAE5DDAC413E96ABD,SHA256=950D483519CEB311E054AC2126C1F194F22B429DD8BF13D476D670A0BBE4570F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.116{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0171847.WMFMD5=AC78274061C7FF3104B7A31C7488A9CA,SHA256=071E8010C79F560F3C88B85947F10D83D3623D10B0150D7C248BBA45B8B32CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.115{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0171685.WMFMD5=858E61AC6AA7CB63A8A6E6D51E341725,SHA256=228EE7A7E76E8D60246AB0377605F7CE3C59BBE98D89B1403F891A491A30D2C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0168644.WMFMD5=438A766367475723950E3631645F4F59,SHA256=48957DF974DFEF99C4CFF2DAC4C5F2906EE714F09EB6E78FE81420D48FA27518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0164153.JPGMD5=FFB71EB436C01F53F6998C70AA8277CE,SHA256=51C10183E88CF43A854698EFA663099287508367D951551E9EB9FD151B5EFCE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0160590.WMFMD5=2D7F28530A83987CE95ECFD52CF9F400,SHA256=1D1C8853F6FB860019551276A301293910E5663A8ED1F5D1D79A27C2340D13F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.102{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0158477.WMFMD5=E66EE2A758B731F6FC8966055CB1407F,SHA256=E1B9318417365A8D0D78527F8CBE8064A9CF3CC94F4A2FA005E0C3526A64C423,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.100{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0158071.WMFMD5=4ADEABD68DD048F34453B784CE004F19,SHA256=5406303947F64CFB3004B3BE17A1026547FAEE8338463DACBF70BD0B624CC2EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.098{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0157831.WMFMD5=5A02F3E27B3234B6359E05EF995DBEFA,SHA256=257B9DE6E307B1AF834BE063C3A8995B92D53868B835FE28976DD41E00DEF890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.093{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0157191.WMFMD5=C4A0C15EA9F183459BDFB9A3528F30ED,SHA256=65BA4A246E9EE189996C941D940B48AD6CB7B984BD7E3EB590BDFB810851E4E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0157177.WMFMD5=C8F64307479FC972999D9759CC682156,SHA256=B2DE109D588EC6FF575CC07628CDA6FB35592DCCCF0D8788E86B75381062A0E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.090{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0157167.WMFMD5=EB694A239F6EF43CB9984DF35FBF078F,SHA256=1EDDF8FB255EE854100814124799BCAB3834E8069BC9539717F1BB66E8D6AC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.088{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0156537.WMFMD5=3CD37B27E4C0CD70F3C9717A8767B35E,SHA256=CA63DF5F88D563453C0C61DEEB2B45DEDEEB3911684AEB39D75C2D6E9CD33750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153518.WMFMD5=90916C7AE3A6FB3E6AC1CD3ADB63BA28,SHA256=72D0A992374CB0A7004735EF7D5270DC0BC186C485F505BDE28BC1953CC52A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153516.WMFMD5=AB7109CFB0740DA440811680EACA268E,SHA256=80428C36719D513E4F736C089C922D298FD57E32CAC2B1E4B6EE98FA9D9FD405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153514.WMFMD5=120D41452DF527DCE5DCADE3804C8224,SHA256=0747BF4F2348204D3BFE87C2076E9D6907A7E683633CFB82DF18843E36637061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153508.WMFMD5=966FB9245E7967AF1F18D83F334B7410,SHA256=CCBCA505AFDC517821286844929C09839FBC727FD59310011C4FA2BF8749FF93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.059{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153398.WMFMD5=C6799E580B0963DC61027BDAA07ADDB7,SHA256=D3F06E7E0DD16FDDE0FCEF8B727354185839257EFADC6027DFF8C8845BDA5812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153313.WMFMD5=4B05E470F971B1F821F2C49E43412AB3,SHA256=9EA82B4A263D6AB8A22050E09DCA4A068046E956458864FB7A786FEBAFB48E21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153307.WMFMD5=5AA4841CF1D957A3765F8968E1D4A23E,SHA256=F71F65AECF8D9BCA88C180C0B42D51660D4EEB10A524F6C9C9E53253FA00011E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153305.WMFMD5=D26E84123CD48ECA4D391D0FF9F4674E,SHA256=49F7913C5B15220304DBDE3957C62F68A131CBA0B566974613F3EDE996B6CEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153302.WMFMD5=5771461A48D21ADB65E7FFEC3BA4DE09,SHA256=C8F4FD2900777892C99A947B71944281A9CE1D13796386BC0FC961E923C38397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153299.WMFMD5=BCF7DD88EBFD062FF8794C4C76CB23BA,SHA256=AF64646A8A56023BD98477BD200BA686CC71BC85B505E87405DB364352A0FFFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.051{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153273.WMFMD5=DC920818F93A7CDC8A0D8BB72B348EAF,SHA256=A45C1F56A29608C614E22A6F74035F5243F32D0A95FEE059E17B4E776952B8AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.050{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153265.WMFMD5=6E713F0DAA9D5A62A9F6D49C36B70DB6,SHA256=7A6CB95A47AA3E2CB82BC426C4C0B246535828608CC9AB233644589143A4AA6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153095.WMFMD5=BCB69FDE4AD05A6DCFE855C66DFC30F5,SHA256=BA99ED5BB697444764CBF167E930D65BBC6EE1765444DA1668E5F75C3F1FFAAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153093.WMFMD5=9FD44910E1F9D3AFF042E72E668ABDFE,SHA256=44EC39BA0957AAE3D979D5CDD811081F859E64F7ED5B32BAC6675FA0115A163D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153091.WMFMD5=09B8050A4029041E776E0447D9B21A79,SHA256=B0FFBF3DEB29738ACD3608434C8E8AE8CF82E05C4143CDFB4F6359645D0EFCB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153089.WMFMD5=A72EE3F017A27B72570F06F819F8861B,SHA256=C5F06E9B40BCE34D69F2DC63FF0BA247A3868377005A34F23EE35E5DE85A446E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153087.WMFMD5=DF06FDBB59B88FC8ABA9DB23A224A023,SHA256=4F3CBE83EC45872E9486DDD696CB697800752B9F32CD791641AA0383B08AF2A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0153047.WMFMD5=B3949F4CC7EBAAF6D6E3D22C610B7639,SHA256=9EA2EB79E6A3D9A23BA0FCAEDA66F20B06836EBB565736487996D0B4FE8E9562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.042{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152898.WMFMD5=73AB343233BC6F8B620B1930867B2D06,SHA256=2FD3F5A21025A3A5B4A11F979E7F31595F01F5D98D4EE464904E0F4795D1955A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152894.WMFMD5=ED35C6DB28FFE9C54AE87AF201E9870D,SHA256=429A389B1F8B0A35794BC5EAB49FBCBD06B442B80E1D32E195A7B61986C964D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152892.WMFMD5=9A62700E85B26B31BA9A416DB9D212AB,SHA256=D4362F04F3854D267AB3BA8EC97D43E45FAE7DF609054F2B45343431C350177C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.039{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66C5025CAED00DE2EC861CA36063AC9,SHA256=7B18C9C204277977DF5C14BDA5772FDFAF0BA661721AF6BE9EA56684EE0DE30D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.038{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152890.WMFMD5=5BB5C91D33C3AED955BC03F1815C69CC,SHA256=5C5D0500FBEDCB49BCE20077877B52D647AFE2CC7C61BED4BEC5F49D4F889E14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152884.WMFMD5=C8F2CA7158D6DB1DB40BB9E883790200,SHA256=547D2D23A3425F89A2C1EDFA52CEE0BA7C508C9FD7BF0E2B9D5C6302CAA3493D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.036{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152882.WMFMD5=545294787CB9DCF19E58040CA17FA321,SHA256=8189EC0852279FCC7624B87722F091DD76822F66E17A61D0DCB127B21BAE8163,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.034{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152878.WMFMD5=2F0D1350BFF5260F5AB10F3C4F268013,SHA256=F7EF17A00B8FC7CFE510DE964EE9DB76102AE0615D4F1C78501919075799CEEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.033{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152876.WMFMD5=4FE73177954F6183D55619184F955F4B,SHA256=707F84A6E3DA554CBC4B29B18FE1F08814074B6A99A5F880464B465FB9FA3144,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.032{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152722.WMFMD5=94231DADCF06BFD335070689668CD602,SHA256=72BF32284D985EEE964ED3E4B508CDBCE001897F19DD99D2C68CFC5E84F21BF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152716.WMFMD5=AF5DEB4A262A7214C392965B7507EE9D,SHA256=75AD5D1660326E53F12D0791AAAA8B68E45AC61E50D8C2AF4F7F2BE350CE0075,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.030{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152708.WMFMD5=BDA39A8A3A3661E79A5CED9EC641FB30,SHA256=8D27D353FB2E9D3E2062F0108E490E573B97D13DF5458556A8F7774BEFBC2355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152704.WMFMD5=5EB42B845FA1C810E4D4D621695620B9,SHA256=FFA2352E1EB2E40CE38A751D541F0D3874FA594B36F80725725B5481A56FDAF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152702.WMFMD5=5FF7FD26F9D9E02591216B114A96E3FB,SHA256=572488C6205670D4F183EE14AB59FFD660C3CA7DDE1B92CD322114A5D410021C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.028{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152698.WMFMD5=86B1CD9B90F0F4787C2376871FDDF341,SHA256=B956CEF2E8E8CE0EBDB96FB622E195B047553CA1E707D93E9FE3201311573149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152696.WMFMD5=FA2A7CF48FC3961E34ED96AD04600685,SHA256=7AC686C682E7F3FC82C1CD43780FA084C66C28928D0517838865D91E1D13EB4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.026{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152694.WMFMD5=95D3215916F374FF89B626DF5C951332,SHA256=235DEA815F294FBC7D2697B3E90FBD815D0C3087FC8D7EDC6F05CB0879DBE5BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152690.WMFMD5=8A82113F56A8BB049D2B70E0889127A9,SHA256=D50AC0D1CADEE997F9EF3B63CB410754227994C5FF3B1D855E6FF4898F976F15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152688.WMFMD5=87CE5FE138C3AE2263ED015A9B1FEE20,SHA256=552393A2A19DEB6F57F41ADF8FCB5F07505AED1528C9C9EF26AEF7A472480C97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.023{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152628.WMFMD5=17D4FF5B795D13AD9A960ABE657E6F42,SHA256=C7C7067D8083A091DC2F52C3A0EA795947A9CD7CDD90F418A6001C8A9B4E432E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152626.WMFMD5=43383816B32F56DC951701E3F32A4477,SHA256=9C894AC1ED2A79BD83D13D3126AF231CD1304A69CE58DA1212411131416DF627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152622.WMFMD5=07BB307F47FC6217C265536737EF2A10,SHA256=21BB274A4DB6052216E1E6FAF5C54A6010C2303CC9DDEBD2980CB95ED9ECBA4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152610.WMFMD5=3BB2FC78F13ADFAF53D7CBB265CD4E45,SHA256=5E737550B0695C8549FC402DBB3AEE90408729318D537CE4F3571A8E8CB103F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152608.WMFMD5=5B8484DA5EA40892E60D0A77AC4056C0,SHA256=661E1B3E2AD012EAA460EFFFFAD3171F3ACEDCDF188493A4200A22F5EE46A369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.017{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152606.WMFMD5=D36AB9748730A913ABE0FFD4C7224473,SHA256=CEE6E12E69AFE36ACA8F49CF05768D9CB8B901785553086576117B2504E9C933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152602.WMFMD5=744234A56AAC3AA45A0E53DC19642576,SHA256=9D45055A10A8EE92302A2FCDF471C875804D05A157C6C521B1889110B454EEC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152600.WMFMD5=C293548E46A9DB84F6FFD32DA9CC23D2,SHA256=824C9686A9D9CAAFA2A71CAFEE699C629E6B3E540625F833F3ED3CEF7AB20466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152594.WMFMD5=A741BE115F7D132B5063D307A22314E4,SHA256=027921B0C09DE2B0FB3501A423B328C693AD34BBB5AA73237ECFA1DB9DCFE0F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152590.WMFMD5=27A537FC556D66111230458EDF534FF5,SHA256=063EBF2CB6D0DEC87262DA7FD68178FF5D3E208B68E0AE637A82C84A55879874,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152570.WMFMD5=AAAB2D0344E77CB111E788B4EE9322FC,SHA256=A6260E443EA28BE796B02CEEF88CE3201493935AB33560310C031F007E32D621,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152568.WMFMD5=4CACF667B4598C93B3A26B643C0A3D96,SHA256=36B3B651782CC23CF766CCFA04CD2AED977C7FDFBAE9C0518E2C0872C4389E1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152560.WMFMD5=A49DE5E78A8956DB5962A2B7D692E057,SHA256=831B94AE7B0C35C756F6DD805BB1987B9263CEC1B5EBE24FBEFF0D0FAF9C7692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152558.WMFMD5=4D85D2AB71E00BA52A54DC3E3D6373A0,SHA256=4C68AEA800358EFC61F2782C45E6BE30B2C6D71264A2C0BF96EE9564631D48DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152556.WMFMD5=656971D8FC4F7E637FA63348B1CADA3A,SHA256=DB113746404433552DAAD435F507A867DC74EDA12D47ECF474BDB065823B5926,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.006{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152436.WMFMD5=AB33E4363D60FB79AB5A84D667D5A227,SHA256=46F6E5B59BAC71246DA17CCAAAFB62CBB0B2F1DC5296BCD653B3B3FF806D26F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152432.WMFMD5=A73C07E0CBE4190B33A5E9F2464B3893,SHA256=A06BABDA3CEC394C7AD44E689723CCCD06C2685E35549621994F1707ECBD9D5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.004{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152430.WMFMD5=9E4357B9AC6A874A8B3214FD2DF22D52,SHA256=96B0FA89CBAC57BD610730DB11A53E0826643E64372BF8BB8A0F4863A65B7F0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0152414.WMFMD5=32C408E70297121B24F6B63B3AB48753,SHA256=300A8F4CF8529DE4E6C67AFC5B4B2E84BC41E255CFC978AB317BAE8C9EDB7F4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151581.WMFMD5=A7D34F6A36C6B68D96B427B95FE49CC3,SHA256=CB4696424AD1E7CFD3ADB31E8E49D4E3A237120AD6B4186EE04D823EE9679530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:09.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\J0151073.WMFMD5=2A1A02EA230FB5A5B92E8773E96FCD81,SHA256=55054CAA6C5B71F351A8852D1A1F1BC06C95ED2BC6B9C41BF63D807545D66460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win10.mp4MD5=E75D071DC0416AB3F32DE43EA7F12DCA,SHA256=E08C4F311CB6DFDB02BC75DC1F0BE305ABC5FD6C69BB6F3DA260B4803C26A594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Wisp.thmxMD5=E31B3F90DDECD848F12E08DC125D4C4B,SHA256=D616240045DB7E9E30840138C8CAF0C554B09ED4259A6D6BDBD422B58B3846E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Slice.thmxMD5=C6BE245A2474B3CCA49248F8DE86AF9F,SHA256=1D3B0AC03AB2A9CEC89A78CACD6CE6B0B4579A3F93B86110E93218E29658047B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.971{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Retrospect.thmxMD5=126269588DEC71F54D53B563106D0500,SHA256=0C11107C6CF799125DB9352E2F3A0D2B9ED5D55CBBEAED66D79464058598D94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8503D235A66AE00BB9451F250581B5AA,SHA256=91E9DB9E7951545FEA9B0F158386B81ABCB8D85B6E665EBB7A4AA2DDC9F86C18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Organic.thmxMD5=476CF35ED8367EB98237B6428266D6D8,SHA256=71739BEA66F1DEE0789A7675ADD098123EC0E8E45EB74D707F6412B28FCBAE81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Office Theme.thmxMD5=82A1D813419E2C9F8745C6BDF7FDA9DB,SHA256=A8D4016EA143FCA5C3E5EF5E1C2C3116A971F6C4BF736B56FA9142352898882E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Ion.thmxMD5=EE05203576F8F268CE558BA73F5BDFF5,SHA256=53D01AD9850E60110718ECF3FDB661FB4A67AC19A67345D52B83112F6CBF1C3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:10.200{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284363D734D8C3816258A134D33D97D6,SHA256=91F1909478D36B2A4BD70E986A6DCEF7A519937B05D5D4455C2A5764D96AF050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:10.141{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-102MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.827{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Ion Boardroom.thmxMD5=BBDA6B092206019EF60EF8FCECB3D53D,SHA256=F286164675AB9C83F72A4E8CB39218F9A6421EBE58A2D2C86532AEDA3725354A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.814{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74254C8721715D1DC31C238EC73585EE,SHA256=3AAC727327C41CB4E38F299F0FD99586BAA54A79526FFCA5C55E78462FEE2208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Integral.thmxMD5=AD1C52DB4C29726B3A2D28DDA1110F76,SHA256=7973C1386416C251569ACC3CDBFE04DA848262A9A2DA998F915E000BFD6B52B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Gallery.thmxMD5=EC5EA899CEE6C7769EE14C36DDFA59DC,SHA256=064847F763EECAEE610A3B524A12D2199A0715838EDA59EC6AC627FF8968CAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Facet.thmxMD5=8EBD58005DAF9C4EC15AC2530D3A4A30,SHA256=D3AB94FDC32B10903AD444F6F3518F93C3D7348FB945168DD8140C74BB7D7E26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Tw Cen MT.xmlMD5=CE569DF98F0BE86481FA817B9F2B4328,SHA256=B7DD4B4032E294648F3A0A8E50CEF1271218A37C25E4C992431AFA43D22177B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xmlMD5=6D04B897B4FC66E87E137C535782884D,SHA256=F164A2A668A8ED20FB216AB64F0A4E9808B4BBD0190C6BD21E495BE0F959E08F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\TrebuchetMs.xmlMD5=95A7E7E8B3C35B6C36130676533E8D45,SHA256=92847066DBB3DB5A55F90C9785E0FF64CE9FE26BDC5866F1D222C182786F5789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xmlMD5=5460AA7714EF9F10A170C365BDF5C18B,SHA256=54A6403951D3FC4873E767E70684B5E6B35E1B97738150D1A2470A4E2CFADD8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xmlMD5=463605A416FE8DEE021247B14C8ABA62,SHA256=83AFCF532050C7CB935B71C907DF2BBFD17B9E103331A7F95085610403CA3FC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Gill Sans MT.xmlMD5=AB15D2B522F964C4B9F1CFAA5DC997E0,SHA256=5A0C6A1BC377D9B5958CF2DCA0D24489C82280D232A4268F83224DE246D9A29D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Georgia.xmlMD5=C4453157CAF25B9E47CBB3FFD945A31F,SHA256=4B3B493573F242950D104957E2AF50FBEA73855285078DF29FCD308C8CF7F706,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Garamond.xmlMD5=B5164034ABA24AA08B73D76286ACA3B2,SHA256=C3C87A25970029FFE268696543BD10CCF8155E5A66253F936E6B8C1E59CA3D57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xmlMD5=3D5832F3AFACF334BFD7CA80241D3942,SHA256=27D0151EEE65CAF1D4B13892965C91044228542F6F5562389C85E3BCE800FC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Franklin Gothic.xmlMD5=D3B8A0C15819F1473431B8F2695848EA,SHA256=595A482676AD85C7D2C14C2671F2F1345FC6D4DEFE0BCCBB2ABB571694A11050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Corbel.xmlMD5=0754AF531FE21C464E91580514B1EF9D,SHA256=63DCA3A2A64F37A4D7AE8314D72E5F9028DCCCBECDC451758C7C6A6B4C4A7AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xmlMD5=92FA9BC1DCA91990FB77A8F522D38647,SHA256=0E6438BDEED1D24B6E72CA7564E15994E08CDB48094ABDF840335BCD6BCA0356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xmlMD5=037FB60CEDDAF7609EB705C34C17FD63,SHA256=EFDAE60C2C05C11FC73D29A190E544CED449E212D8A7A24ED6F5470339599879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Century Schoolbook.xmlMD5=CFCE6DD2B8BAEBF235AC0740089464DA,SHA256=91953F57064F46F7484AB3360204404C4BEC5C5875AD1E3C5CD2843670F46C54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Century Gothic.xmlMD5=22FB14F36358B58DB85AB25BA76A0BE4,SHA256=BDF30D47A114656078371BC55BA5C51D59CD681A1D7010CD134458D1EB8B5133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xmlMD5=65F03CC5FA23AE7EE8C6859364D698BA,SHA256=32D0D481EF784B4A3B70B721A1552CD52AF9A511CFF05D90EEB191518AFDE90A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Candara.xmlMD5=17E50BDF2340FC9CE7E45467904033C4,SHA256=C671E4084A4DC7708763ED2DD706754FB024349E0D8832DFD2C15AA32DF0D969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Cambria.xmlMD5=954972942A63ADE650D93F36A541BDDD,SHA256=96B67FA3024C6FAEA7EAEA299329EB6AFDE2A6289DBD12AE627079F87EBA1DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Calibri.xmlMD5=992D5D2024F4978C227D9AC610269788,SHA256=679ECEDE45B2B98D570FCB4620FF55D4C8B86E859E86989D42B87A625C61EB61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xmlMD5=F6E8A52AF0C75441DFD9773650C53DF0,SHA256=A5E556327E6365455431F31A42E52CB2EFF80A4FC4A834F4FBAA0CAED89F4B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xmlMD5=23BE801890BFD5DD1FBD678DFEF62906,SHA256=4AB549AC96DABF448719420ECC8368D21BEF4067EC8D7EDC2D163B1615FC30A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Arial.xmlMD5=6DEAE140E327527FB3950C28568B843F,SHA256=21A0360D7296112164F046BA5B90333CC815FD957D1AE8B398A64DEDD69A1780,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xmlMD5=5E0DE1EA5BFF6A1E73BEFBAF834DB8E6,SHA256=26FA6848AA2B6E85D9CA3DD0389C9B3F5AC9F202092BFE81BB5BB983E5515CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xmlMD5=69DAC39F23E9CB71D0CE94CBED668FE9,SHA256=23F6610F341705A0BA4FD155611F3984FDD0FF4CD035BE9ECAAC71EDB1D41CA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Top Shadow.eftxMD5=E4C46F946CE9A4ADF78341885965A405,SHA256=629FC4F95EDF719B83383D38676CFB0EDFA2ABE3EA5F80FEF1FBCE138387E284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Subtle Solids.eftxMD5=AB3938F09FECF057B3B4218A4FF4CE11,SHA256=604407B62F5EE72EDD7DDB67D8157EEA807878D1BF103E6B872104083D00E5A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Smokey Glass.eftxMD5=F00888AF1166B0FCA74B2FA41FBB4196,SHA256=411B88486B9F750091C8284F5906607E8344ECD4873F5F6D248984C9A6C02781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Riblet.eftxMD5=FD6F59001B7059475EDCFE00E98ADBEF,SHA256=F20E43C89052884837D6097BBE1D53987C05CD3037FC4DB07FE94FA968A2EB14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Reflection.eftxMD5=073466386D7A9C72AE25539FDECE221E,SHA256=0649A8575E7289D5DDECE8CC8FB0837BC81E96C9B42724678C77192D17A8A3CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftxMD5=1CF5C03679EBD87D8BA4D47DCE1AD615,SHA256=6241021CAB54627A4161B7ED18BD20A0575FDA6760169F7C90FD38C8FE0ECDC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Milk Glass.eftxMD5=721B692AB0B107CDAF947D0A84EB5CBF,SHA256=5AF25B93A06F0F0BD3A857367FE651583A41A45928BB490488C518F307ADB54C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Inset.eftxMD5=AC6FAD47FF29EAA54C468759E05D5784,SHA256=1F0A41CA55A704A78F1B7ABEE7A6F30EA754FE6F2534C583A6DFEEFA40099798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Grunge Texture.eftxMD5=B78E1DF8F2C97C032104FC4358D83F56,SHA256=79833C4A7B91B79B9605BACA5AF026B852F4A814A61DBC105B8B703969A32051,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Glow Edge.eftxMD5=D112AC88187ED62D87D922A5014FF022,SHA256=5E2AB5DF584FEC7DF82B594D9375CE2CD442B0CE1DF8E98DDB256B96F01C06F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.672{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF8EA255B390B7F3F0DA18B8AF43F90,SHA256=6ED2BCC96B4EEB08BBAF7600B0BDB70B1ED756B8E54084E5177095B61459A866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Glossy.eftxMD5=A7E47170E14C627AC56DB25A53D67988,SHA256=2521A375D86B418D782C6933DCE2B9A49AA407776974B7830890AD17C8FC7A3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Frosted Glass.eftxMD5=8829B8E160BDBB58D7ECEEDA6596F334,SHA256=86DCC88C960FE7F0B9FAFC29B7A3BC6D1862A1E07B9CE98DB5081454956CF691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Extreme Shadow.eftxMD5=1DA1B380B2DF7EF309742602C79E347A,SHA256=CD2F0AD5289926BE9725FD53FB92B2F23DA12115B54FAFB06614CA6D60C682A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Effects\Banded Edge.eftxMD5=EDAF876B1FE1304318535C2B937FE1EE,SHA256=C92AC05E7F69E7295D8CB0D20CC0598D14E2E1AB1EBDB4BF8F12DE19CB6BBC69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Yellow.xmlMD5=769200F906E3F84945F30815A0E65685,SHA256=463ED85916671FEC82ABCA6268CEFFCF783A7C9F472486F94391415918349A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Yellow Orange.xmlMD5=4A7887B3A5658FD7D5C959F3C67E2F72,SHA256=21753ECA8BCF996483421102298AE8691C8CA62584CB596A670ED3282BDE9642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Violet.xmlMD5=0FE15D53FEE73539C9B668AAD1EFBAEC,SHA256=BBA8DB5F33F54F0DC764DCB2CA3837A01629F2C00065AB673C16E71BD6F14161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Violet II.xmlMD5=3A3862C67B705C7A2065242EA8E73A1B,SHA256=6632D3ECD6B6252EFC7D8F757365128DA6F73DEA0B775811053FF54A8A083F8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Slipstream.xmlMD5=6B5B7D36FB0C242F6E86BA1F56D3E5B5,SHA256=97EFCA1BCAB06CAB1723248D9E4D6D111EF4F891A3E5948591346E2BA8E499F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Red.xmlMD5=CEA91A20DC90548A8B8FFAB49E015146,SHA256=0DDC023BE25E2BDD93BCA49D8D1BE6B6C8358E3D70830FA244D72A3F8DC7A391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Red Violet.xmlMD5=58D03B7C60B11597F3E0B85D17813CB8,SHA256=A3434095A1EDEE4D99A2062DFFB3BD70C204984AE78975D5BB8124C394CB6A55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Red Orange.xmlMD5=2530F3A9CFE37D27F01E47A4D8C91014,SHA256=996A491D3847A98CE986E659CA5F7B89708DC645D4380EE0382A1F34874C47FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Paper.xmlMD5=C699F9E547465108C9B51569B77CC42C,SHA256=10061B53BB595557324C1B8B7F7E705A2225ADC9BAB4133EC309853A5601024F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Orange.xmlMD5=96E4251C88E597FA7053CA995EC108A8,SHA256=BE4346C34AEDE2460C93BCEA421D7C655492DB43F5B06A1460E378A11B2CCA21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Orange Red.xmlMD5=A1932BEAB824C96F89BA2F10B4428FD5,SHA256=A3AB0E39CD871904631396F977E1868CE2C9DB9273FAAD088F651CCD84CE1D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xmlMD5=36E5098835C490BB13487475AFAC0336,SHA256=094C9CCBF89D2EE78E8B3CBB72611D3374D25F2908F21B4F15F02836703BFF8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Median.xmlMD5=A7B7C140A0A5F983BC05FA81D7DB803A,SHA256=37568CB89AC2E4DE9A633278BBC56130AE17A3EA86176A3EDF2AFC63B702AE7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Marquee.xmlMD5=4174939E9B677A3F8FF3FD359EDF8E13,SHA256=72A3C9E428CC96690824CDBD5428681CB3E39A0373B1F440C0B869F729C737BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Green.xmlMD5=6133EADD056DBA345414FA8804285E03,SHA256=D67B8D1D43C138601E087CE18FBDC8925E7BCF9CFBF4E5B1F51C032A4625BA00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Green Yellow.xmlMD5=CDEA251BE79CB7F414313FC6E1DECAEB,SHA256=DE3D90FA3408EE38CA5901172765E8FAEA8B74AC4FC9C302817B35FEC015F26F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Grayscale.xmlMD5=9EE5E3431203E0109F2B67ED7B7112DC,SHA256=B3B1E270FA3E412A8255C6FA73D11578A9DAA085B62D2610DD9B55DC8BF29084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Blue.xmlMD5=DFC1A532F07941F960743F61F713BD2B,SHA256=4D10199D5D8C6D14C7F9029086FB258ACD723F543D5C8F04FF39FD2E3BF4672E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Blue Warm.xmlMD5=F841614942BF35D03DE57D6BB7D9EF07,SHA256=F8A67FD91379A4A88808D377781AA0A4B64378D267E8B2E80FD392B70E32910F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Blue II.xmlMD5=481F9F11FE017A325CB466969E1C2D3A,SHA256=8103B4A709012F35752F2EE209181FFE8A90EEFB8C65DCA9E754178CECB23435,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Blue Green.xmlMD5=B241E9C38DCB089898C61AD0C43692B5,SHA256=DC07AE0C5D1EB47BA1E5D81CFF256D658545CD0A7F5B4C5D5929B134CC58533D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Document Themes 16\Theme Colors\Aspect.xmlMD5=03EE75936EAD5185BAB35A90892140B2,SHA256=9C890666D56E27189323E869304BBD220EABD56CB87033BDE55EEF3EE7744620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02218_.GIFMD5=3BFC0875F7BF204874E0AD75B7A0F7FC,SHA256=4D8D48F59F831CD30C34A6FCC7187A470577BB555B6664CC08CBE1B1CCD4274E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02214_.GIFMD5=C9AB7077FE4722D9998A04607F88494D,SHA256=58AA13D853752315851B11209F0FECDCD7A52B68FE75074269978DF595BBD299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02201_.GIFMD5=A6A337523629BCEA29F6E6F2EDBAF12B,SHA256=7EAE5BAEFB14682B20547912A163282BD46CE8CC0AFAA8586B959A8C038CEDA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02198_.GIFMD5=41E8D23F205FD3E5DA7BD364EBFFACC7,SHA256=976AF56606F9B939FB26BFE4FE024B6448E74600B963886E279EBE53C274D13F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02187_.GIFMD5=6CCC3C8355FD806B1D8132047F43239B,SHA256=83635CD19EECD114D2AD9BADF5BB9709AD1A4A2CB4B5B6A55F0A72EDD25154D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02134_.GIFMD5=1637340B01096963A7E0DD543B73B1AE,SHA256=67AB062D526758E10C7FA35A1BB3E5A63C290EA63C897471FEF99FA14329BBE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02116_.GIFMD5=B2B588DF4ED34E2308641C695C6B127C,SHA256=F58EE91C7F0B09D3A72A72EC0386EAF6C0DE98A6DAB46A5925F5D558B5B36CC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02106_.GIFMD5=5012E89B843A8AFC67BC1AE216485C34,SHA256=C32BB78D38895BA954E998DB45547277A25779536FBE2F5F9E2A4D8320DD09B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02097_.GIFMD5=C66D6B7A2E7F29191199979B0699B859,SHA256=7A858AF9BF83F8B0495DF7B7A3348130CEE404B83B83DD749E54163D87A36271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02085_.GIFMD5=F91C1D0DA1B6F1BE3B44FCAAC106883F,SHA256=DA385F95DB027A368E4C7D78A3B3E9DBB7F090A5BA4325C48AD54B8C8F5DD96E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02082_.GIFMD5=973966381BCE700669FC5D8351B6A0C4,SHA256=7897B8D68287A086C5D2C5AA4DF855E07240E192F7C3CC6C792E9C179E87D286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02077_.GIFMD5=AD59B294A51BA4F622E8B5DC04E995DD,SHA256=597FEB460253797D83607A81988E07C1C0DA495D232767BDCD41485B6F5F6933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02074_.GIFMD5=5A80035D18BE8E02DAF3D77F715B4AB2,SHA256=5D827F52A7F6F2DE0DA8DCA09BBCCABE255498684222003DD396C7CBBEFD7B2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02073_.GIFMD5=79B22D8B0F019CD9FD650F7B3AC2A6DC,SHA256=7045ACBD4EF35D5DBAE8BDADEA20E13486D42188731D26C7A34F1743C2A2872D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02055_.GIFMD5=B659F56519100974D22AF7691B726901,SHA256=971FC93B8ADB38F2E4176AB8BE733CF3444B6341D104C0FAB396DB81CC9EF8E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB02039_.GIFMD5=E6EF67833D7E7731B875BCEE213FF7C2,SHA256=BD1092E6F9B1DD719ED10F9CCB39BCA767F315250F3A1FEBA64444C03E2AD263,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB01741L.GIFMD5=6803624CB2CEEBD4F6B952D58F9D4567,SHA256=0F886AEA7986514748DE0131758C87E23A71591D8C254180E45A8B0C2E3E4077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00780L.GIFMD5=4F1A733D3E5266BE970493E55564A8BD,SHA256=182437785D97A81100FBE5172B15A12052FE5AD82FD2DFD48B09FC4BCBBF0447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00760L.GIFMD5=8B6F69F7F16E2D3E3D856DA1A1C12C8A,SHA256=55CEEF05D4505D20F7230C1F01DB5509F004AE0F402BC977DC89C9B3C73581CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00703L.GIFMD5=AAC9D0F1865B924160D43C1DE3EFB873,SHA256=18F22F8CBC2BF362010D2046B1FF7ACE5C12224DF34826F38EFD28B44C0B78BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00673L.GIFMD5=18264DE9A0AFF8CF42C18B475666551C,SHA256=2C1E0C5ACF419C7F4BE559601DA09557EB7D410A62A4C0DD02F8111085A76B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00531L.GIFMD5=2D5E62E796C9FE943AA7209A5B1D5CED,SHA256=0D0DFBEC1CCF27A665648E0D06D5E5F01CA13706E88335D489E02F113DBD1AC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\WB00516L.GIFMD5=60FD036F59962E477AE4415768C84A0B,SHA256=701E3E0D99FEECB27C03E2CF603EB40DCB5481533A0378A4EA0BE41D0852E9A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143758.GIFMD5=424ECE0917562F82AE9834EFB896F832,SHA256=EE73010AC473A4364B3F87DC51571CC50624764AB955281941942449E460C94D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143754.GIFMD5=AB6BA80CB8072CE73DB9253C26A356CF,SHA256=6DA0D2772DBD674D6B2150CE9746200FF5CFE86F89CF4BE838040420132443E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143753.GIFMD5=B5D8BAEE15FDAAB5E3C8F6FB54F61C4F,SHA256=0034B0AE58E3D9172C4B81A3582B6947E77EE8962E6B502004C71C2B2E59B829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143752.GIFMD5=8136F3EAB1DB3DD4AD1E58112EE82971,SHA256=49C5003CE371329E586F4B32A911869EDDC2F2FA2FEE8B6B5561A96D9ECB0965,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143750.GIFMD5=14C37D5F96E81DAEFD181A1841169854,SHA256=B52722452896C431DD817C6132B01FDA49D0B3B315770742C6B86A3369747F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143749.GIFMD5=B575E0FAAE606ABA9EF297348F61B963,SHA256=7C3CD555CC41E1A323432AEB07F0999CE05DF72B561710637447EDF8A5943531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143748.GIFMD5=09B510CB02B7AF2AE0757F7DA93160AF,SHA256=BC6E383641CE590B60844B0F8750D72DE64549E5D3552D7546B039F5D4C88E35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143746.GIFMD5=DDBB967D45AFC2978E9E0FB5296525C1,SHA256=9292759F812917D33F79E0356CF5758DA483484092A94359272C6BCBBD1465DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143745.GIFMD5=3FC965DBD83EFABDBA3552128A447011,SHA256=231CF735FB879DD640123B361509E4C9F2576E3E9A3F7C93667997DE6597D57C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143744.GIFMD5=82204A2E9D87F484DF6A53C94FB01CA6,SHA256=E331E71D49D69D49162467028369D9F42089731A7B05E9863EE8E39A5A452A76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\Publisher\Backgrounds\J0143743.GIFMD5=AB84EC1FB7DC6FAE1666134D47DA5CCE,SHA256=CCD61AC5B0EEDD45BC8236E4A79997821F099C7BBB3879A7D1D80B16FD3A67C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WNTER_01.MIDMD5=7901A60C290E660E75811586A5660EE3,SHA256=BA8818AF350D976ED7679D879A7A93FCAD882D2D39527F524DF67F8FD1011DC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WING2.WMFMD5=6FE505A9074CA56BDE445FEC5C9CE201,SHA256=A2C769D89104A24C90E304FB3BB8B60C27A4BEE0E2048FDFEF5C7E1AC6F11B18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WING1.WMFMD5=4014974338010D2774CFBCDB3080B59F,SHA256=4D858076E5623CCD182D8605C1A648C3262D3BDEB8FA795FD64BB67D6128E3F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WHIRL2.WMFMD5=C41CD10A7912FB6F14423EA19CE39BEB,SHA256=FAEC7248AF7099DB6BB8B44E0951B2E765389F3E4FC995BAA691458FCA662AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WHIRL1.WMFMD5=B49D7096B397B8425172A693665A1B97,SHA256=0FCAFB52B6EE282760A4AC06FDC6A8EEEB08720C98D7C021A253B4E4E7114E97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB02229_.GIFMD5=C1F76A45AD09920E755D330CE3E0431C,SHA256=E5FC5F13500C08A8C51843E9CB6E6012DBFFA3ED7B737803F212754B3D4B6253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01843_.GIFMD5=3BA845D2772AA95DF4836C95362251A4,SHA256=7EA82DB9AAB0A9C78017C20112E0C9B12FE58D635EC27A7D47137B72B16DAE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01842_.GIFMD5=D7FB84645BCC6290338D3D0D06947B16,SHA256=0C5B2B56BD92ACA2E38B2C1A8CF6C0531DF1DBF41952AB084F5823E99A345177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01840_.GIFMD5=BF5FA3175269919CE8FCF7A90731CCB9,SHA256=0925FAAEB5D67A328CD6DB32515FB12C11E7A16CF2397EE3164F11328861C68B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01839_.GIFMD5=55112102C8B1394D7E64D745E6554241,SHA256=E4BDC55CAE60A8AA2555FD6A9EAD5BB32BC6B14856A9068577709FD2782FA496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01838_.GIFMD5=589E1FA0DEDC120C040745EA1B712450,SHA256=FE3CE8949FC17508A754993D52DDD077B18956F81B00811578354ECBBC062821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01770_.GIFMD5=27308A2395F13F9BFEEA1CCEE7164BA8,SHA256=5F0AF2D3A33EB652E60786CA1F3710BCDCC0D84B1134E9FDAD7ABF0FF3C11F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01751_.GIFMD5=EB13B1004A208B6C6DB26A0774D9A546,SHA256=67B8DF11825CA6D71484AF97EE5D011D64F5F6BA5C6E81011A3B9796B4C500CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01750_.GIFMD5=CA3CE416759B147826780272D7915FD7,SHA256=198E46D595F14FD287DD68B009CA3165B619EF272BFB1D35BFF14ECD2179A43C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01749_.GIFMD5=CC3F75480A4A01365E903AA5185E9300,SHA256=B03891D7D399A4424FAE4A6B56598A30E0DEA1210909F26459F0AE10722CF58E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01748_.GIFMD5=15ABAE734A9B08BBA229CA01473F6259,SHA256=E7315EA314EA13026F5405CFA063E6FF08431E2B274FA061CD3BA350A86AF8B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01747_.GIFMD5=6BDE269B3002A8389BC4E5526A132BBE,SHA256=94D3527839C4F6A0C5617F1D7740DF9735903FACC197E167D73210AAC669F54E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01746_.GIFMD5=54AA1B72E82E73A09036754AE5F1DCDC,SHA256=E6BF68E06E24713D9E3CD5E01E1041B823A2D32C7E4E564CF2665F4A8525B7BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01745_.GIFMD5=A9CEB2345C0E4BACA4C1F3019694D4A8,SHA256=CDEC2D0B29C8DB5A298F635D7D3F11AF29F1B4CEC1DB39DAF320F7167328E768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01744_.GIFMD5=395E433937FE012962B31BAE21444685,SHA256=48EE6764562ED5F95D38292042A230E578A23F7421764C31DEE0C821E93EAC21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01743_.GIFMD5=0294B6FFFD9B3AC8F84E4FD5B70AC3AE,SHA256=3E717D8B950601D8E96E58108D84954BE92289855AB75534220A361FEABA253D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01742_.GIFMD5=22601C31608AAE80D5414D06A9A3580A,SHA256=7E3486E201A1D92151B099EA142B7223F8C71891C58B64CB0E3E650D3BA7A7CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01740_.GIFMD5=7AACFFC29256C493156504D4E0178747,SHA256=28A12A6CB90D4D1F77EFC885BB5B89E6DE8CD4D27278A9536AEF7CE6EC084C87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01734_.GIFMD5=3FE849008773E418D53DFD732FCF77FC,SHA256=1DC46B67C5001C5EBCF5BD1AF8C8DE4918BC143B68A47E0D939B7108A74C74F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01330_.GIFMD5=8B8FF838C7FA78C82B1F5B0B7A080268,SHA256=CDBB7D962D3E618EF8E1A1DD3EA1032E021C5322C39A816CDFF82216D95956EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01304G.GIFMD5=06784463052DFED981C8B51AEC3EF273,SHA256=57467C83708C4B4992FB6A8B4FD1921557121CB5F43CBAD5BB903D4A266C2A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01301_.GIFMD5=FC0B728319A67A19A11D05C4ECB0348D,SHA256=34FE1CBD5F27B3A42BA4F9502B7951987144495CADFE8C01C6776080400B9862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01300_.GIFMD5=B1279FD8FCBEF60225F3758F1A225AB1,SHA256=43389207A81814311723AA592D4E326DE2570B51882049BCD56A887A4DE35979,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01299_.GIFMD5=2864FE4820D7F922A4BBC14398038DA2,SHA256=B2D0076E1BF312E29F249947F6CEAAB1F3AAC17C0BFE8B5975494C693D28C5F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01298_.GIFMD5=E27116377840F48737FDAB2B5DAC568E,SHA256=3C46DAE9B4FC70E9A9E0F9993A7D01E34D63A218CF2FEDD219CB1415E991D4B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01297_.GIFMD5=86DC0E2F942CFB062A8BCB3C0F3E208D,SHA256=9547ED12A230CDDE6A9B45FAD271A79FFE13C4B7919AC719905896605C043BDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01296_.GIFMD5=34D9273CCF41B182F84BFD4EB4B9342E,SHA256=796B46455B4FB519C7E180C75483827BFC261463200EEB70BC3F16C2FDADB122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01295_.GIFMD5=829C4C12CF86F4BC901DA5595AAA371E,SHA256=0CCC0879678EC1F2418680062AAC0520B441225989FDDF7AA2C297630799E2E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01294_.GIFMD5=0775D7E483F0C6BBB438D2E4BF32E94E,SHA256=F66847DC872D071B18FA1B429CC999FD853E91C8FFE3DC87DBE538A477268626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01293_.GIFMD5=0D9892DFE819E839BC8052FD2B670C43,SHA256=416F3A85519648F86282C1D59D65E3F2E8878EEE8EF570FC65E8FCD39AF04E11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01292_.GIFMD5=6F86E0FEFCBEC71F9AE913D1794514CE,SHA256=C2AF38A905683258C989C2859F40369CF024136A3B3935D54FD637952A992215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01268_.GIFMD5=6E956E35074FD36FB1FFC1CD25478870,SHA256=315C7299921BD593746A14BF3C4A960BB7EEA2AF0C680875ACEA3E908FA92CE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01253_.GIFMD5=9DED530921B27F9FD843819F16D3655F,SHA256=92DFD58173786C23662C72CD542FF0D5F160B371C11B6D72A91CF226092ACC64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01246_.GIFMD5=CF1B79ECFDBD37D95C1793928C1C6740,SHA256=F034C4BD23A8D3DB155253FAED9475C3F47EC9CD00C0BB923E64D01A892013C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01245_.GIFMD5=0ECC9697636710DA8AF2766627814A70,SHA256=2B48E75ECA9473A40BBA4A949DD85EA30864923AA87F5416BE12D47EE9F58CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01244_.GIFMD5=AD12B8307B27314095D5C97F7775E64A,SHA256=631113E0531F2CD9ADC55F3AB827DA4188C8BBF516A14760CCE45DAFCBDA24FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01243_.GIFMD5=2F66BCB77122B7929E74107A331340BB,SHA256=551F554C863E07EAD92EDAB92AE84F3873E1DBD606001D3028A12697001FE90F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01242_.GIFMD5=905EB885AABCCB88660D2899B12E3140,SHA256=3EC22BF5444385C968B4E9F083B46A35BBE1DF5858C524CF89CA8324373ED71B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01241_.GIFMD5=9653EB671FE97CAE91DF6D08E6E75316,SHA256=CE4FFABCB072AB66C835718A901187D0FDA1143BA32053EE7ECC50B2FC313C3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01240_.GIFMD5=9159C2FDB51E1389DF0CF3A50EB6BBEA,SHA256=0017AFEACA7FAC8B3488D7C9A70098498DB4D78B2C5BAA8AC6AA9037B4D4526C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01239_.GIFMD5=0D529D7E71BBB12B99ACF060AFB28254,SHA256=37192E90B0E72AD019C46BC0D906572EAC39D1C70DC95E8BD29F86EF7801C9E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01238_.GIFMD5=407CC3631B4F745C0625510435769B1C,SHA256=522B151C2ED3CF3FCAB92AFFC6BD91ECCA0A1D549F67B8A39E0BE07A0004E36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01237_.GIFMD5=CDA64BB28083C5EF85BE18A36611ECC9,SHA256=77DFEC06A9A6EAED4A8E449B3DE639D806FDF2B7B377B7A72A81A9294E5FED2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\WB01219_.GIFMD5=9E0DBB3DB83E3D276E3A1A68DC3B6138,SHA256=A57B84823E34F452B67813E325C9CC2BFBB4B6AABE77F9BBD1EE4BE588BDC016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\VCTRN_01.MIDMD5=18BF39A1BBF0BD8C1DF92A6720A72945,SHA256=E4462ED418AAA8E3477C9087386E98DE0F7E8168ABEB896498BA318D2F83FD46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\URBAN_01.MIDMD5=8660C485DD9714E0CCBF9E9AE88B26F3,SHA256=BB4823A479DAC5522DF09B14DBA05D4858DEB746C5E3BE1C5536F00BC8871854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00494_.WMFMD5=E2065DBD7AA842AF935191D8516A5CAD,SHA256=6EBF5BC787A9749E95F4568587BD5174FE77C11095F0543F13366693D49D9597,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00482_.WMFMD5=F0DAC2D1F0AAAC32C979F9CF369F766A,SHA256=6C5330429D7B434EAC762E5148898EC44579EC99872246A1B87675A23E6AC033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00402_.WMFMD5=4D17DD1025735D2A2063B2678134799D,SHA256=5F7C7710569752C46C4106A00B8E340C6DCD65ACBFF0392631F415161CC1D9D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00233_.WMFMD5=39BB3CC17280EF16A264208740B277B0,SHA256=4C52DA23DDD29A0BECEA202A14FDED9FFE7D92FEFADB6A74848058A639C28126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00232_.WMFMD5=6FC2C214BCA98A7C9AD1BE3BCD46C266,SHA256=7AF823E9C41A88E9019343773CD4C91E2D1EC0CB9BAEEC23DD8B15A20726A7F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00178_.WMFMD5=FBA71759CF09C64FDD83A37ED1936019,SHA256=A410390BC0D66C1C3760EF656751279AF367F433EB29B946EA8810FD8DA704C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00172_.WMFMD5=4212836CCD239030ECE040E5752C0751,SHA256=E9198AD77ACD83B0734C1B0C2336A2A91804B6FB66691899B94AA353A5D04462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00126_.WMFMD5=5C4B085CB41DF5D9AAED191F209B642E,SHA256=C9D40047D9C0914A66BCDA31AB0085136C1C36C90EF384968CF1F9D5FA65CF9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00116_.WMFMD5=0B3F1A73D0CA91A8B48A472442CE65F0,SHA256=4EDB1E0358100F3998313DF65FA20256C9A637056C1B6A7B73AB2A638632C40C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00097_.WMFMD5=D449C94C0F8B87B2A0853A27FE7EDC8E,SHA256=1F6C109A2FE479D07A66E124A8F80461BDC5B5DF9B8D24BA2715929C7F106DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00095_.WMFMD5=2533DE9EB72287DC15F588A1A8CAE731,SHA256=3A681215447E6F3450B2BA339776C6EA71FA19DDDF5939CAE0CE499174875B59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TR00006_.WMFMD5=E3F558E0CD73744D9D81D66B9CDF7E77,SHA256=DED1B47A43652D9C4766298F40A035B861BBC4EAD9EA0148544889EE48C9D72A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN01308_.WMFMD5=58935956BA0D6B576804FC6DDA959D9A,SHA256=22F47F8D11BC36DE72E64438402EB29D8122B4C5DC8CB5DD61ED0E2E37BC5C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN01165_.WMFMD5=2CAA877C04D44DD3C240427D1BAC3F9A,SHA256=23859879E24DA4250AD076FEED5723807C27E11F74242D6632B295FECEDAD671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN01164_.WMFMD5=8A32F3D80D14FA946EA74FF79A4774FF,SHA256=2F29C07A2E42C3F78AEC873E9A44C50F62099A6590062478455980F6A71E1757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00687_.WMFMD5=192535E6E7C269359E25761C0C1DDDCF,SHA256=58E1F4C9BAD7DD82C1E02424004CEE86F27F5F02BC8BD2FE56503FDB4446AF52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00411_.WMFMD5=B1295D1F29F6419109B538FE63AB1ABC,SHA256=BC13BE47AEE480E057B6B3E6502CC9D19036224517124B9D8955D4438B5C5255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00330_.WMFMD5=CAD008B402B26143FEF22F4004787873,SHA256=B22619DC16971B42825D39756B39F9EB92A418614E41BA500EC5C17A63B63136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00255_.WMFMD5=4C0C339FDB3FE95CBDCF0F5A6BCE0F97,SHA256=B6F55B71AD261D5D79F7F6039BDF7626A3727C15FEC8DF557022FC7A978F0D4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00253_.WMFMD5=5B460E266B91DFE65491777FBC506AFD,SHA256=673E770A1FE5BDA9007666E67838F43010A0E0A978105BBAF401969F0BE543D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00246_.WMFMD5=EDE49E938059AA3869AB759D01522A1D,SHA256=6739EFCD4A9EBBA8645155D24A8E906F7E9B30A4E27A37C0B61B946AE3F5F21D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00241_.WMFMD5=0EA8B9F64154125EFD4712467A567805,SHA256=9AA5E9721271D336427FA725B1654ADA344845C94D7773D089A36E1F5C44D9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00234_.WMFMD5=77AB61AFE2E5D3AA46F41587C3A53545,SHA256=6208700253C9BE0A3027D861EAD43B2C62CCB712E408261E4633F80B9211454E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00231_.WMFMD5=D696F62510DC666A891049154A5D678A,SHA256=1FACB62DD4A56651A16710E922B99D54D4480DF269AE2C78F8BFB0F1A0B06E6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00218_.WMFMD5=B44AE8D95FFE29207C415584F398EFD6,SHA256=92C54D03974554871608048B979029517F8130ACB56FD74693C18BEF88EF04EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00217_.WMFMD5=81802520A9BBCC978503997DF05C0E4D,SHA256=65019430B91FED6115FF6AAE7DAB83C123132243F47AE3EE2026DD0FB5C187DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00211_.WMFMD5=FA8E4D6C6FCDA3E0AFB8329EC58C6100,SHA256=27A11CD7B3D67435D86920E046D67F48D7554A027D903CA6FD9A91CCE21D1B2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00095_.WMFMD5=34065BAA03BC70A48E77045B2434433A,SHA256=77A1920E88AD0081B50A450A194D0570E750977528D4F9B2C50994E510760FF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00018_.WMFMD5=799520051559F6BF206E34C1F300AEA9,SHA256=75BA9D078ACE58A4BF34AD297C687BEB9368D02FAD2532BE00667EB058358802,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00014_.WMFMD5=D717BA7CB60C0812F4F3C142885E4406,SHA256=F8BCBABB10ADEC58C32E8BDDD6A2967938AD59C5BC17B7A6177E1AFFD010B4B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TN00011_.WMFMD5=2FDF7344FFD00F98409EFD44CC152213,SHA256=20DBF8FE231DE6EA4A6B221ADCFECE2A26E23EC69762BD2100506398284451C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE8CC97A0958EF668B7C38C96C91299,SHA256=8DDD067195DE838D7734539FD1AEAE40406EC3AFA2A43FE306F35B60AF7A606F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\TAIL.WMFMD5=56B1DE000BBD854F391FF1FA6DE2D8CD,SHA256=4A004E930D6C96E73880DBCE7356004B8D4E9B0665AF4A991EF495E6AE547C7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01590_.WMFMD5=070552541A61AACE68FBFE3C5BD4F040,SHA256=40A1510D6AB08894931B7B14CA824C870F6194CA7A11A53D27F661FFB411599E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01572_.WMFMD5=66C1AB6A635F9731C8E2610A2890FFE7,SHA256=D92695574E1ADAEE1FF59A0298D11BCC1EC26C7670110FD9EF3B1A86D7E43CA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01563_.WMFMD5=6EE2E5FBBB70805447ABBF5E733E7917,SHA256=CD70EF8057B214280A9AC0F0AA0740FEBCE28492834A7F0068C27F565FC0F636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01491_.WMFMD5=32A999BA9AE148E82D97006E8D411FFB,SHA256=FB79C44A462A8239EF9AA421213A97BD9AB08AE5E674BBF387A52714520FEC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01462_.WMFMD5=26E2123FBBF9F39C5817221057C185A8,SHA256=8FC4C08855D8A7B061C99E738DE84B03A2B8AA3E1F81D12CE3AEC0FF0C841A69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01253_.WMFMD5=265533856A67068C7F1CA9CABA78E6D1,SHA256=77B3016D97A61B0EBF2DC4E0E12D91C53B85E413B43D373082A3083B07F263CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01252_.WMFMD5=70E3F5622B8CC63EF5AE5023FC993CD5,SHA256=79032163F8FC229204CF6894C52E4E24BE8596DDE77AC6DC22A3DE65D1E6B41F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY01006_.WMFMD5=2442BE87C8E949C636D45BB2F03940FD,SHA256=D54BE227B23C7DB4EBFA34BDEA3AC7EBEAE1D821C45B5D28FB6623068C221B77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00882_.WMFMD5=C0DE753CA0A00410284D742184A4CD85,SHA256=B73AE4AC25EDF8522E6ED536882081D58BAFBFBED1CD4E703955AB0598654274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00795_.WMFMD5=91554826FAC9CDD841935172AC7C84A2,SHA256=00EA7DCF923E0C1E0C732D1D98A6F9999E520BABC6CE92DDB6E8873348364BD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00792_.WMFMD5=9DF602D53D91AD3D6B85ECBB17549758,SHA256=25EFC095085E56BFEDE6406CF8DF2B94D709A3D142230D72D312BF71C1654271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00788_.WMFMD5=0F3FC1D8AD7C7F80BC6DBB0DB021FD2A,SHA256=4978A9030A536C1F5CA5C26FC983D0B2CB1FD08FB4A27D6364A64BFD203FF082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00642_.WMFMD5=34AED888E9D4B4162A79E28CBF76CEF4,SHA256=00FCAE8289C39E64022358090E272CE09DF4D0A3FCC12668BD00E619B8158802,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00560_.WMFMD5=4671E32CEFC6A6E465EC0232059B60E9,SHA256=9C80435B1B5ED3EF441F5456FC16D3696628DF545AEDD0B06686CED8BA47FBFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00170_.WMFMD5=024DCBA0A60E56C0DFFDD06F0591B883,SHA256=25C332F625523CA94C0B1F6D8D708F7C38A060BD5A68CD4EEECD2A20BB8099BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00132_.WMFMD5=E369BC42299F666E4DA60E83DF68C1AF,SHA256=8FB058A60F4E20C5FE648E10B3D4A882469D5AB1F57759D3F1F5A97F87A29675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00127_.WMFMD5=A2499E2AAA68941477CE53F25E18EB8D,SHA256=8AFD2C69CBBFCA0EE2A0161E3FE178DADF94E8795720935472E69E3539EC53E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SY00110_.WMFMD5=8FC1933410D6268FBD5AC8D22667D940,SHA256=9105ED11855191EAB5A05CAFD16B993268D51FE9832D78BBE082B24794EDB133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SWEST_01.MIDMD5=6A1FA4FB024AFB1B20E4AE0D33A08C59,SHA256=96BEE42D16487F7F7D68B7B562264ED2C87A0C2510D0EDC9069A2A7EC2B70E9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SUMER_01.MIDMD5=39CF8960AB29D56660276C18EAFA1725,SHA256=57EFAA2A8C63D058BF4D0336B20A3E531D860604FCC05AD9A885D2B7907DD26B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\STUBBY2.WMFMD5=A08BFCFF3F293B1E7F9B0D2D0DA1A829,SHA256=274B4B0559F3C52F952B45EDDE6F99B775391892C2AEFBFCD4197363531C1F0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\STUBBY1.WMFMD5=DFE8ADF20F0377394BF11CE08ECDC0F6,SHA256=6CF4DF6136D517F3CF4F10F42167A06C15FA4B34C7246B45DCCC16BCAD7D8F11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SPRNG_01.MIDMD5=79ACEB3CC571650B1FEB432323B2341A,SHA256=A22F9267B3B119296F1FB9D6F571A31430AE9661FD18724739F3FDA88DD2B7A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SPACE_01.MIDMD5=D816A1D9CF181DDDD82561EA0B906F11,SHA256=0AB9371CAD4EA349A72DBA84D426053A3ABEABB2808CADBE290C03423C454B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02958_.WMFMD5=3197814F7950E2FC3BB4A6337A064A3A,SHA256=F0015EAC3A7FFBDC47B2746EBC79EFB4072DB9F900648D82488C7B7300D7E78F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02886_.WMFMD5=FE8200C0921ED8BE82A0090689D21ED3,SHA256=F828ACA2AD58FDFF70ACB59BA243906705C2EAC31DAAAC4F88F63BC6E7E1F08C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02862_.WMFMD5=3939DFD69A6D7DDCCE6804C1C02B259A,SHA256=5BC46E10BDF0E9C16F1D17D4F81B6E7A59946D794A8CA0BC3BC37CFB0241506F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02794_.WMFMD5=4630F41114E555368B068651DA9BD47D,SHA256=B432B072DE49142C2F1B822FF8E7A9E9D10380837C1F875E2464FB35A36FD8AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02793_.WMFMD5=3F40E686A997524D54A87874E3C5DE4E,SHA256=9048DE11BBDE88E5A3B25B14CC3FD5E139009E81CE8F9153D424E92892F4B1EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02791_.WMFMD5=046BFBE71F1680D4112F396EEF45F231,SHA256=6E185D4BBA43B5AA983DDE489BA88A596DF198F72BAF3FE9005C604B0230D010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02790_.WMFMD5=2CC154CA91F2A64D262BD6D55504C93A,SHA256=D551981485288776AA4523E86FB3DE3C35794C57D5711A8F6D8EAECFF9FFFFF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02617_.WMFMD5=81921BD8E40ADC628E6761019A285B60,SHA256=8DDE3570E3EA4A375E4E87A9F17E7D8C55C5A8AFB20E0A4D3F0269464BFB0286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02578_.WMFMD5=A7E63BFFD91D8F6B28B804172C98A97F,SHA256=007EA7DB70BB53D84356877F7837E430BE082C03A25BD07AEE77475C920535DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02465_.WMFMD5=9E12E0AEEA1A58E5343BA78ED903F569,SHA256=D7B7A21BCBF14AFD2CA8C4D20949810C04A89DC2A6E883C0437E5F4981E43099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02464_.WMFMD5=2E31F00F333B2F2A100BAAD71AA6922E,SHA256=E0A8CDD64A7C6AE231E28E599304783B3D6CD5B43937FEB061A97D51F19918DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02439_.WMFMD5=B512511F05C1F0CF9D933790AF6AE5AC,SHA256=0D33285502364C4EAAF5A66EB3ECBFD09B666191B06FF5D6CF8A6E3128CA4F55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02437_.WMFMD5=1F6BECAF9167397D5136DD466791E188,SHA256=9D4A91968FCDF66FDA18F01136D43CFA2C09F194374375549213E7D9B44A266A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02431_.WMFMD5=F2815D3BEDD77285CB823BDEFF6AFB83,SHA256=296B819747816B0D3FC6519938B01C9F4C3C788C1AC2A7EE36153FC42DD81D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02413_.WMFMD5=32C859E51F6754AA86F5CAB3812A3E60,SHA256=3CFF934A4A50370A75DCB39EFC25577CEEA01650E4A013D23F26D69FC5A926F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02276_.WMFMD5=5E30738F67F1EDECB56DBD03A500CDEE,SHA256=EF0BDD1727686ADA0F91EE3EF2E7A7D88A3AE99EB75D6A380C48776B80E1B728,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02270_.WMFMD5=297B9EBE416DDEA46C1DB6EA2D76CF65,SHA256=0E48CDF381E2767F7D3B4239E78592892604DB258701619A893C8301E7D5ECDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02269_.WMFMD5=F521BB9955B79B406EA34469531D7778,SHA256=A1327C8B5AF219C101A1AE852A72EBDD25481D92CD649A1747C8251149C13217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02268_.WMFMD5=7B15BEA6676A7EC014F4CC8855007F71,SHA256=EF3F86DCF9633552867D183FD988A8119EA37FAE14D7F6FEFA6EC19BF74BD7FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02265_.WMFMD5=29A76CCF10819E38F95F37DCFF519788,SHA256=4E79136DB1FA30A3547643D3BF7ED61BF13CE86945F4CF1CEE64D76C131A3A54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02263_.WMFMD5=E60936984A4AAD734588DE940C30D451,SHA256=EB50706B15FC20884E690A58A6D95F6119DC3C6173FAD23E2B1258C09C970511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02261_.WMFMD5=4B4658F0CF218B36087A5DCA6674BC62,SHA256=AB75F47634E4527BAD24438C6C1AA001598168BAF518A0CB2DFF830B067CB74B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02253_.WMFMD5=A08B94344B4A5CD3174F5CF00F45D7C1,SHA256=5305537086DB75AE1C9A103ADDB163A1C4328376A1C4B7C0F83048F3C8944A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02252_.WMFMD5=490F7CB972CAD4E6F91DE437FEBCA617,SHA256=5C52418D4670CFE15DAED8AFB7ECD4E5E9C41DF6A6D082AFF17DA026291BC32A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02233_.WMFMD5=3A83D1AD4E0E58BEED0E3D7BB96A9BF3,SHA256=F09A9287A2A8A9652F71366AEF82679420D9228400BE8FBD487FCB43FDFE4318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02228_.WMFMD5=B142A58C930DE2C450485BEC45E2178B,SHA256=1FB4B6577C11009453D57D1AC5876F41E3787D5E812B6A035CE612CE3FC8D99B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02227_.WMFMD5=A370B40700B4C32E62C515AB150ED579,SHA256=C655FBF869F6FF574E4D4EB7D0BFEB821017AA0850FD036FEC94E7D698941354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02094_.WMFMD5=920C5D3778301B63CF16513ADFBC23A3,SHA256=410C0A95C9336654988EAF7B6A839F623CB026C19DC4D03DCE98B78D242B4A69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02067_.WMFMD5=A8C9174064FA9518E725A31E2E79EEB9,SHA256=81E203A5ECB3E14096D829C54317A892928CB88A5A328722BCA4B884E7534B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02055_.WMFMD5=8EA6581F01FC5B9D690ECC90928DC652,SHA256=B8581AEFBACB83BAA6E69766679C57E967CF2DEEEAA78F2D532CA89201FAAEAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02054_.WMFMD5=DDBDF02F11965515A29E8DD8B11869DF,SHA256=6AF9507B32DA532A8207907B0DE89B1B53998006935538ED887DFF9FC41CB780,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02051_.WMFMD5=8DD47277BCCA70AEA932482F72D2E9FB,SHA256=694A076C1E18738EE7C5892625D9E4BEAB982E1A0E6DB9C3FF50BB85CD72CEDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02048_.WMFMD5=A5165F31E4CC09E2BA1F3A459BA1B8F8,SHA256=78840B23A8AC1662F7ACB098B706EC4BD237C4BA6FEAC1E43F5BC549A1FEDBD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02045_.WMFMD5=AB341B48C328A1C320A60D550A0C9CC0,SHA256=32E6BF51FF48498DACE25F5994EE0E8AA311EE2516D36BA4723463DB78EE34A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02028_.WMFMD5=C099BBA864BC615F89AE47FB73AE11DB,SHA256=81F30D7525B31388AD2D010C5E36FA963C588D5BC8EC681F6FFB5238F733BEA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02025_.WMFMD5=1590F345E826EA2DE9D467AC85856960,SHA256=D31BC65F10CBC00FA98C564231D72A399D8015F5BD8B798AB17BE3EAACCE3AC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02024_.WMFMD5=9DD8B201D28FE3C0FC51B4840B494BDB,SHA256=E8214B01579B36B41FA29663E22B00D38801AEC2F80BDDC3DD357CF2E56C2B15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02022_.WMFMD5=2FF72DFED716335E2FDB8598A464A50E,SHA256=5F2EF04A5805243F515F286363A46B9BA6ECB8777835859037245B05DFC7E29A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO02009_.WMFMD5=201A021CC864DDF5C997C5B02355DFFA,SHA256=C4053BE2051E7748EC420A81CBB2B63295D73E6E4E09A2A90127B06F0D39AEEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01954_.WMFMD5=A1C9D8AECD692B4BEED770E74BA8C710,SHA256=A6DCAE7B26AEA0513367565AB285062E0A0A8FAC3795581900E3C08CBB0074FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01905_.WMFMD5=7ADC2016AF0BCEA122A43D1027932D7F,SHA256=84A4283976C4E10FE4C41E840CF0AA5CBF81DFB09F2C69AE5E8781160E19D892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01805_.WMFMD5=477A05F4856CB7B4E3D43FC781BCDABF,SHA256=253FB61F3D0A902D724A8A859D29E298F1BAD6B8CFFA5CA440B4F2E7EA2E2DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01785_.WMFMD5=77DEA40D0408B9A0C935D450896FECB9,SHA256=2B2135012C499DAD827C634832195E9828187397215E1B89D72396F778CD9908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01777_.WMFMD5=88111EBDA0D93562EBDE63E56D8C4403,SHA256=31F7AF0996FD566A8E4ACCC5B87A609064D9D3B40AA0D3E25699E28D6E08589F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01575_.WMFMD5=EF07F3732C3C38830AEC4A056DB181B7,SHA256=B0DB03274E238E6A59E7BDB4A4CF48846EB9B5A0103061A81EB90A59463EAA65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01569_.WMFMD5=C2E2F25346041D7FBD85B53A1D6AA908,SHA256=E646C042CA6F3DB07DECA5B4203012D36BB357E653759E589FD57E0DD51F523E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01568_.WMFMD5=3E47E16771CB5BBCA4157840FC8568BB,SHA256=7E8890B1A0F6FBC9CF1056576191447D6F390F14F6C9BA91FBC6B365AA50FCBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01566_.WMFMD5=00C1F97152AC338AE0D50FEE0B36F298,SHA256=A0A96B02C7130ABA04783BB2EB661FBA9B450A587B6C5B1DBEA31391D5C385FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01563_.WMFMD5=2BCBCD46B002E89944ADADF06D7B555D,SHA256=4D0DAF9049C58DA42FA41B4698353B0B2783129AC6BFDFDD0A76F3877EE72DE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01561_.WMFMD5=21B3995145FE887CC84FCAE7943B4DAF,SHA256=13F1970C4D112F39985FBDDF68D5E1208B5860C02DE1757C04C000D9F0C40FC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01560_.WMFMD5=3DC0EE03E3934B23343AC9AF63336839,SHA256=8FDEFBF2C082CB82701C7BB1C8E2D38C9523F88E2A1227ECC949FCCC866D9571,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01236_.WMFMD5=5DA19F5DF38085B7FC591DD2347249C9,SHA256=856366B593F7F2616490F61808DEE067506BAE8FE99A144263ED7212DA12D79B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01063_.WMFMD5=C3C7ADFF35A2AD171C28976CB6338EDF,SHA256=5835A9F3E939057213465274C2E9CB297C7EB422B67B9759FEB2D239594E7281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO01044_.WMFMD5=38E62229784C1862CE2A68F13FDAE7D3,SHA256=5AEC6740405FD531844027F269D1FD385BB9604EA7AB8D22BC059EB492B6E06C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00943_.WMFMD5=1CB1731DA03F270334B13DF5A6C631F7,SHA256=9E2415773BFB8BF9F0AC3AF40D358E72224EEF21B6DFBEE697403A1744B36C8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00942_.WMFMD5=BA7E285899E6418CFE2E823FDF02B443,SHA256=885EEC1598947837C64B1D6FC0FC20DD45976E048250FF3449CF3B5D3DFC2282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00941_.WMFMD5=E264FDE4381FACDE1BA878082F8D558D,SHA256=7ACED587D787C1E47566CB068C812B4BC466BDF2589BFC6D8C4FB031B53D6F0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00938_.WMFMD5=1CEB9D3D13A7C46163D24759FB3AA977,SHA256=6888173CA8876ABC06F9723C175B5B7A53FC0A847C2A873E091BF48FD05EAE5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00935_.WMFMD5=6466FCC855F513CEEB74F99C9EE95891,SHA256=2B01E57714493D3DDFB68222C576B67032EA5BD7C889E289BC83518FEFFB2B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00918_.WMFMD5=BA78F264FDE515E6229C94AA8A4E7AC1,SHA256=03DD789394C9EC9C80844D8FA86B3AB0F924D4204A76EADC1F0075137E235F6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00917_.WMFMD5=D9AACEAE8053D8557290FA8735C7F20A,SHA256=64907D6A4C7E174C26B1C7A5640231205496D456025000D293664BBAE5995844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00916_.WMFMD5=8BA3A225DFFF1CE135EB84691BD48FEF,SHA256=4DC3A84FBD19D9E845A485C903BA98CDB8E0B62177058DD65764CC966D3AF88F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00915_.WMFMD5=614E7C9352FBFD39E71B972A743192EF,SHA256=FE828CF94AE67E5F22462B117B0D2E32E5C30E9B2D18A294B44BA7AFB44F705A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00914_.WMFMD5=C54A8DFABA29FD805674B45E6E3B4EDB,SHA256=8A895430A7441D835808F8D34CB348F65CCA0F89BE7C115AFB196771C888F797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00913_.WMFMD5=7443FFA422F712537CAF5E4D1D9D623B,SHA256=93DA728916377DD2A4B23CD44BFC4C992A65A4A55CD8A401FAB051D333541CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00911_.WMFMD5=CCA61CEA342DFF046AE8AB7BA8814BC6,SHA256=FE52019FAD97267F1845A2CB87D85F7CC0C85D8CEF6A60D641BBF6D4F70931E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00910_.WMFMD5=F43902C3867B56B1BB6A02C8B6B86CCF,SHA256=C53526E40FC762F8DA26D612064C7931325007550220AA057F8EDEEA66EC5E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00837_.WMFMD5=AF8F932E90E58BD2FDFDE9D44D425E90,SHA256=67CF7F0F0D46A78F60D04E401238412CC0B3EF82F08B2E82BD17B57966A49671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00834_.WMFMD5=12FCDC514745A64085ABF595DDF4316C,SHA256=84A02FCDB31C3C7C7B858DB6C5490784BBB0513AAC08999D035968E9218ABD49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00828_.WMFMD5=B9A0ED482122B9BB56356DA9E3161554,SHA256=B45AC261E1050B4CD34B0364CF2A170D2A36A3516F4F3F2CFB016BC5E7936559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00820_.WMFMD5=5B388F68E52DA57A50EF9458990A8D1E,SHA256=7DFA9E7B8D905B30AF53D3014E6B01CC13A607F2D304D41E96EDA12A4DA3AB7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00783_.WMFMD5=A616A8CEB50D0A87D3537ACF95AE4E93,SHA256=472CA1C93FAC7CAA3BDEF523192F74A73CD6C9F2E5C4F9B981DFB3D349098AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00768_.WMFMD5=FF3CA440C761C613EC052975D44F008F,SHA256=063C18535AF7BE7482906C1516C55E366F2F6B7414B602A6012700A25F7C9617,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00736_.WMFMD5=BE0D5BB3328381FF89516FE8F75DE137,SHA256=A594693C188CB5AB79C2759ADB780B5B48E0B7A40E1835325519CEB26893951E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00735_.WMFMD5=892546654C964F0E903BECF44480C113,SHA256=713CA4338325133E6EE34F5195EA3F4AAF9D9C84BD0B653891182ADBC93FF657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00734_.WMFMD5=8FC3F0B57656B8E5C275BBC58047B187,SHA256=09861D37D69641C4520746D832A89FC5C9547BEBEA7E470BBC400C733B7D327B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00732_.WMFMD5=03171CCC8A2BA845080BC0A5764027EC,SHA256=50ACA53C5ECA3E028CD1765DB94EF6DFFBDB9F4688F7024F53EC80ACF83842FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00728_.WMFMD5=73764C586723D104D0A8BDD98BD08F4B,SHA256=885791AD35B690853B4D5280EAE14EF0A8FA3C512192951A4FE2324570203AA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00726_.WMFMD5=620D750EA914546024ACC1C5CC41819C,SHA256=0C966159D7B125D5FB224E440F70F80C4DCE22707F54727B06C0F05F585686EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00704_.WMFMD5=4CF2E0AD6FE3DB99876E6CAAF1856002,SHA256=55AD52D225028961A51D9BC5EAB1565A9938D53674EBC1C52D3B472C1E58D4C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00694_.WMFMD5=BAFDC1DC91B253BCB97E8336BEFDC3F5,SHA256=C9B5D9EA55C20A27AAB3F100C80AD93E59788A55CFF2B743356AC23D268C3483,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00683_.WMFMD5=DDCDB0F1E81331E1525262C37447BFB5,SHA256=38BAA662697B905A505DEB4153DE02DA3998BEA54F38A7AB144B5FFE0761B52E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00671_.WMFMD5=56A51AD7621A140843F3E8706DCAF580,SHA256=3FD3DE1A2F429B45711A4E4FB33E03FA42A74B92336C553E6D3E51C6A9F2A41A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00670_.WMFMD5=050B08BE1A30C37AF77DF13E83B5A9A3,SHA256=040361B9F9D009CF87AD99CAEC3C38E56F46A1085D7B634BE913B0EBD1F42072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00668_.WMFMD5=C28A863A4BC3C4E0BA658BF18129F88F,SHA256=EB7ECF41B70BAE127C839311F00FB36CCC7039389CF54A308E40AB8CEA2A1FC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00656_.WMFMD5=BD05E7D5822BEE0B1915FE23C0EA409E,SHA256=F5D756AAD07885021E1B9365B314754B58F2D7A2E99A3EAE3C8B258BE595CB32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00638_.WMFMD5=82B3F6B364895E14F35239CABCAC5A53,SHA256=4EB6FB7D3E1B00F04DB1A73D7838580E6B84AD43C00E5CCBD817311E211D4B59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00633_.WMFMD5=7AB8D34414F76D57A83577AFE83511DF,SHA256=AFBDA6BB8DB92F15CE39D13010D60D80B4E33A1348800949EC46658A2BAB518C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00629_.WMFMD5=25D65B993C93234827B3ACB0D0F61839,SHA256=07884EA4C0C47D57362C9D062484C1ADFD9299EEE3DFC5517C34D548FD51B2C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00610_.WMFMD5=B63AB1A2CE36590D76B82D6C68B1574F,SHA256=7FC53FC23E1B1E5CF169CBC7C4122EB30BD51687B21D4E7F7B60E9F6E5F64895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00603_.WMFMD5=0E9D8CE0FCDA133B42B169624CBCDD59,SHA256=CD072B3E378E36BF4BB3CB869386509393A1074C450D34E6206AF7D17D24086D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00555_.WMFMD5=BB23B93DFD72FC5F06ED4D479B718AF3,SHA256=4734823A0A92A354CEE824DED25CD0A50F59EDF257AC3827A5BBB73455685299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00513_.WMFMD5=EEF71C8F14B9790E32722A0601AF3878,SHA256=D27AA47AE314AA222799CAAA9AD1F128D68AD0C542D6F9267AA0451D380CAF38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00505_.WMFMD5=999431BC17B1DFB0EB1ED55C7B70B2A6,SHA256=192D36A2EFF2EB1D0BA2EC9F760392F7A198382FF465C503A2A7B404A4984AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00486_.WMFMD5=BCEBFDD53CDA91CF5123D97555D8050A,SHA256=90079726D970011CF30AA63F1F2BB4E98B14837BFF8963263666FC4D0A456661,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00483_.WMFMD5=6C732DFD6DE2A1A9D6EE2B2845C7828F,SHA256=1AE3DD404D1451A0B5253C00BB13D6AB7AFDB02A80F73171778AB71605814ED1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00479_.WMFMD5=89E3F8DE2C462111FC4A30E781AC40D6,SHA256=FF09A7AD2C60794C1BB27B867966145E72DA6725E323A4A139EB21233A3785FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00476_.WMFMD5=636BF7408FFC98729BEECFB05F0393A7,SHA256=AF2AC53F893681E489DD7A4AFBE82A0EE469FAD4D7DF4DEC531A5315FFDF924C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00466_.WMFMD5=D0DE1371EF6814E06020AE81AF56C95B,SHA256=64E06DA470774A12CB6A28014B9667CBA7C9F147FACDFDA8595526926F52676F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00454_.WMFMD5=FB62D640DFA3A64945796B91E5AC6425,SHA256=436030813AD9D1A7FE46A34411DE2741B261C6576CB15550611E1E63EB355757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7231E67113610B2DCA5CA89B09A8D7B8,SHA256=A0FB862F0E0685768ECC1170095678FF2F3A1940E6EA7C05048F6DBE2BC9D4A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00453_.WMFMD5=5DCD6AD7DCFB5C2FB220F8CCC4BE3A0E,SHA256=9E7FC1783C8201C31DA572BA588B3E0C91958DFC2175947844C292EF539DBB06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00452_.WMFMD5=8DC82EEED8CB1CF420EC34BB06AF647B,SHA256=49B6406C781D9B9AE3234E231FB13BB69D74DA9BA324DAB540FE88695D1496EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00444_.WMFMD5=CE79BDBD778B7C48AE8DE3F171F69704,SHA256=2F7141E3641990C7A99431055E5A21EB5C8DC30518342CAFDC3ED3D41F01B1B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00423_.WMFMD5=BA98EEF79B33552C9DACFF776EAF07E7,SHA256=C826472B173739648FC5EADF0F939BE5401071EBFF24728D080289429A7F7AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00416_.WMFMD5=780D23077258C8271D3025C5DF79890D,SHA256=59E75A2D73E8F69FC2E2F244D8739BF07B5F2542C4E90EFCB893C4C5E56D5FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00391_.WMFMD5=A27449E667392359D93B35785E612801,SHA256=EABFD8F4927A471D5D0EE950255567EF7C6A479B31D2538988D5E1B8B02DEBE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00390_.WMFMD5=6B3C1E7C6B08C5A240137F9E805EDE8D,SHA256=8E041821E25B3DE8468F3C2C54F737F525294706D649170C0F4196E3B0D790C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00382_.WMFMD5=AE1656C75BDFC1D8FCEEED8ABFEFBA40,SHA256=6F43C4846889BBB20652C59A89341D3900FED0E204DFCE3E6B82B1E07BD6ADC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00373_.WMFMD5=79578AD0E544892A0C7E7958C9825318,SHA256=54473ACF9A78CD667DBC566B185C3940E8A928A1A252226A9742CDE8E6DF91D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00367_.WMFMD5=752182003E3D9AB4E836A7F2523F4D7C,SHA256=720876354523D997217AA237B0CA41870516760E50EBF4B5F2A1D2474D976381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00364_.WMFMD5=10CB9725C3A98EA1F534350924160BF1,SHA256=D2CC5D05380607AD2A2BA670E3257079167CF071DF575E460D16EF564A703EB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00352_.WMFMD5=32E1336858F72222F6E52545A82A4BBA,SHA256=14997CBAB5C342B2977F02A47C15DAB913A4F4CD97824FC4D68014B81ACC9AFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00350_.WMFMD5=A726A7D8CA7AABDFAD8B77738F3B09F2,SHA256=4957B376C1CD01B714BED65904E53E2F100D87CEFEA6F71B4A2A291E185661DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00345_.WMFMD5=405FBE795688FDBC84FC7B5A75CD12B7,SHA256=B4D21671DE5B7D23D6CEF7EB3AD8BEF112B14E0AFA18E528BFBAE4CE855FEE1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00333_.WMFMD5=22D6261A3487AE5EABD6896029AF0758,SHA256=A7003FC9384E523CEB9A94E1822B3F494D8DDA27EDEB456C8519773189120EB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00305_.WMFMD5=8B26328784F4170BF6FC4DA54A62A49C,SHA256=509120F4E53D219C7C9EC18C7D55B16ED1553FFE12197919AEF0A0CFE7A2F20F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00299_.WMFMD5=B35CE95719EBE7BF974BB84D42760473,SHA256=5EE7AAEDA2006ED1DEB2556D8EEAEB2E0B1BBAAC5AC6B5B03CA153654F5E42BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00289_.WMFMD5=4FC0E68FB2A159C46BEBDD123F985250,SHA256=4BDAB37D90315A9AC6D82733F66B89C63D6D8A517797122DCB264EAA9736DDDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00257_.WMFMD5=86FCD8F1035E56DCB17E2DD7D79B327D,SHA256=A02EA753CE4A0BA1118D6D749D30189E8AAFD0E79C0D6657818A538E87205AFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00223_.WMFMD5=D16F50FA4582E48DB9119653AF1606DA,SHA256=2FE536ECA582193CFCD64DF87DE9BEF39F36E9341FC0E301A9E04995D478B1A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00222_.WMFMD5=FEB32A1DBE3752E3202F318A38AFFF25,SHA256=618F0CB52D0D3243B96E1EA814E05CF58D1E90F770A404961E5DB7E1691271D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00221_.WMFMD5=42C33C97E31CD3EFAEE3B3DA89398969,SHA256=7FC8C6063AB0BB45DF80C3454C06A7D1F384E273CF33B07F83FCA53E2EE603BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00212_.WMFMD5=8EA26DA36DA8213FE6FBFC3F4AB73115,SHA256=D270B42E895A89BF90066B1517A82D94090A8F3DDF5DFD30B78EDA8D90971465,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00208_.WMFMD5=CA0F610078ECF5A2394494C28280155F,SHA256=338E10C23C463324C81BEAAFB09D5C3A3E506E8AC6C16D85E688A70198160F6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00200_.WMFMD5=11D699313422DD868BBD39BDBA4CA0F8,SHA256=26A866554E0F4CE54D1C0661513352736ADCAB4768DC6D2174B275785CCCBECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00199_.WMFMD5=FF446CA6B2831B1A59D4FB592473F91E,SHA256=FC362D344B6FFDADB62589E4427C4985C6265BCD0E306413B0C264BEFCB4E4E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00197_.WMFMD5=84E4826AAB0956B1720B6DB8B9EF79E9,SHA256=6AB02C9710F58DEEC70892A188C423D051D94EAAFB6D290CC94470BED1C0B118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00194_.WMFMD5=8594BFDEE4F74EF83355328A901821DC,SHA256=5693A7F77C55C49548FF77C67D1DE49F27082BA8C454C7C6D31C66F042C691CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00192_.WMFMD5=10D1AA27DB06014EC39E3F91CF343D8C,SHA256=CF83F2FF1B435D811EECA7A3AEC527B40B0EC16D0321C873604CE425C4D68970,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00191_.WMFMD5=54EF231EDADE52E709C210881A10E7A1,SHA256=45E9D8A589E046F9B728A69BEE0B01D0809060884BF87D83E28C0D8393AC3346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00190_.WMFMD5=84344673FE88BE462DE07E112332E53B,SHA256=A9476C30C1ACD8CE49F1C2EAD6C2F58DC1A2BDB2792BAE68021AD064B33E1DA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00183_.WMFMD5=CB0151A6EC87E961F5D4FE314397AD96,SHA256=DFC3C24FBC4FA8D7BCBD88F459FDAFA0EA46D38A7CB77963132FE3910B999A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00177_.WMFMD5=373E95F646117CABA979EE42A645AD8C,SHA256=D3EA8AF9DA22DABA595F0131566B3102CAB5DD445FA0FF7DB2D27AF0015FAD28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00170_.WMFMD5=BDFF00D1D3173A0CD49441AF82FB6627,SHA256=08420C30F792765048424247860BD35D9A02D0C4173A163B14807A512584057B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00168_.WMFMD5=5D5DC94B984620C8F0746E7DE65FA4AD,SHA256=5B9081B72E484149CE9029600519C2328F678827D05F2E4D3E3388DBB2F9E5CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00166_.WMFMD5=010F9AFECC2699B9551DE4E3D1D45ED4,SHA256=7F83CF58E54B001AAC0AACD7726BCEF76F6A31F93AE17389EFF41902D05635F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00159_.WMFMD5=FD10D649F748F5C7F774E6D82870485A,SHA256=8DF1F9F18E075B14EDB10FCFA16EBC9744652B7E0C2521AD4997457E006C8ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00157_.WMFMD5=CAD580A92FA9A59DEB63DB5BB8365D65,SHA256=ADD523B58A0AAD2AD49E5B98A0431D6F114414FAAAEE5F8DE82CBEAF23D5831D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00152_.WMFMD5=45398BA0207D4F9CB301B29F0EADC7AA,SHA256=FF24EB1D8A4CDA74E28C391C9FDF969BC67415EB7B760C99D03E324C1E204D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00018_.WMFMD5=470D43B9D1C7873CDDA69487B978F7F8,SHA256=8FA30830A1B4AD53BC5910449529BB4FB79A8DF48DCC1753A92AEB2925334124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SO00017_.WMFMD5=92E09082A53BEECFC5A4F129D3C3E5EB,SHA256=9B692C1230CD2CB435DAB9A8CA5C47349EC34131A1EBD93F466948829E507A60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL01565_.WMFMD5=73535C84EE3D2A689D06E38A4AC096E6,SHA256=56D9DB003E42A819F795DC88C1B1F770FD5952215493CCF108413B3BF432231D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL01395_.WMFMD5=0D9332D21D016A03682777DFF84320BF,SHA256=5BADBB51C508E06D0FD6AB5CBEBFB1DAAD688FCA66E0AE3FE687791B4E73FC25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL01394_.WMFMD5=7A7CBD2ADDBD10F3671385E927D03FFE,SHA256=5021A3DBC6B793F37F3A6FC18D9D00A72027A4FF439C593FA028963B5E12BE93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL01041_.WMFMD5=C4D5D6347519C04D4A55D5C7A36389BB,SHA256=314607DDB298FF45770EBCAB4B06955E28EDC1654C9FEB0727B4B143FF0C6580,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL01040_.WMFMD5=3A3334E4C5F5A1A03BBE9851723F83DB,SHA256=9180C98CA307247F5441146A8B79E42B5FBD370448EC9504E50C269DE48A3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00712_.WMFMD5=180546C960C0CE6623F14724DA187C99,SHA256=9FDC21786FDC41829B3D75E6BA3A37C069BF44993D53AD12453CD5A23AD35B5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00452_.WMFMD5=59F8CA950FC8868892A4DCC1D6D4C45A,SHA256=E7942E135DC1D3347B615DCCCAF5C4DF48F611002E811D5E29DFA34A05C07F73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00345_.WMFMD5=86180EAD4A30F1B5F308B5F1D0C71EBF,SHA256=B6F28107EE2FC556FB014815A3F532A2A8AB247B2311E043D9E8CB1080395219,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00308_.WMFMD5=CA1892894F6AF3D900D1B17786877640,SHA256=1908F5B528BF6C65C508B93C174C34C9133F8443926DDE0C7215541BC9B70A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00298_.WMFMD5=1DD5F29C3541F1657550C27FE77D6235,SHA256=7E69C1298773D99B6CBCB880329DE0F7EF4E22D8AB077572A620D0172AD7EE04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00286_.WMFMD5=D802343A01D9DF9A8FF7C48BE5B5A465,SHA256=691A1376FBC72CD8A944F164AF1E9ED69B03F6DFB6433BFF7F94317CCD8456FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00268_.WMFMD5=37757261D58A8FE94FA49E6DBE9008C6,SHA256=30ABE9D834146EBA91BA1383EC051D5BFD402E4F56593D2A1DC6FAEF7CB8E675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00260_.WMFMD5=51D60CFAF67802DD839F03EFC56AB54E,SHA256=3FF671E885931ACC0AD59D431BB208A64B2FE92D1AE639C8DE5AEDBBAA2AF65F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SL00256_.WMFMD5=B7B76C073D415EF22FEB50EAFD4915E1,SHA256=CC03AC3FC37A0A819E4574B35103F0CD73517C148E5308AE5D0EDCD2F6C3BE47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SHOW_01.MIDMD5=58E877FBB78B5FCD0CEDC99EBD6C9375,SHA256=EF18E2C867542C18DE2543047FCF6916A7427B8C57B0B0400367A2470E2DF68E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SCHOL_02.MIDMD5=DE5C1809AE6E60EB19F71B15D0D29F3A,SHA256=E21D46ED42154D57DC4295704F98379D135AF98C11B7E3FF4CA85870EA219CFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\SAFRI_01.MIDMD5=9B685D91E0AF81C64A2E4D00B86CAE78,SHA256=7847D90818B9DCF837C6208E2D49FAD4F409815FFDA0294CB4224DD76CCF2A18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\ROAD_01.MIDMD5=A4851D7AEE73B50F3701867659192C3F,SHA256=12BE71415E8FEEEC2FC7399DBDFE3BDE75A181E69538B2B0CD95542A1BCDC698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\RECYCLE.WMFMD5=5DC54BD1E59F57C77AEEC87EDC04E063,SHA256=B970AE8656100E05D7D1EC64381356A1A0C3F57272AC8B7C5D5141C7E4264A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\RE00006_.WMFMD5=D09731F5A4C79E20875D11C8285FBDDF,SHA256=9A910B2E0E33EAAAB96C512714C401CB6227CBCAC85B371FDF686C4C1C6E0DBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PSWAVY.WMFMD5=525D75152D2992B83096A73640765CB1,SHA256=495B5AB575B9502217C83443CCEE7BD8E297A8B15FCA257D1488D3A4A2081F3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PSSKETSM.WMFMD5=6D5E1FC0FEB2DB6887E1AB752927DACF,SHA256=ABA3D338D6C7A89EEB960D2E53F44D5D4C0F544E1A189E1E53E1F307570EF8C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PSSKETLG.WMFMD5=AF22DE65CEA57EF3AC76EC243748E7C6,SHA256=28B042A1E2A252C42B3BDC979F5FDE3767DCB301837F9588B865B31F45B540D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PSRETRO.WMFMD5=47F1BAC77F79EB5C25AFEA09EE0522B1,SHA256=F1F97069CA045028C0F9E8F11EE9901E5E644605A5761DF3B287B0D109DF17F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PRRTINST.WMFMD5=B77C1EDACF5CCCACEE46D11B6A98788C,SHA256=40B6CD81D07F7992FAF87798179A6B8A1529C106EFB045FF7829DC1C73B6D189,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PRRT.WMFMD5=4A2567DCF55FC3FF7CF81C41DE537CDC,SHA256=7AAE585D65412F49D797D0795038F592A5CC688B246891BAA9D3149C149FF4A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03425I.JPGMD5=25EAB8322D25D771E21A82876229C540,SHA256=A977606A895BCBD5173E0AB51149D1CC1AF0B3CEED178FDA3C0C9681CB9D8A5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03380I.JPGMD5=7DA70F6CA2D21BA471FEDA731B4D860E,SHA256=6795454BF1D30DD9A3852727DBA6E5D1ED0EAF304B11E294CAFF8291CE311019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03379I.JPGMD5=CD05469AF65A035A033E4D74B04A3B5E,SHA256=2DA2A2A9B05BAFCBE7A6241574E52BC0EDA6B51ACEF8FDA3131504B8E086FFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03224I.JPGMD5=D66185F39B281523677689B0F1CD3169,SHA256=10BA56532F7F66B001AFF63A7FB00F20AE49940DDC66B2914B710CB9083793A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03205I.JPGMD5=BABE56F1CCB2A2FA325FB2E77522B00D,SHA256=EC5EF5CF4CAD39B4F599AC188781C653DE6517E936C02B30D6817C3DD38FCCF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03143I.JPGMD5=4C4801EDAF87675DB222284BBFEF82D4,SHA256=EF1684305DCE3FE9DEC08B95389961179516B7004343D8A603847F22E09B5401,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03041I.JPGMD5=9A0799B8B9339CEC6A61177419DAFD96,SHA256=A26BF81E32183B6A6351813A3CD2B3EB732A942C087A2DF272888EC1B5420DD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03014_.GIFMD5=83C9DE54BD0F2550BFD0760B1C39119C,SHA256=BC560D2CA1D7F783A7D6727E5773013CC7A2899D70857D30110C52755B7D57CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03012U.BMPMD5=6B469D16E0D65416348E78998B0E9652,SHA256=E6C4A09E60E25AC7BBBB3DC9DCDAF6272E148F75CB135CFDFF6272FB7BDDEA2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2535CEF6141303ECE338CF8BE8A47E89,SHA256=44EBA8155D02B0741A32AEC275F50A6BAD10B300D0B4C9A2F260E62C0C5AEDB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH03011U.BMPMD5=F383C3D92875FBFF9018C6F775F15ED1,SHA256=4FAA91DC514EEB9EE825CAF1EC83F693C9DD925EBF49E1254792B58F01440972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02897J.JPGMD5=254D2BB1BBE6B12EDDAC34C3E2B81C99,SHA256=ECA3CE106D4E0F622EBF80D9B18D36405240DCBEB4AE47694AED186007DAFD42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02845G.GIFMD5=D40242738F2670C2E7FC456D859D4621,SHA256=6FA4A7C8766B672D0E69F304ABAA04A0E5779E30C38A7F947BD4D22944303C5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02829J.JPGMD5=C06B359598D5CDB17FBA998531B9CAE1,SHA256=1CAC73562ECD2899FAB4381E9AAB5C1D9C86FADAE068D90CADB3C40E8E98129B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02810J.JPGMD5=BFD25215B23A9BF8EA0E8CAFCADD174D,SHA256=2BBE18076A46D23758E7DB41BFA82820600D1ABE6CC95D4AF2B8DBF8B349D1FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02759J.JPGMD5=4F72BA09B29716FAB267FD82B43BA82B,SHA256=2AEAC6E5D724170B84DED91938B135B806C3C0157D06F7248F6636F7A5E4783B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02758U.BMPMD5=D058A7C500C03985BB02275B22864E8E,SHA256=90F7F1BFA817D4F79F20EF27B681BD32AEE2B6E32E1D5DDAAAD3549807927846,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02757U.BMPMD5=896BD2E3ADB442E977FAE496E0290D6F,SHA256=85E274B231AFD0967F7D4B4444339E8543181B6C8D5391B13B441E48EF555122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02756U.BMPMD5=A8B0B5E63FA01C6A02FF6E5D4491855C,SHA256=44B3C21D0909AB683729372D09F6144B9F37B323249A4E9DEB65FAFB66AF19ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02755U.BMPMD5=1CAC1EABB2CEEDED07A65713835C12F0,SHA256=F079BCD70044BF3C0D7C7366737BB7F99C6CAC0521483FB145026817EE83364B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02754U.BMPMD5=FD9FE373F3DE7EE47F0AF0AD77E63637,SHA256=9D43B061EB7FD139EACE35F0D87DE58F06160FDE78B50222ED314205B472782D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02753U.BMPMD5=58F00117E8E2355B324855D94AA142B6,SHA256=2C3C77521F667A8E0D13C645A9A10D2C236011EBF6270A1250E8B13350369EF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02752U.BMPMD5=D479836E6EA0E702BAD90193AB1FA83E,SHA256=51CE6CEDB7391B73E62F32D9D88F6C0194336851469C32550F44E5F90CFE763D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02752G.GIFMD5=4E9CB224B803C0E409852161F0A322DC,SHA256=A1ECCFD8D40AD97C64B5DD7628E40A890F2C2EAAE111634FF9236780FFEF1054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02750U.BMPMD5=A0D9A92538395226CAB4C2CB6209FD4D,SHA256=14336E1CE7EC916703CA11986A9DFE17C4A52434E38B69A874FEDE47148F25C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02750G.GIFMD5=B9738F7F68BC34AECDE4C1AF8EBAE062,SHA256=251D90EE49EDBEABCF2A7CE3B6CF2B679BDDEBCFD39D2B1A7582A5C787F01783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02749U.BMPMD5=FCF760C2F92DE6C71251AAA978CEDEFA,SHA256=E03A5EECD4FE69674D43D8D2D0DD3244F427D37A8BA41A32AAF83B8FB365EC47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02749G.GIFMD5=581189C7D714C47C7DF9E2A4E8CABA3B,SHA256=94B0DE85CFBBBBDBB8C6523EF77C8B1BB48DC300763CF12420FE3AE1791E41E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02748U.BMPMD5=FFB521A49D5286A08BD4CDA80D6EAF57,SHA256=967750FCF886BB155E8A9F15653D8EE0F2C140B6A08C7885CD11D07B5E16D515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02748G.GIFMD5=8F833E6C5D909B0C5DC3C8E67E386669,SHA256=75F334A44F0C1C047FC3F17A272BB1E14E5184493AFE097FF65C2E43374DAD76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02746U.BMPMD5=55D97DABA6570B7516CFB2421BF93896,SHA256=E8238981358056315AA1BCF93F67A7F98571A92CB9DECF0B8C98FF193737744F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02746G.GIFMD5=DBD1C4C6D02738F9CC8C64DD837BD7AA,SHA256=10D7762FD6D5586E350F5DE65C1E4AC6C154207D8651B5E3DAD4394BC5104361,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02743G.GIFMD5=472628DBBC47B98C8CF2FE3839838600,SHA256=FF105068B5A499FEFE00A7D29083176E88383CB6E0E0F31DED913B3ECE346432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02742U.BMPMD5=913DE6666719EA82F0D8501835E226BF,SHA256=236266652EA1701275AC1CBB9FFBB666A044966FD6D1E0865E74CF897016E88E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02742G.GIFMD5=52DA7919A284FBEC15231DBE7C259A1B,SHA256=13FF712C4B0858D9E6701D4C998C6264C98E82822E96BD6DFC1E39F00473B65C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02740U.BMPMD5=1A793A29DED4FCDB70B2B0B0D6329BF4,SHA256=2FBFFFF9CE1404BB22215019EAA7B96FD29BB745A5CD7F0DC5CBBE85FA551D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02740G.GIFMD5=BDBFA6715CA0B04860019D2D0D7709A5,SHA256=3E35AB98B852999E341C4A9662E1B6D22B0C6833E0BA3601C5E13F69D789E21B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02738U.BMPMD5=59EFA68551F0E2F1F168428A7E0D035C,SHA256=2E6452CA2E4EF72D24AAFE66ADB566D9C0699DDBB3FDB3606859E0F8B122B552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02736U.BMPMD5=B79FE2E3CA9CCC58CC76C16AAE05157F,SHA256=B7B6CBAFA724571C39D4472DE5B1183C9CFE7F22C7DDFB0C8A32EE15F87DF844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02736G.GIFMD5=7DFF15D6982BBD3CB45B68EDE3A4A3C1,SHA256=EE659AB99298F506096FBA2F323E46BB663DF8AD381394981F14601B3E919E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02567J.JPGMD5=0AE5DCFCC462ED2FF3FCC3642F596FFE,SHA256=2DBC77741B2DD4C2AECEA89322EDCAD3410EAB13DC5925AEBCD433AA6048B2BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02503U.BMPMD5=83474E0DE01733F0D0699D65CA7D5CFD,SHA256=C10C12E9CD80F08A7573B7ECB9901DFB57326542805CCD4607746E073136F4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02470U.BMPMD5=833FA6D98594A3BAAE8E5CCE605089A1,SHA256=21E9CBD625D29584BF228F3DFA48798181230E593D68A01CC5ECD8AE8A807B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02466U.BMPMD5=FA1830FB91BF6D20452090BF5D8678F0,SHA256=761A9D746D73DD94DDFA76BFC2398E3E86E2D64F6AF96D589E78C673071E603A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02417U.BMPMD5=6DFFE750F8AA233AD074EFDA6310240C,SHA256=24AEC1EA3FD2AF55DDE8F74B6AAB8F2AC004B9F322C0099F53B9DA25EB2CEB2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02412K.JPGMD5=B88F2EAE1D70A4E230F075B8205C5EBC,SHA256=5D357F1ABF9253D24A0DA341048C1DBAD54E928BE72DEE14F0AAB0C5C6C4B39C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02398U.BMPMD5=B39845C66904F2939D3207F98C9424B1,SHA256=7703EF0D27B7ABEE3DA61A3BA6BAAFF69D18C8E4572DB0286CCEF61474D2BCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02291U.BMPMD5=B52BF73F30BE75E93ED18CD9BF7064F0,SHA256=4E1FFE7126C7746B84105B31FB5F72632D07B48D350C81F1181BA5CBB416F96E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02223U.BMPMD5=1CB99145974364EFC4BF2F9270EBDCC6,SHA256=585510BAD37F043A15587ECACA4468CED3F5AB5FA6C8A1BF45C9EDFEBB9BA668,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02208U.BMPMD5=0BB4DC75AF21140D8CAB57FE6D2AB4E2,SHA256=04D4BAD167F8F3ED7C84ED67085653CBC2A803967906FE2B224279833580EC67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02074U.BMPMD5=9FE8401115BF0A3FACC8DC5A8ECA7D74,SHA256=F87C88FEF339BAA91FA5963AD5343D04B4AED6D65AFBF17293AD7C8622F543E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02071U.BMPMD5=F951647FFF958DD2A3DA820CC3353963,SHA256=364892B866B2F2E4F03CBC921CD0D90C9B645CF237A3D01076C91D7F2268708F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02069J.JPGMD5=AC2728F64AAD121FDABBBD24A8187CCB,SHA256=61DD89788E6FB02A8D7F02F76492A99AA0B3DA3A15578A3614FE60F767406B87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02062U.BMPMD5=25A92AF06BF45FB45B78D649C1D92F5D,SHA256=E0F330803F5EEE160DE87926D1972DE6C63F6D66A0BCEC65880F6408EC44F3AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02058U.BMPMD5=87E42A10F3479E5C6D8FC63923A97B24,SHA256=73C19B416523FEBD37615D007491143AE6F011870745BCD94452A4CCAECBC9F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02053J.JPGMD5=9FE081A94F7A7D24F3BD1036128CEBD9,SHA256=B099D2A6CBF652E6B8FA74545841A66A9D828C2D6A1931D64E1686C354AC0CB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02040U.BMPMD5=E9C917D5F255FD106CBA3833EC55FA04,SHA256=F8B5C38574A7356CD70F4777F3FE953591DFD780AA4CA0D2D1EB76AD8E8C362D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02039U.BMPMD5=57C1A360DD6B359D39E4C1E2610BF887,SHA256=DEDCF57E0F7AB6484EC58631C713CEAA6D96011222B4E393A690B70B1A12045B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH02028K.JPGMD5=CE8823F26BCBAE288F7980285635B346,SHA256=C32473C545C76F6FC1353DBC3BDD9136193E90611E67F482479966E183B3E700,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01931J.JPGMD5=D0F88DADB9B5933AF10207D6FE305331,SHA256=8626A498A2985EE64CB03C4C950669045D321AF8E0CDE0B8A354FE193A61179B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01607U.BMPMD5=8650E6C931CA2DDCF09D00E7058AC0F9,SHA256=2BE44C75DC994E3A80672EFDBAD6AD7CC08B04C13E4775273485B8E1C49CF5C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01562U.BMPMD5=B27A3EFD7926D72886887B6587404FDA,SHA256=30E6789A2191C6F06C4FD88E832BB5A998DECF4220FB5433E7A06D39C997231F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01478U.BMPMD5=2A5EB62C21F14223D7DD7B8D4F655B6F,SHA256=0851B1A122BDF627BCEF497BD43FCA2A52EE49C791D35DB8A82232656C37AEFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01332U.BMPMD5=B28180AF3FA979DAF2D9E0E7D915FBEF,SHA256=A0DF9541871DCE6FB75A0DC6F39D0C3097F250417ED11440C324D3D5B62CB1F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01265U.BMPMD5=E8D966CBFD6EDB53CFBB746B4F1E403A,SHA256=1D8BC1B34C186ED3D0F53FAC579282190B7A76EA0FDF761977AD41F260FDB2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01255G.GIFMD5=003C15DF0C06BF6B4E9E3A98B2E2EADC,SHA256=BA692CA576ED8EABF7E408322D8D815A5D7EE55D5397CFC0F0A472AA8DDD3C10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01247U.BMPMD5=5DD8CB143153DC076707BB2886EAC235,SHA256=CD92BBF0B31C75DCCC1E073AB789772824493A88FC8F88CA3C680DC668B5DAFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01239K.JPGMD5=942208795976DE4D6AB1966736ED8DDC,SHA256=982A0AD9F81930ACDECBC178DFF5C2E4B8005C61BA7073681FA8C49D2BE735E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01236U.BMPMD5=661FCA435353562236F6CD5AC7C908A1,SHA256=52AA80C495C346BAACB5C20545685EA3B944444105225DC19FE06CF0E17201B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01235U.BMPMD5=F265CB9151BBADEB3C524487D0756C5A,SHA256=60511DCE35BE0FE7564C55AECDB6DD67D347626CA10BF00314B0DED269226B74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01221K.JPGMD5=0D5A6E78FD46D5C65AAEF5DD6B07A7D3,SHA256=D0D16F5D4246B26DB3054BB7CB61E168E9ADBED07B5E065000C96608DAC66345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01213K.JPGMD5=3412A2FAB163CD31F55DF2B067A7BC82,SHA256=2A513B0BA36C0834D646DC6E9025D1A57BEB89CF3B9742258B095206319A5BAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01179J.JPGMD5=94741EE5111CA53449E640E9DA55BF57,SHA256=8603443D1D29A4CE2B6299A20D2A299E086B237B0755D10DA654A3260E815BD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01046J.JPGMD5=A00BDE077937D21F2A5BA19FF8AA5AFF,SHA256=3DA0F6FC4AF3EE0FE8891EA5C4C9817FC82F67D88BED255853D0464E7BEEDE0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH01035U.BMPMD5=87DEAFE3EB39CF9ACA5C3E1F6DF21A76,SHA256=9C602EE8EAF1C34BE1308754FB3999E44D2E3A59292ABECD02B12D2D4B6870F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH00780U.BMPMD5=E716AA5FB01D1F782AF8E621C77207B3,SHA256=3FBE4601E3EB4F2552986C267708C36B695533293357813591591FB056684799,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PH00601G.GIFMD5=EE991FB15E947F688BFEA58BEBD1C7CD,SHA256=15B5A54BEA97598D5BB283E112CFDAC265FF837E65DC418789EF983516BFD9A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE06450_.WMFMD5=4673865E6137C326DA3C6B5953045807,SHA256=D912D761FDEDA3772BF6B1B4CF0ABAADC4FA219D5F8E86B4E5E0060CF8515C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE06049_.WMFMD5=802AEE695425FE13EAE5DB1307A0E0F8,SHA256=DAE91F7A7A8E05AD1842C997682661575495EC61EC038F173BFB447AD67660F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE05930_.WMFMD5=D30C8E0BC70207BF0CF0E3F0B685CDDE,SHA256=2771B311457566EA3A5885193C4A2074D03A6A83870797B22E043FD526B44581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE05870_.WMFMD5=F995CDB544FCDE642BB62950B38798D5,SHA256=0EEA11E4C14A6D87C72F2D5F20A5E6BA8EAD3E420DAE149E29D4DF6BB5007C47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE05869_.WMFMD5=F6FF76430D97831E91FE8F9B24785ABF,SHA256=76C67908D70435A40048BE208014E8EC1987483C3FCD38B30972D7158B681A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE05710_.WMFMD5=22E376938E48F7E9F13357F419F0C0DD,SHA256=9EDCC2A4AE4AE121880DAD0AE893EF2A1AC14892B38348613A2D27C1169C2814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE05665_.WMFMD5=B7D41D615A6FA5E14CD785D541CF4AB8,SHA256=DACE2DC228EEC7E2AB1EAA9F45A329EBD13DB2012FF3353F50828E6388A152A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE04050_.WMFMD5=29A108EFC4DAEF50CFEA33232E0EC6DC,SHA256=F61F9EF53C5549FD652F00B9AE91450B0851A6EAAFCB3812AC9364AE60539E06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03795_.WMFMD5=357AADC5C71EFBBEC77EA1D6EA66076B,SHA256=158CC037DD429907BD609105CC373100C0D78CEDE8BA752627F1AEA1279342F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03731_.WMFMD5=D134A0E7A114E6FFC5B13C5611424AE6,SHA256=257A330D42362BFECE61D7D166E14F2CA689D44C2393C816E29D02E852E10EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03668_.WMFMD5=447576871868B7BE9D4A12B4CC8272F8,SHA256=374FAD12A9535194263C22C390AF0F13B4C5E569FE4A9AE586C9A39C9E149AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03513_.WMFMD5=3B1469377F351759AE776760985A7458,SHA256=7913C7D045BBDB8482133FB481FBFF09CE4BCC9C88113D1C4D371FE2584B3530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03470_.WMFMD5=BF7267F7B321E6CC549BC33CCB2BB3DC,SHA256=147D3C80513743FCC33A3A8E51F7E2980E328F644E7C6243A2807DC75CE61E53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03466_.WMFMD5=5A7E2A0156FA165E3FE4F2630B50A21D,SHA256=F302DBAF60DB4F97243A1DDF763764D570364D8EF17AAF01217E4FCA9CCFDC2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03464_.WMFMD5=176CE70B750DC76AFC288737DE27802D,SHA256=0087D462B44764E8A08346B1F35E28087DDBBDE7008A5E74BE7882F655A1582C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03459_.WMFMD5=5EF616B1CD986CD1CE8C65FD720E26A2,SHA256=5D6B47F3CAE26F70EDF6BA90B56417B197258F72BD9653BF42BF49BA76092FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03453_.WMFMD5=6B99928158BA20EBF12852A3A6DC919E,SHA256=5EEAD53BD789554A93BB5778D04FCF5F6571D5B5C3B69ED1AB91E5FCC07C8FF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03451_.WMFMD5=092B2665FBB1C54C5115CAF7B9AE8BA8,SHA256=E8A8B619799EF283F608313C67B7DBB1283CEDC555AC89FDAA2F66DBE08D516F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D9DC5CDAC1970940F360ABBEBB9678,SHA256=ECD827C81BCD06532838EA3A4203826AEFC18CF45F5271DCABBC4A894A2F470F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03339_.WMFMD5=37904E0EA97F15CAED37FB84DBB9D13B,SHA256=938547A9C5315D9DA6430C2A44D7494AD90F90ED8F9F93DC1327E11E4582A5CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03331_.WMFMD5=C47D89B8B08C7EA1D1B0EA97DDAC5419,SHA256=1EF2A2C02F4E58C895944F4910CD883C5BF51C0173D0D31DC516591A0CEE83F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03257_.WMFMD5=571FD93FEAF1B44183F19F21AB887329,SHA256=3A52717AE8F39E7263FC4F136B056278CE49F60A0B00FA8D47A98DBE0E97E98A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03241_.WMFMD5=9A8A6B69C97271090D21784E2E063429,SHA256=8EDF0E6291D44600CA611E7F949A77130354E6AE6140B6A729554BB812C4558A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE03236_.WMFMD5=69E5E0110DE33910AA733C25E9715A58,SHA256=2724D3C21849CAA8B6C0810E063A40F61E32A8F64CC94821AD7B5EA1AF2DCE4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02957_.WMFMD5=89479B526D46BD869C1A345B8837158B,SHA256=43BD11143C1C948D0AB38CC347C9C9EEA282A35FE8E8498D66C7730F53B20D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02950_.WMFMD5=17E9E2CE02038D6F34445E7D76498EC5,SHA256=388C6969E40659700A929FF2F75BFAF84E1B8F4CDEEC900620B9C4F260317D62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02522_.WMFMD5=BC21C70CB237461B1476ADA502B48FE3,SHA256=35AD2A2050D602D71051AFD8B3698B233E8307840DD090EA453A0DA6D6448E10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02369_.WMFMD5=5213652E6C4157E7DE1AD1A5BE1FE258,SHA256=E8FCA612F8553D747F766B81EC17AA8549F03BE2B0721A84496DA9688C910259,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02296_.WMFMD5=F8F3F6E576743CC20EE4F0D1B86ED07C,SHA256=738E445713CF652564F9719BB23A8E430DA658B1981DB0FD402A7F6C6A361CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02293_.WMFMD5=20714F1617D5549A37B9E8F385B57EB1,SHA256=B8A4968F8D6FAC7969E6900391F2E6FA72ABB026EBB980F94554CE4B3DA45E32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02288_.WMFMD5=1795D18435168CA329DD512BC7E93F3A,SHA256=E45A52A00E80D5E604FA72783ED139DA82CB41FE340A0BD3E15CA8D6CC350B76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02287_.WMFMD5=88DA19633FE3B434FBB13DD4D21A7588,SHA256=EFE1A2F325ED9B79E2422B084F3E655D892BDC5922DFA42B9546DCF46AD2031A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02285_.WMFMD5=941E8E1425F0E6743B879CF46EAC7CD6,SHA256=7E5A60FFFEA9C44FBD0A8CAEB6D6B6C31230E4C81DA85E0D070EF9EC12DA8996,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02282_.WMFMD5=6F8E60085C9CBBE15BECDE86382EB745,SHA256=EA19D3FA0B32AD107AA3D36EB65387B900F43697D93143CDE6F70BEFB57E5C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02280_.WMFMD5=B4ECEBCBC2BC9A7CB19DC3D80146B849,SHA256=93018D4EFA173EBCF7969DB86E6C4E500B280EEAD21C1F9E22A67D85215E106B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02278_.WMFMD5=4A1BEE5257CE33B07E7DCC9BD3A9E08C,SHA256=49288649BF9157711D3EA3E5DCA58BC0E053F83151181A28DC4CF48203A97436,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02270_.WMFMD5=E39956E257EEDA5370165600557AF095,SHA256=C41EA13B2831C83F0E4BEF5F03FE3E18B5FC41880966E09B3BE67CBB0E985678,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02267_.WMFMD5=061DD6E62097171264FEE5AE3563A9EB,SHA256=326535CC2AF71C440E15B0736E918F73179D6E7FDB18B186615B268132D706A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02265_.WMFMD5=A5805CFD8F9546FE2F5C5B9FDA8C9477,SHA256=415D3B4324A8DE3404EBDA4BD59D36479F1C77B3B5B870EFA31B8A0DBBE5C0C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02263_.WMFMD5=2097A0D282D6AD2B5B39B1431C352EE9,SHA256=F55B2C784F32083C236DA05818E3D8DD82A2B6B4B2C968CE1009F12328327772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02262_.WMFMD5=2E6427E5E8C1ED53CA9D15B80873FFA1,SHA256=8B99C52D164485EC0070877C8F776A60B2A13729DFC308DE2CDFCEE78CB3358F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02169_.WMFMD5=296EACF14777D2877FB3611D6157EC7E,SHA256=D689E9E021A1410304D8D6C3B05D356FC249778885E0BE166A1B19448FEB5563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE02120_.WMFMD5=8ADA67622884FD86723E020C97E4647F,SHA256=EA3BDBBA7EDB31468BB755D442549B518FAEF8EBF73E4D7A2B053A3C40AB9EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE01797_.WMFMD5=218D031AC79EBCBAE7C5C66DF7FA9C6E,SHA256=7C863A2F7535E608D82B9641D2A31C38BAD416BDD01BF1652D7A0E5CF51129D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE01661_.WMFMD5=DB159D8AE5351E724BCE76B38D8B0ED8,SHA256=4EB86BE8B24CE45D29F932B6D344688DE4FF360BB0A5613D9CB8B1307E4E35A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE01191_.WMFMD5=BA473F9B3A2EA8E96019272C09C052C0,SHA256=46DE5468DA6FD6A9AD08CA22318CD086F3EE0009AB7F08F1929F9CA8A4936910,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE01172_.WMFMD5=A1C26F053989B2FA03D596EB96FE8880,SHA256=04FB901CBD8FE345FA8C54F69E630FB079757BAABF029EA9BBDE13B5947281C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE01160_.WMFMD5=7C5FFE4E3BF3FC05B17C94338418C826,SHA256=66285C71B698D6B19FE4CEF15FE8B62C31B966B10720D126ADAEE254CBA6591D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00998_.WMFMD5=7A17F7240511BC50A407CE7397277DC1,SHA256=098EB57E9BFB7934E40620F66ADB3F61A960B283E6532062D9520C0AEEB88E82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00934_.WMFMD5=5C1208117438214162737D808CDD6D3D,SHA256=E77CE90AF443BD0CE52A36A817D9FA55E8BD30BE800880AA735679C0545D66F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00898_.WMFMD5=5C2D49A777A88D5FA0425186EE763A85,SHA256=0AC1FD2067235CE78B1737157C0350EB0035E7B67DBF188A9D5C35F7F8C6D79C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00833_.WMFMD5=E864F0CC31844ABC8669D560F225078B,SHA256=A0E2B6E0A4ED0B83681246B793AA3F1033522F0849C82D4ACBF6FC21646632C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00737_.WMFMD5=DEED8F39383FFF593277B04CD387EC29,SHA256=56E088A7D11D785A25D9F5FC405D03CBCE8FE18C129BD5AE81A690A1950E823A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00726_.WMFMD5=E30798D4CC922A94CF05C75C13E46D67,SHA256=953444F109A1F00D93117CC25662F126F0F2024AA03EF382B480392AA7165EFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00723_.WMFMD5=665B8B34CB1E8BCC67DC114D7BA69D22,SHA256=7607365A20DBA0E07D4BAD678C6497499DCDB516E6B06BC06E77AAFD81F99084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00720_.WMFMD5=2E20187E7DAF3640BC68735A7F6F4A9E,SHA256=739C9D90B11EE9A8FD265EB1829BFC27E847E8F6EE507618194E53ACD19F70DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00693_.WMFMD5=C792F0FA03C2433A60638E18C0A20DC6,SHA256=D652B10CC8341C5695A0F8CC975A245B69FA800CAEE1FDCC6E3CC1A920481220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00686_.WMFMD5=054DFEEC114DF169BC9159915F03E86B,SHA256=287ABA199714925836C329DBD9CBB98EB93E63EB17B1F9E9A659E18EC12BC2D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00685_.WMFMD5=45C2CF0C40C0B95866830A5C62845BFA,SHA256=65ECE95DCD03663AEBAC81E76133F52456886AD21704653BC6870CCFB306332A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00668_.WMFMD5=0BDAA8DF56BEDE7E9F5D3DA076905340,SHA256=4FABB3FB2796500A4825C8619DCEC59C1A6E3765A0D5FD5292257183AD8705BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00640_.WMFMD5=BBECF40C6AB6E53B4B3FBAF4BBAF3281,SHA256=FCBE5BF8D2476A7920DF0999C2410E2F94CE4EAC6160BA0AAC0BFCD037357387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00633_.WMFMD5=BFB8876EC267EFDB42FF4F2BE8246178,SHA256=74AC7845262883D21417D3C57E95789C60B3470AE61C3968C59D7B9296883920,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00608_.WMFMD5=6214AD51C752892F5CC6C092C8AE513B,SHA256=E9D5DEEB437090292C739880F7FC58212421B21C992ADD5DCA5905EF278E4829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00578_.WMFMD5=62105C8BA97EAB59BDE5501BE8EF60A8,SHA256=D0BC83BC0F9DEFB87D69EF2400D982824E70E66D48855571A08E0C0B13CC0592,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00563_.WMFMD5=92F83FD244F6330290955735880C069D,SHA256=55EA6335D92DAEF5B6295F5AF29C4DD385D3A01168705FA60053EFCC0B15DAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00559_.WMFMD5=CC1B7239A11959ED210844CCBA459CD1,SHA256=500EDB2879F79BEC453D5265386ABC8CB5732432804437DFC858A24E673FD9ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00555_.WMFMD5=08B86306D587927D3BA00C2C0D578E4F,SHA256=F8F6ACD5BC9A32D9539544481667DFE161240C1AA575535FA2C5C60BCF0BA55D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00542_.WMFMD5=C2AAA97C76D402B1FB07539805D9905E,SHA256=753274724CF3BECB4F8E700870EBAF7828F2C5BFCF97F5370B5C0E694D42EF84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00531_.WMFMD5=7F789ECF7A14ED50E293D4F4D0D6F5F4,SHA256=7759577F7D1AAA839C58016700FE57E2478A811B65323C01F6B0E5D8FB7C4D70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00489_.WMFMD5=A78F824A9580F1595AD43537C10C2658,SHA256=563E6557929BFD125BFE25FC9C6BF442A5CD3EB159660220C3CA59E216869013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.094{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00485_.WMFMD5=48DDC2034556A5277E7E4D1692676694,SHA256=6F99490DC29BE52EAB84A322E06A1FE33036EE96AFFCEE0CC50AA944453119B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.093{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00478_.WMFMD5=7750DE99B26987801F9126661B5D84EF,SHA256=83D1907B61793D001934CDC59C00329AF0E213DE8D428072A0BD2DB6065E6B61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00468_.WMFMD5=BD804EC7C6CA5E9D1F6359FCE578EA32,SHA256=A96F20F012E526D19B9F48B68BB33E17D044663835407390EE990C9BC2BB1842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.090{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00272_.WMFMD5=6120AC1DE46F2C316FF8C5872627468F,SHA256=2D678F915256C168DEE44070DDD456063E565CCE1F782A1B4D0AF69B25822A31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.089{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00231_.WMFMD5=0ACB505D0EB4D6753FA850BAC3501439,SHA256=65A9E45375A8F4069333F460EEAA796462F00B6A94A3715351FDEAEE1BE1EF5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.089{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00052_.WMFMD5=F62E25955D88DB2B4AF21A4BC660DE90,SHA256=E6FD709B4C69F248414C940152358AB12666B903BED596FBB41CFD1D1FA5F42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00050_.WMFMD5=50711B7EE66975A0DC5AA26FFD48EF01,SHA256=11AC87FB80DEC09969644A4222587114ADCB8386A390CA5CA7ED80C3733CA988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.086{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00049_.WMFMD5=30AEA1C6312003FDE0511D0E6DD07A97,SHA256=00B3AFBF6D3A33F5F4022A78CE2393851D7A650BF4B057100621176CE44DE9BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.085{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00034_.WMFMD5=62664DA832AA02170533EB6F49BC2821,SHA256=0486EDF72D34FFF9603F4F0E4DE90225D4AB2CDF0A43B1206209B995B81B8539,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.084{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00014_.WMFMD5=5903FFB2FAE40A17958FE113905F681C,SHA256=B397448C5F55E950813628C2DCFE969E3D3C11AF7A9D7AB876F76FE9088252A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.083{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PE00013_.WMFMD5=9A27E2B96575AA32B6D8F879C9B60C5B,SHA256=DFC79F0D9B5B3D298EAA5ADCFEDE9F984C10F4D20FEAC518A88084B46B014BE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.082{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_10.MIDMD5=6CF5A9111FEC0E52EEC4E7676CF3A1E4,SHA256=D79E7B38361AA437DCDF360A5AD4EE0D6AEF62F2EA0DB4C39CEEAF23261B168C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.081{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_09.MIDMD5=60E454EA05EE72FF65B10D804D9AC127,SHA256=FAB6C0FC2BD25A68AC7F6BC4760F9EC67693B1F462D74137AA6DF10032F07F0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.080{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_08.MIDMD5=5BD3E0E419DD72EB10F6DAB87CF7B09A,SHA256=1593B34D8933DC8B27FE0AD53FB39D3A7450B37C6F4F3A72B91EB9FE3F5207EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_07.MIDMD5=74F40D6867D992415897995B519EFC89,SHA256=B40DF5FA3E863F15ADCCC950C9B441314C31C8323B83DCC81D7A32E0CDC2176E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.077{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_06.MIDMD5=4991F63D0B25D1AA186784427CEB6FB4,SHA256=82A0D63EF35B4C309E0D9FC0039E87C4FDD284C38478DC0DC831B54225142B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_05.MIDMD5=CE44F3232A8FE5CBA24102FFB22A1B59,SHA256=1FF3FE657CFD8BC4616046CD5D310C3011B8CE1C15D9465C082F07A9EFDBC089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.075{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_04.MIDMD5=FE90A7B4FFB3A7BEED7D93460E66B1FC,SHA256=847867E8556465933A9A9F75E6DC979D52C23438CAD03EF1428549744FC8A1AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.074{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_03.MIDMD5=D7CB37E8B27C5F9666258150EC297393,SHA256=FECBF1AAD05C1B6E25D98F0DD9324D0F59AE07CB2730A90152DA6B3B424135D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.073{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_02.MIDMD5=95976B8197E709AAA2A1CFA8935F7043,SHA256=9C2304F5C0662ACCB1F176304714227C97FE635F321E1FA2630895179D05B3A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PARNT_01.MIDMD5=EFFBCF6772596D32C9937725BF187AA6,SHA256=C43E3AB54A51412237E39BB5B615BEEF96660EF6D1F24149733FE0E41EC21FF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.070{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\PAPER_01.MIDMD5=2D4FB03C4BBEB0269FE2CBCBF989B051,SHA256=07EC1473038F8F9BCF1911931DC8A54B46B58ED1DB96F7EE4E1ACDB8F8B69EAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.069{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\OUTDR_01.MIDMD5=993E09A9686FAFB434FB3A7D07E48299,SHA256=F72EBCA8EC6D8AD521569C9D5CF6BF7549D43865B2A168B6E1078DE54615A828,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.068{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\OCEAN_01.MIDMD5=2BEB3272B3A7361E1AE54167BCCD0B5F,SHA256=6DCBC7A55EA913959A8670BC2B92ECE1FD84270F4B4F19E671E22D024026AB9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.067{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NBOOK_01.MIDMD5=D9CB5BE8DCD7F6A7C2196E6C6BAB64B5,SHA256=71B146FCD64E09C66E12A31A29677BDCC5ECCF786D91A846502FF8505DB1F9EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02453_.WMFMD5=652DFE8188B16DA0A8E6A5B236EE4B62,SHA256=78A09F4B554FD9B412FF79FE914A75709F7C4C28C8E1AAEE8BDFD82065A4F49D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02451_.WMFMD5=2CCAD4B27529252DDC679A2218AB7076,SHA256=10331B1F49FD694CF06B3071A5565AD4DDB1E1B3327FF5F0C70FAB4B957B2046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02450_.WMFMD5=9EF6A9E6D365D47291CEA6434C482818,SHA256=C72EB66D86F9C09A183A3912ED18FAE0945005C513B508651522977A91D7432B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02448_.WMFMD5=9EC4244BB6D1E6C9AA94E612E1CC2875,SHA256=78AE24DB7E24510EC233578AAE5C2D38EBA98E7F8959E2DF16272CA1702402BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02446_.WMFMD5=996182D3652FDC6CB6F3702ACB9E7249,SHA256=517A219FE96C212D5ED46F05D3D672A9BB1027F941D72A1C73B11983905A40CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02444_.WMFMD5=F9D74E5A1A7A255D050C8F7ACBA77DB8,SHA256=532A2C0243105B5265E2F7CD957C766883E81013197A27AC6AD65D12AEEF64D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02443_.WMFMD5=AC74ADEDAF365C0D857BBB0663F4001D,SHA256=41B65D5B3464B72C4A752D8F18C3977072105E442C5C21060F1E20B6FB13452D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.059{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02441_.WMFMD5=25AF35A8A1B30E031238667BD7130B4C,SHA256=EFF1504F05BAFE5FCD5468B5C66E1CD58F8A04A1753E41C45FB6896FCEA87782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02439_.WMFMD5=6596EB8F2183D1A6C5B07587AC03F746,SHA256=1FAA21FED17E1E7E6C84EEC69640B5DED448F254ACDA7E4ACC1A32BEE6F59F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02435_.WMFMD5=6C09C270B8BAE12647C3F3C0BC93B12D,SHA256=36EF34E997BA230F02E6CDB2F8EC57C9E6F5A5ACA2F3F1FF9448B5735F0CDC24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02431_.WMFMD5=ACECC4EF7433A23787FB52650D455B72,SHA256=867F2515BDE947D7C00F794CD594BC160688710ACABC811E2DD4E7E16E4B400B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02426_.WMFMD5=988AEEA424A03F7782DC83A7A9E9DE5D,SHA256=CBD59B9455E3019D357D9A2D92EEB694E0D466F9C29B3EA8A8CAB7B39FE862C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02424_.WMFMD5=68A5433B8DDC78E1D9DF71BABEDE4488,SHA256=B5F1BBE05F11B2F278F6B49C48CF773B58F7C25FE3DE0CF1663E66B77F4D4E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.053{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02423_.WMFMD5=3A819BD6307A99BDF57CB0C678876D49,SHA256=747671DAA6B83168BFE89E25A5FCDEA38BE35C9E1FB4A4DC5A8C01D8501C3508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02417_.WMFMD5=5A53650839B747A255D50C759E9C9E29,SHA256=1B9F63D7EA1ED82D5D36E9F1AC22988C7A26BE06D72367BA94F074A39BFCE209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.051{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02413_.WMFMD5=420C702653A68397B3D172C93396E0F9,SHA256=7C30AA7FAADAA905FE52FC927B521EE9BBBDF03FDBD57560BB433EEB302FAED3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02407_.WMFMD5=27FAEBE000ADBE290E640F0279BF8467,SHA256=9DDAFDF883F161677093EF9A921D28286E61AC884C3F7DD00E86AC392D13422A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02405_.WMFMD5=FABB1917FD807B4C927D5D828833BA3C,SHA256=6592A09ADD685E8B886EB9C7046DA7431FEAAC554FDEE685B8A4A0C749DAF94E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02404_.WMFMD5=B914D8E4238D937E5589A45B642CF472,SHA256=0E3CD53551519DE70C2EFECE4BDED15F595526F1073ADADECC561AFA80A8EEC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02400_.WMFMD5=61C3B68291337037A4141F9C1E276A3C,SHA256=EE0781D39EE6C5AFEAE8CC2D443FACF556865F8B4655A0DE0F53D7CED74456B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.032{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02398_.WMFMD5=30E1F50FBDBB86D666A1A4152E5FF5C3,SHA256=78A122ABEFE2038BDCB29087E9295B1A052F330CC4606C4D61CEF1E929DC0D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.028{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02390_.WMFMD5=F5D99B3F295EB694EC4C2FB27D119418,SHA256=655CD6080E858C143F0A6E38DEFA3B9FB2E4BFF6093607ACA444007D06BEFB08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.023{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02389_.WMFMD5=E483A733A9FBB44747702E2446BBB0D9,SHA256=9D9A1255B3CDF31ADC71457B1DB76E06859E58F95CF6ED54FDAB85DA135418CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02388_.WMFMD5=5666E7E2F0A46612582CDF2FDCAEF3B8,SHA256=8B70C8ED5479AB4C6342EE34EF5668B6EE33CD0ABD0ABCCDC7E2D8CCDE7ED45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.017{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02386_.WMFMD5=4A605F35E7DACEE4BEC67A58063C2636,SHA256=95228121FF2A7F5441EA6598E7F4A39861EFEED6E7F85032314476362396DAE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02384_.WMFMD5=3B01B7F02A24C5C9AE0B22779943D865,SHA256=489FD1D8B8A34D24049746D78B0A766CC54123FE0B6E2723F79A11B0C9034199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02373_.WMFMD5=D84C208419E869DF0CA572E741CBC7BC,SHA256=BA2461F56CD1F07591D0BA763D135E5C15908B28C66570F493316652FBA7BB06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02371_.WMFMD5=1CBCEDAF1AAFF5F099743187E4616534,SHA256=95CFBC107B809E4A4968CBE4F67077C837A79347ED0ECBB65E15D0536C390436,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02368_.WMFMD5=22CACF41CF47093B7414C993BD6C9C91,SHA256=484200777D722D63614D3D407F5870EB924B5CABE5F46FDD20DDE1209C3ED71D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02361_.WMFMD5=113D68115C522D3F500A7DD1284CD28D,SHA256=1C3E1C640EA8AE76D974110765821CD9D78CC4D5F007E6B8E781A2A9FA43DD0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02356_.WMFMD5=66C11FFDDB83A50A7254C315BF913D12,SHA256=A2B790FBCD1AC3666BA7FDDD7346089E05B36CA510286525CF0819D92BC375A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.008{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BBB9ADECCA3D9179C164927F45CDF5,SHA256=244DCB84695BA496FBE485833F312C8BCF992844A69140870A6F78BFB2025D47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02264_.WMFMD5=F48497FE1DBB430DEE68084FDAC75957,SHA256=F957C6A3F2650E07C1BE3262ABEE08AAFB64DCC0C28DFD046E52266EEDCC55BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02262_.WMFMD5=82E8711B3E29E2C1621254202143EDB5,SHA256=04DAFC4D6B94592952A532E2681F36AF1F3D4E05FD5C4774DF694CB59329DDBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02127_.WMFMD5=4B45CA05C132D83FF001042F665619FC,SHA256=287B734D449237F5B91C750463B36D61C573BE6711C14876E054501A92109F68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02126_.WMFMD5=FAC6DB342EDDB29389056AD4D19DCC7D,SHA256=2861FA5456890347D52F5968DB8315AFCF2C454BAE358CA4A0BE1CD0A0037D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000324689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:10.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\CLIPART\PUB60COR\NA02125_.WMFMD5=741A89C8FB372002CF33B73E970C64E6,SHA256=60DC2EEA0BF53D5E4A8C62171053DCB434DDD26274E325DF3F94A89E88817E8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.927{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F2609E69B521DD64ECDC3859588C60,SHA256=4E92CD4B8C9559723E4C3C55FCEDEFB29A049BD4C2178B76E416E7A77C9DD462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:11.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27F56651DC502CC424EAA90D6823DCB,SHA256=5A4DA18CD240449A0468017E96B270E64B8CF9FDDFB99325BF2C9D55FC3CEF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Addons\OneDriveSetup.exeMD5=57BD20860B333E1F0AE01D612BF5D8A4,SHA256=8E38A8A019E4EB0D2D12DDB43B5216CD3EB78EFB85531A598090E825DA640E08,IMPHASH=0E0F2D94DEC3CC19CD327330E4012D60truefalse - insufficient disk space 23542300x8000000000000000325286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win8_RTL.mp4MD5=3B2587A7EE0B3607386FD15EBBCF9E56,SHA256=A2F6010CCA01E73B1BF3FE55B71203C4D605519B757F9D11CE29179C5EB6ACD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win8.mp4MD5=89767C3BA28300FC97CBEE6D92BCE086,SHA256=CA41A1E25D44E813AFB8A02767F751100CA94D86E8F4959AF3CA2A26E549D683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.017{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win7_RTL.wmvMD5=E7FECFAAC32340D84D4DF1BDA47A072D,SHA256=0CA8633B8F2DDFA6C882D87FD9226B21270BE95786B25E7E7745325EA8418070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win7.wmvMD5=0353923129F14492A7AB21EFF185B7BF,SHA256=8D8CA972C30DDC7EA83DA749EBECAACC1FEE40592336E4AFF861F8AA48563D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:11.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\fre\StartMenu_Win10_RTL.mp4MD5=A1C9A1D2C2FA6C62EF9D998C97015EBC,SHA256=75D8EA3A8BA110D2023AD18D6D3D1A81D80C6B81666E757370E24CF9C82EA3A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:11.157{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:12.374{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29990C22EF5A52DE63397DD9C90E6AA6,SHA256=43AEF0A9C82DCB2A94BD346513F4006F2165511D3369CA3C99816F3FB0A29A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.office32mui.msi.16.en-us.xmlMD5=2A21B58F2BCDFF1519F2E2E7DB9126F4,SHA256=083CE6854A3A2035602C47B3FBC0A7DAA6D75DB2E73CFF095D30D2C8E397726F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.lyncmui.msi.16.en-us.xmlMD5=3F13855D845CEC1CCF51A8D073990679,SHA256=BB5924A1BBFE28B391DDB7825C1EB2AF5705CF32FF50101D98BC26768FA86258,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xmlMD5=B1E0609279B4797E2122571565892FC9,SHA256=6FE20F7A5A0055F7393DECAEDACCC5C8DFE34DC774EBB88F2DA8DA7ED53E89E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.excelmui.msi.16.en-us.xmlMD5=E9C203E95FF534A23332813BBA206D71,SHA256=40C737AB2257D84991BE44F967AEEE9C32049783F30BB965E4631E70180E84A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xmlMD5=6FA3C6FD4E2214B02A02292D1D8D172A,SHA256=A04EADCB14AF53D09BBE934DF614000D636E5468EDF107C51333B0FC744BE71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.981{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xmlMD5=2798405065BDA739DCD566BEA93C7AB4,SHA256=10F7137327BB4531C70C7208E87D0708A7F62CDF42280C750EB0F52288387800,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.980{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xmlMD5=C2C700712404345E807C1ADEB0E40093,SHA256=A656062FD117220163B0DE532C3271DC8D8E0684FBB2D2618121F6EBF4A58354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.accessmui.msi.16.en-us.xmlMD5=D71B228AEAA9FAAFDB18523969F2ACBE,SHA256=9AD57AB3DF2740D4758AAF667171F3EBCB540AE177A78D8754B053CE08098CA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Access.Access.x-none.msi.16.x-none.xmlMD5=2C7D500BF26A39EFE237966C6F374F5C,SHA256=C839295079DD7F0D013EF56DFB4EB44D9A0092D6DF3AD5AFD0843D190AD42A3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.973{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RIntLoc.en-us.16.msiMD5=48A4697299505D83EE84E1A8082C76CA,SHA256=303BE86CB1716AB4FF30D1DF17ABA7355B59028871B8BFCD5D7C925DCB5418EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.971{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RInt.16.msiMD5=E1BBB29285FF3E08C66F16A3F9BFB315,SHA256=33D432D7542DB245E327A2D549907E1E7CA98F785D9E0010F0AEEA568D1C1A16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:12.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Addons\Teams.msiMD5=F335C918ADC98C5E641A9B65B2083CB5,SHA256=861F955FD50DD3120E58436E0E943C02D4DC2027C0B180C6CD5B8AFF0BB9CFE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:13.461{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8910BF2617851FA961C6B6BD6D4E3E,SHA256=876AF4A66269CF40AA0455F5630B369646ADB8FCF6EBB1D9058F4EF984AEB344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-msMD5=7FEBF15D5099DE3D0B33F7F94940D38B,SHA256=87475E3F52422AB5AC0F23F5A61C64B9D9D12E4E306099BCB5970E0E5EBA7DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-msMD5=E6C6DAB1EF72EE96ABA4610ACE4C0516,SHA256=FCF54CB498C39F3511B277B1FF9D467334C3CC8A2913CE1F4A04DE6703D1E08F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-msMD5=18D3AE7DC9171059361B6D448E69294E,SHA256=536903D535D5CAD8166645EBAF31EDCD7151BB4953BF95ADF02EE750FD936BB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-msMD5=4F710C6A4B22B8EAE3ED60CCB7FC76FB,SHA256=846C60ACD80D4DF1A495A0E1BC606271E31E985E832EBA3E2E4EEB731DF7B725,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-msMD5=8565CBEED189EBE6CAC5F055DA671D75,SHA256=DDD5BBCF6C83BF197CD169F3C2C64E4E957CF71F2E4A902BC4F2923D68C7E168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-msMD5=CE0C479D41B537C7FD68B93F2AF2D798,SHA256=3BFC6C3EB0AA92F4158277AB4DCF85DAB523F23E23C7E9F9F773162A9B8F3AFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-msMD5=539145BA2F576E89CD6ED6971DE9B4CA,SHA256=280006C64982D8C99B80C94B382C1393457BD17F96A25F8F6EDB6D938E8FB4D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-msMD5=A1AD4D7E4D4F993377C1B75B181E167E,SHA256=093312BAEA49DD75564194CB62DA94E00971672E4CAE5C70096BB4DB7CD8F3FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-msMD5=E3AE7EA224F2CD095B4B1B0342DB3240,SHA256=3EC2AD90EF2D79D0A6AFDA35D2B68E324F24C0614DD3C760412DBB1AE7741B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-msMD5=A96A93C5EF534EA677BCA0783E2FC896,SHA256=DA9719C2DA406CB6727CF70E82D3849BC3BECF21853F4DCDFCA5AD66927E0B35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.980{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-msMD5=F73CA803BF4853EDB95A8D5682650452,SHA256=36F3BAED031993BD930CE9096E529E3A0AA4FDE525F19852C5515905A794F9B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.979{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA6AEFAE81C15A6E00E0CE6985C2B49,SHA256=816E173526E4AC3C4E2777E7800A34F768392E86991180215E4BD51A77FF058C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.979{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-msMD5=680201D9E957E282332BB43074EEFBA2,SHA256=F9F0CEF72E6ED87A601EE6F556E55B6105989E630C434AB2D1ACBF8551094B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-msMD5=4B2D904468C11C34C72F9E470D7A438A,SHA256=F4CEDAD9D592E20EAD00E951335578CC4D730E70EF732D54AEC9C1A801A5BA12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.976{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-msMD5=18F1C4DA173FEFD39CDF808F287AAED9,SHA256=B9D83D973F057FA3274847D7973D4CDD1E3260DD26080D2E7CE7020A1ED12DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.975{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-msMD5=B4F1D6AF0A0721B8D88DD8870FBB99CA,SHA256=AB70217E2EB2D8C8D7EB114FFEF05B9FE3C3F1F849D362ED3B378B48833AC27D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.974{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-msMD5=29B0253CF3EA97C293DEA356384B1B79,SHA256=0EE7C999A3A627B874A475454CE847DCC0F5F4578C66C1936DEDC5E0E2B17CE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.973{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-msMD5=0CB6C726CEF322C59939F947F6759249,SHA256=5FF478B4E1D6ADA38BBF67F6409C0007D85FF3B99727E3024D109C4FD45B228B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.972{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-msMD5=D6183C9AF1B8A0B3BE3AFA4040C62DB6,SHA256=FF5163CFA97A2AC8CB1D980A32277E4383AA9AA294DB7C416396AE767428F58C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-msMD5=CD725D0611CDFC94D783789B18F2C540,SHA256=59DEB857EA089D83ED48058A0C1CCB868B66B02ED19A504D0FC7B2A3B32E602E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-msMD5=2C7361916B915FEC78E9D3EB70EA033A,SHA256=1F1BA453D2277B8689BECBB27936E86B6167498360CB09C8C38DBD1208ACC381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-msMD5=847228F8CC8B846054A95EB5938F1D40,SHA256=43E400B9146338CCF71FDC8297FF73F379571B9DA4B1B88768DFECE26E6648E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-msMD5=961F4B43879DE0F9D39AE5D3CC05E481,SHA256=8CD44F93DD91C91B1FD579943F754738B84B970910BD2634AC75A00A31826433,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-msMD5=62124B7BFF12593BA1B60924E0527412,SHA256=5E5B9702FFF29B69E8E34AFCA1E8C2A09507F7FA7D9F3A7EF2955A5B462C87F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-msMD5=5912AB4330FC5762D120F5CAB7EBC7C0,SHA256=96EFD2C8AB43F6DE7FB0F2D58C2BA7808B5C8F080E1C68E630799EFAADED6A01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-msMD5=A8B5FD142D7CD01230FC7D25D6DB731D,SHA256=C07FDA0EBBB9B99460B4FACF7173DCD14CF70E97B661BB40DF661C37E9AD2103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-msMD5=8BF11E1F4D840FE9F8EAF5AFADD034D4,SHA256=AF1424C063CDAFD833F1DEE3449851CFC469CA58978FDEF6660D535A4D1660D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-msMD5=3F0960BC2A918615A942100CA3FFE5A4,SHA256=5DBEE49A5E9EEA5437DAA152F48F9B1D1FAFB61A37F51145A4C26E0C896270AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.954{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-msMD5=3130AB41972BAF48DB81C76FE73DAC90,SHA256=AF3E9CC88FE1AA294B84FC183FF1AA3AA9D24FDABE15688133F321C62136CCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-msMD5=EDA67B29B5CCFBB17CF1FCE3E825C558,SHA256=47DAB92E9273529021E149586810A863773A1A25646E541F7D35C6E4496A2147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-msMD5=67916657AACC3AA088446223F5E1A7EF,SHA256=9C1F05362C192CF0022E1A90ABBDDA59C8D2D64E6529E4D71A461C6909315942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-msMD5=B7DB6376061B0C0535AE11009FBB7949,SHA256=52ED1599031B1FDBF94387068586C20EFD35FE7D096CC07AFDE00BEC9CFA47A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-msMD5=AAF60AFB64C515E1A35C530BD65212B0,SHA256=DBB43177E76AC7EAD7C797CF6D7918520A7903DA3E9FF685C45360C25F29F3F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-msMD5=D78FDB6488C2F43E864CEB6773EA24DC,SHA256=C2E2074732F2B0B45106EC48E0D870A615D57F607B6F2CFBD02B745E49E6058E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-msMD5=84C89E64B40E8EF1C41664779BD7BDAD,SHA256=6C7B95F310A78165584E18DE59A5A34CB686C603671DF5929071983F94F203B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-msMD5=87E31812589772C4AE7E553B36065F9A,SHA256=4B0EB30731A6E493B772014227DCB8AB8328A7E378A984F19DA5AF84C47365D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-msMD5=9057614833D0A4DFCF5173AD96FD6AAF,SHA256=72408ECAD1DD180BEBA45B1A8BB35D6E195666A31CCB51F16137075210A89E44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-msMD5=79775964BB77A08FB893D8A77AD881F2,SHA256=94504EEC2A0EE3C96376CBE030E0D4D4FE4D102C81DF2C5CAD9F47F849BC6C46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-msMD5=5921AEB0B1021B32583C2A3C48015B86,SHA256=4A59A57AC4275D1A8D01A6E849E9F29DBD759E9298B728AAA79FBC5B44FB2A60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-msMD5=B68C4F6B56B17339004335A53B284CA3,SHA256=B9A553AD1578A99BA5A3EAA81A566022800271352482C4C448DC28F6ECB2265E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-msMD5=988F486468D40AC6E578CD31EFBB7B4A,SHA256=B621468E3C2019E00251E3B95D12838F015D41E79723DECE0715FB28F68AE892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-msMD5=5B1645E46E668CE8592C3C6B1E7D678F,SHA256=4DFAEFB18024918AE4910A7D85C411B13B359E29E38E15C33219C50A8C8E8169,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-msMD5=119CB135D74115F4D4C79DE3111DAC39,SHA256=E078C9B985BE330F48FB76AB9C0DEF06713D269A24CB66432EA370AC999C88A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-msMD5=1C431D5C2DAF0DF4800DC75FD5E451EA,SHA256=F3190E7C39304FBA8C93AE6E4692BFA64A7DFA899E5247A93EA9D5F9A7E61F93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-msMD5=992D5A549B4D00E963F84E6410B7FB21,SHA256=A8389FB24A0054CBB915F6CD073298D44BE8FBA039F3120ED069CBA5168532FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-msMD5=20607EAED63877F71E78DC60CB5EE2A7,SHA256=701EA411719D6D186141217FB38C01FC541F068CFD89715220F411A2599E1E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-msMD5=6F0708EB6460A09787D6D05928F198F9,SHA256=CE5E8DDF6F5DD6766831B49888A21E972F8CB35E8D8D3A36FCB53823C48D1612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-msMD5=1CEB9536D490482C1C263259BD3B391A,SHA256=5940D36ECF6B61F19594E14767E78C1F52D371DBF4A9E6E6F3F41D029A006082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-msMD5=623AA072C1CBC90F765AEE4D2D06818E,SHA256=7D6327C83FBAE59A9DE411C94300279C09E75B4156C0A9E9FDBFBE8810BC1ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-msMD5=4D7342C6AFC6BBFB3EFAC698F8184FE7,SHA256=2178D5CAC432463012B813A77507D81A7E1FF3CFD4FAFD5B8AECE0FB764071E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-msMD5=46CCD93087EB092F5042A404967E3D58,SHA256=187484DEF3C10F47BB6C2FE381D80876F2528F6EFB32ACA2CD6C3C6F97FE850D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-msMD5=72C1D6C5A79674B262687EBEC5D832E8,SHA256=17637EF5A80A76B51E9F64CCB6F327F702975D12F429D198DC4628E22D73C6D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-msMD5=DFA5A6D11446A1BBE16FFE9E7462AA9E,SHA256=45D0641A16C9CF0CACBDC7CF5D762DB0F33D920AC6B8097914132A64E107237E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-msMD5=6F1EFEEDC9B4C0D91D85E907AE8936C8,SHA256=1D9D1351942EEDC55E88B4BF3FB55E07C18E00B420C9DA3F8A9D43B77B93A7AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-msMD5=0403BC5071DCAC36F5EC6D2DBBCBC2E6,SHA256=2BD7A91AF225BD3E0D101C287390E79B46E587E85C3E46A5010CF6EE460BB514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-msMD5=96C21446F0A9F55E1820835DAB38A367,SHA256=440473C3D448BFAA849B9D358358FE159041F64B98CC25AD8BE95B8422D5CA20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-msMD5=A87B708BE8EB23CADADE9AE20C683BFB,SHA256=D7B1E32FE516D86F42BE3E40DB8CE99CE780ED93B800E1649B4A67CC5A71AC08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-msMD5=A6DF5B707178521D839261B8073BB763,SHA256=E67102DCD37B1DB685679DD0141815CB9B93ECA89E98058E3688A6405A7F82A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-msMD5=B8FD251970648A32310FF9A9020C79A6,SHA256=16B41F40A46D9445B1323C0B0354D1613FF2D7D2016B0DE29D2D282C4E6D9228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-msMD5=FFCEF36C76A55711836F03AD704F215A,SHA256=6BC946A56CC92992AE38E3F8EEF20C0820CB7A7A16C29023AA84CC41FCBC1271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-msMD5=2BAB147B51DDBE99C97459E462934290,SHA256=6E0B3E7E8770F293EE2BF1ABD25884640EBDB5F97F7332817864EF843EB9A025,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-msMD5=213B03BEAA5E9433D8C644E50E8CF2ED,SHA256=9AB620A9261F92551579B7FC854EA4B8AEBC0EB98C57C5AFE86431D85AFB3B0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-msMD5=EFFC1191B73E920FC4F8D84DA15BC904,SHA256=DFE3FE7E50B3439732747F8D5961F316F5B15FE9B51A560D0A5A1C7E35B22339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-msMD5=BAEF56E65CE58A68BAC7D6D00778C33B,SHA256=D7C1E8EC2E4D99866A51E28E96AEAFBC583BF2D14D89DF610142A41050195399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-msMD5=73B4EF97FF4A16DF8A3E8A357F380928,SHA256=7B0115A6B87B216DCED56A59DF16E2DD13786D47F1D7378BAD8FDEC13EA552B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-msMD5=28C931BE96D2F59717A07D36FF81FF40,SHA256=4A31FE61D795E05E8746F2305355047D897D3A9D8F22D16FE28CDEA298B13773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-msMD5=C122F414A0BF64FCFFE52008661B1FBA,SHA256=AC7E665C59EB2735DDBFFCF246418609036EEC1B1C658739A6196D2A6BDBC9B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-msMD5=78AA58BCE00E618BAD93BED87849485D,SHA256=E2DA8A130B7A0E3A498331882709E6530A757062180F8254BD6E84979A43BAEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-msMD5=27948760A07BB0CF9B6618D9C283BED0,SHA256=E357B61C47A3A8419B9BDD085CBC5F8D1EC65C8862491E390F9ED095EEED1D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-msMD5=CAFF520D2DE34C3A527BAB38C34F4FBF,SHA256=7657FFD2593F19116FC51A130A42F79A8EA82D57E4F3E3ED7302EF3B0E62D41B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-msMD5=8C61D52650FCFA652FD4FF910B81EF44,SHA256=09D5BCDC14B20070AC7407485F0E86B5BFCDFFD7D9D99BB304710A9D0A0DED1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-msMD5=9AE3F3BA383C34DEC63B44218F996586,SHA256=A49099F0EBD46AE2CA52CC4E00ECA84AD4463A7E4D1EB77DC6636CD4C7E58FC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-msMD5=60FA07AD2DB286B95995537D3BBC22B6,SHA256=83BEDBFBD2231452E1995C0E950A37992E6D17F50A218D86992BE4F293CBDEF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-msMD5=750B58A25797179628A3E2A92EE28EA6,SHA256=D950DC7E9E8CAA478D0DE93BD53256CE8DC403BD1BC070CD0320D05332E809E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-msMD5=FAFE0D0ED40539B20CDF9621EB612961,SHA256=4526F4ECFBA826D625CAFEB3A6E6F68B1126A997F12597A191D7B7C085CD4ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-msMD5=D6BF9963591A0BEF66C201A0C978C077,SHA256=B82A7604591C218FB01271BE31FAE7CD36BFEB3E90E5E4C9267BE6DA58B2305B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-msMD5=A41F4D5B5B5C97B52E44BF9797E1A9A9,SHA256=3A73BDDD64CAF042F1ECAB81E48469D3D95C8E55A1C28FDC8E16D1A5405777BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-msMD5=942A6426038167E680E93EF855179517,SHA256=13A2C29832B087C1D696270B64B46317C7242ACBE135D03AAF03F56B717869EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-msMD5=5E8E6A8EAB8DD38746BF038850F05845,SHA256=84A3B2D18E196773A709BD85FBAE403D135D2564F79797CCAF4A582A51FBB251,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-msMD5=EFAEB6EC9A5A60CABF1C2157E8E3FB99,SHA256=F5D2A0890DF6BB1C13CFD46E9CD5482185D2F2C039FAFE74386A6FAA4BD464D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-msMD5=2710EBAEC6C6AB54B326115CFACF2DD4,SHA256=C89285A4690B25A6465BC8FD33284D44443C6CA32BC6108B8C9B4F924AA449FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-msMD5=99EC4EF7C7A20C78B4866589EF344227,SHA256=D92D52B9DDB752E8C56DADD55470D22BFF1C4C40FF3376355D1CDEA272049BA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-msMD5=4806C011955B3DBF827216D0B0C47134,SHA256=E7D19AC8936FF53F75E4616F42B4308B09DBB901D23387B4D857C8849231C8E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-msMD5=657663DEA9A4A0A19D6400CC2AD4BF34,SHA256=29128B3D8C1E391F4F6524CDB89D9B2D23CE84D2BB960A912D4DB5C349F49F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-msMD5=A23F02490946FB776404702A1FFF0DDE,SHA256=EF96EAABADFF8DB2FFF3CEF10CB455BEC1BF13E8647290302DCED308565A06C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-msMD5=0FF7EE0D61594B4ADF01DB246F720169,SHA256=213AC4210C902341D5F2A43B07C43C97AB83C1458239AEE327F83CA6ABBA4FA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-msMD5=406FC96A572BFEADA8F33B68CBB9B649,SHA256=828705D8344054A2441823FE44455376A1F7F8DF1E1CC0322AA77A7039D44F00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-msMD5=EB4E308A3D36377AFDDDDCEBECD93F64,SHA256=2767692DEF225064CE10F5E11E76AE98C6FFBFF73F82D19B230F252BDF716AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-msMD5=B9D5D9429B7C1DB6BD88307A3926D056,SHA256=7CB11EDCDD604E5F629E3D0985C6602029B97213ABEB4B33E8E4043A1650C8BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-msMD5=E7792BB729C7C398D559B87196BA6F12,SHA256=2F6D32F9D424D717DFCF2B1C4F9AEE96D037CE9D4D54C6D173ED37657B9FD959,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-msMD5=20C13DD3B10B3C0D915E6B0F2B055D0C,SHA256=07217A05C59F7DB339E5521DF5B4D623799FA0531A93C638D5024EBBE0EFD9C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-msMD5=4A829EC48882D8D6457A41A886E90AD2,SHA256=889ECD0CF3F6E81B2BAE3FE8F8CA1EBDD3DA10F90EB549D58EDBC8D9FAFD49BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-msMD5=F21F588648F788BFBEF2571F006D7064,SHA256=13CEF34760A53C1C45A241E84099F9EBDE59CECC304CA0A6185A85E03E34EF22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-msMD5=4185F3FD0F464581167A4A87F6F116AC,SHA256=EFD35982D89A6A48133710DF22E9795FC78B4D097436B1D073683C41F379BBD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-msMD5=F64177BF4CDCC7B3AD5430A19E6A10FA,SHA256=CAA2A501128666E2B533FDBAB36AB5DA768E0FAFA875FE59AE65E414B0CA699E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-msMD5=B8BD01F625F84D385789540AAC6BE1AD,SHA256=C6F9706CF20C861C447DD4C545BFDE6DBAB4F525FE77B705D9CECDFB46618F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-msMD5=2BB1F6B18877F6ECD9A8A342670942DC,SHA256=D06036F67554D0A0708945EAC963B3BF516240223B443FCDCDC56F8717DC908B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-msMD5=2527F07D5564D8C837FEB77EFE4CCD39,SHA256=43B7C1BEB31D9E871FD8DF25A5E2EE1EB3D864DC4DF4C77CEC91B5E88E9272B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-msMD5=EA407CDDB84FB1DE2113BB69E049FE42,SHA256=B6CE19B187F22E134EB6BFA25B32645B34F8785E92C3D57401F0848DBB99C2DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-msMD5=93F181235FEDCF582C57385A602829EE,SHA256=88788C679CABDE4EC8DEE0F90536F797F37F63071AE871DCAE7526598B2F4C64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-msMD5=B24AA7AA6144B71F0E0702ACDCB3F31B,SHA256=4DAB8A3EE36CC858FBD3FE895AFD299B5B3D8315A843546499A473BC536D6D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-msMD5=59DAE250F5686BB6E6915DA0063E84B7,SHA256=C0A63EA044CABADE8B5BBF078399F7305A487C43FD0F78E21560D7B04BBB4953,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A1FC21A2B3D3A61E6A88D52A765C89,SHA256=E5E0D857863806F2630FD4D707F7F28CB0F7440B3B0458E97F4C8B36DC214BCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-msMD5=50A7578B371BFE3D8EA8DAEFE621231A,SHA256=692CD5BA5880BCD763FDE3EB3ECE439E3CC07251695ECAE01BD192C691CE8193,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-msMD5=F62CA71157E9D69CBBE5E46238B005A3,SHA256=94AD7CAF5CA15D053DEDDA539463202720290AE6F3715D8124DAAB27ACD258EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-msMD5=1429E4005405CDB9A6E2543800D61014,SHA256=66F2FE1E92D5E53BB5F911E532CCEE8C416A6E239F119CF26F783D7298A5DECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-msMD5=E781E2AB8777B16436CE1E14F3B6E59B,SHA256=7F52103A4FA83F9838814600E34D9E86B32213533A6FAC741297D6923142F51C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.844{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-msMD5=A806389A52235192DE167C94B3787F86,SHA256=B6DF19AB78DD6B3FC5883A66A8C6B0D07E9547A53338DE0BAF179E9B80EDA5CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-msMD5=413816F3B38DE0293AA5AE66AA2FA23D,SHA256=1DC00769C59464CA63861EBE89F39DA23BF99309A3B8F0F6746F0820D0BA9E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-msMD5=232FDFB69D570F216008965CDA6A7C05,SHA256=B80B8D5CEF567C88F1FCB09B9A4C59326C5D85C93398D62DA8C399B944957DA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-msMD5=B05904DC6621E01274D5AD73007FB574,SHA256=CFF69E72B8B67FA1FF0B9D781FE27400BC1DC1833729EF2216AF2565352E7ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-msMD5=01006D60DB403E5952F71BDBD20B8B81,SHA256=E1CB290DD85E9A8F00EF2CA2A6E8A0B9EFB9231777EA233C8210DEF49C5D84B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-msMD5=C8DE733A4387493B77B09D5FDAFD971C,SHA256=E86A81F576979B3747BF3464B73207C740943B006346F27D733D3AE9E10C1233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-msMD5=0B178E73A3A86C821DD91EED42F35280,SHA256=28A503EC3167F67DB8AAF2F71D51B4168B8E9DBD2CE7358893D0624D474DFF65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-msMD5=6DB50973832C9C4C40A6C0A527CB9F4B,SHA256=4261AB07137B0C40650978193A5E3730107EB9DF9C81B3E86316057ECE3523DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-msMD5=9451914C289903EE4EF58E542002DF49,SHA256=A734F0E41826499F5E35E30BB0F6E49813DEB409C2EE8DD2FDA182C4FF82B4A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-msMD5=331C613A01DB0A4BBE077AF6A5B98428,SHA256=E138E333B07CB427A3022C6B9C5FC43B8D3662606A424D816C9C6E16C63D28CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-msMD5=9F001BFA6B364D4FF35682F07729DA65,SHA256=13AA2A068375102E81D4EED79FC3E0344491928CF9F796FED0D0F573C6DC0470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-msMD5=A101DBD2FBAC210563CDB3969ED450C4,SHA256=0A1D690909046C8DF64DA9222FDA5A00B04FEB1109F3E03F576E5355363E1F7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremR_Grace-ppd.xrm-msMD5=DBB0E28FA68374A1598E311B65EEBF83,SHA256=5D78EB79D01A30A44098DEC250493AF973484E0F838B226C0197BA7C93EAF62B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-msMD5=BB99ED2405315EFD5E8A4763937F5855,SHA256=59A0C2BF4DECD33D623BE798FC7330D71C30BBBC367385A598F442E6E4497A4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-msMD5=98320181F41AFB7975D75AE0BCD5715C,SHA256=0BA9477566A32EBA1B1E3E73375C04EC80740A9B6CAB95DC7FD08F94D60999C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-msMD5=676153573AE3F029C66050302C0772EF,SHA256=66BA5540DF26C9ADD03647724EC494E7CF075C8CF3D646A01413158AAFE50A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-msMD5=5B7AB0BCD8B19A325F3FB71DD4F0B0CD,SHA256=E801CADE552AAA4CD232A9044D70734529E53AC2BF34EFFDC43ADA89F523CAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-msMD5=D3EF44F886DA16657A27BD4A8CF3AD02,SHA256=A990617A2E301CD6983142A06FDDA9EE8F1CE06ED605A1E1BF2A562A1EDA636A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-msMD5=54FDFED6086424AD0C4859AC419D7337,SHA256=98D622D8F1A2FEB2295664B4507E373602F9E0B19BBC60D3C4010CD3987D97AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-msMD5=EBE0F34A6AF9ED16E1D1DD13378BB694,SHA256=D58A2C0F8D6E509FA2267B25D2420E5C8D9AAA73BBBEA1B4845CCA193094B245,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-msMD5=63A18A3B072376951CBEA8FF2E3628AA,SHA256=E381C9AF9A9384F4655F6EDFFF20A979F828E2D467A43958C236BC26A9120330,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-msMD5=D20A4F7ADD93CA45A114F68AA25B3616,SHA256=70AA516DAA3BD7B25EDCD822158560EED1789072A7D02423D0AD868F14DA3ABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-msMD5=759D6D8B62EC881A4FC4A07897198BFC,SHA256=9B2B2556A30B234B67C9DEA30D79BAA95F458939F2F7324F4AC3C69022051785,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-msMD5=9BEDDE8871E2B1B73BA1D4C47366FAF8,SHA256=7A33DC90BAA43CF510DB7C5FF44AC86D3552FE402E093F1BD4E725E9AE8D30F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-msMD5=876988C5EB540591A965DB9EAAD0A1EB,SHA256=8A41655DD1A400E7278F6889A5D68F9849FDC45D1DB944C22DC1EA72ECA8D7F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-msMD5=C129A7C34B6E29AFD43A5CA260BAEA54,SHA256=B8D14134094D332366E132C3123C6B4FE7393A55F3B8FABB561D18E4CBB70F6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-msMD5=EBE74E49A77A78923B4C48727C27CE57,SHA256=C6DAD5A964EA73AE78BC631287DB45206C451BFE712145EA6DA23A7297461C07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-msMD5=F1851712BF82B452CB588B70D1470E58,SHA256=9A91B4B454394A42415EFB5DE586851443FF99A06EFD2FA50AC12E32B93C35B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_SubTest-pl.xrm-msMD5=C2CCB6E005410788DD63A2E77ED34845,SHA256=20189719852E93552FB585C0B21FC64A1AA3843AA501F6CA58307CB2408B3D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-msMD5=802BAC66DAEE18A609D983FBC6590FC0,SHA256=5407C942D03F71AF04D24917CB30026D694557019411270B590169EFB859F215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-msMD5=5391C7D5A1A51581CDF1C9487F22E202,SHA256=D1D7E6AF2727BA8CC44D8783AAD61C8E97143C6E52538B35AC4C7D3043F8DA6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_Subscription-pl.xrm-msMD5=29D9A11E4FC24FE7F9A0BE12419F88D1,SHA256=54B2D6AE23A89185DA72ACC38A72DE5B17C75A793E69C75D57615E19A4B8D670,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-msMD5=39310247BB55973BFF4F7DF1EC4F3BB7,SHA256=6820C037279185C57BB18C9790739E904D44368A463BF9F5AE368C471F501588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessR_Grace-ppd.xrm-msMD5=6507DB947DC467198447E9D7B0DFCAAE,SHA256=9FD8E631D6370DFB6D39DC386891A630753C40750F09A98614309954E2704B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-msMD5=6533FFB353AA5450B856CA5027FF24DB,SHA256=C3E1B651842497F6ADC2D2D6BDC88C29DFAC71C52375A48DE5A493C9F211F805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-msMD5=6649B462A39A917A0D092D105BC43B33,SHA256=567FC93EB4231054680F3A52D0F76624D929177F29BF00D9DEF4E0AB6EB71AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_MAK-ul-phn.xrm-msMD5=9110F9ECB8541C58789D56C82EBDBC1D,SHA256=B03D1A231961A6F6F5E91075645471B9C76C7A29B02D74329F300A468C2F53F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_MAK-ul-oob.xrm-msMD5=E73D2B52F571A62BB7E453BF9C03CEA6,SHA256=A2A80B58ECE5722CA66B1086F2ACFEC04EE5ECB58DE4322375CF18EFB5FAB72E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_MAK-ppd.xrm-msMD5=EA0B1CC33D084A3C3AB18B38100FB938,SHA256=B97432076CD55E686758D3D6E11443AA2B0184106B1CE8D4C1FC445FCF9C136C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_MAK-pl.xrm-msMD5=1C9DB5E0426293B2265C0828EB76367E,SHA256=427F4431ABF10B90DD8AB64A550AF602F61CDF3F3FBC90AD369BEC4C5532BB16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_KMS_Client-ul.xrm-msMD5=D62A1EB6EE88C923006E4175041FD3EF,SHA256=F24BF29DF996A92B8211ADC9B4C03A770AA1810D6EDB187C76A4315142F6494B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-msMD5=AF15E4C30FD30D6D866DE676D16FFA96,SHA256=34ECA581D72502973190E77650B6617663AFEA96D89C345D7DD9FEF4B294A37F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-msMD5=26598B2EF4300456C9ACD369917A80DE,SHA256=18FE6B93E597EA9EF46F8F15788B9BA777FFCCA253F0A78768BDE5260E3E8311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-msMD5=B7BE3D69EAEC0F06662634B8F456342D,SHA256=77BAAF2A39C87DD9B959A39379BE375FAD80A21E6403EBC25611D72713E0EEF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-msMD5=ED0045DD597610F2DC88B5EDFA917639,SHA256=EA194D4F77E50E8706F84ED58352EBAE7BAB584842FED873CE92B2E265E6FECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Trial-ul-oob.xrm-msMD5=D7F5DA637640071B33066F85BDC1A71E,SHA256=F71CD36AC889E593EDEFDB5B07276A4D8FBD37B3F62AA2BAF9A5B7DB20447DED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Trial-ppd.xrm-msMD5=307F9151DCBE0C3D10CB01BA837267D8,SHA256=A91D31B0494524A5F9AD3B868E9E988E8397DBD50775BCA31F7E12962CAFE250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Trial-pl.xrm-msMD5=A45D73F3104F4274EEB49D7D4FD7510E,SHA256=AD836EE9A57879D7EEE362AC310A0DC9A809F238403C0ADB74EEB4F4F5421C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-msMD5=C66B9D75A7678948492B189E3ADCB353,SHA256=570C5294D3EF3B25B0AE955C38212A7C610FB345DE73B02538840C50A6B338BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial2-ppd.xrm-msMD5=3480AD30DF3399A10064E416A3DB020C,SHA256=DB7ACB7DD1D2C02CA32E2DFFCD6EE1C028B63E9A91B655DAC9F7BEAAEEC2D8F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial2-pl.xrm-msMD5=1A2B3AA7E787F1680F500A5940C28CD1,SHA256=A56F3A4DA5FE44208513BF6858FC3DB033B8D0098028E6D6BE64BB934F820C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-msMD5=646A824F3F2989FC44C53DA274CBED0F,SHA256=042A8D312DD6C426233678CC19B2395293ECF8145F5F9A9A607F4646ECA60A9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial-ppd.xrm-msMD5=48D811A2FB7186C3A3B34248DE07336D,SHA256=4EF7DE8B68382993F68BF79B411FD1C98206550F7F6B990EA1ED68CBA8090D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTrial-pl.xrm-msMD5=35626272A3083E00FD8CCB1C9F564ADD,SHA256=7B6C5944FDA8F8AF08063885BE9571782466A1EF29B1C29BB232A4914503ECBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-msMD5=1ADC76F8E3C5B91AB2745B33146FD7FD,SHA256=27E17D87A6552DCC51A90AA282E76BE7F9F1972EB606DB89A8B4644E293A2AE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest2-ppd.xrm-msMD5=5B498CF9721B6A7488BAF194B34107D6,SHA256=906C10CA9B058018C97974098E02FE4A7E90AFE61E24DDA3869A2AFE697132E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest2-pl.xrm-msMD5=43D594056D00B94C40F57F0EC418D326,SHA256=BC399A8DB71311C5A9754158F2B3DD165FCC6AA30D0CCF1C61AE71A9502F0418,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest-ul-oob.xrm-msMD5=DEB3E0BF1E4D1DBBD3C0412FABF49B8F,SHA256=13C9B37A6CE7E04ACC6384D0FCDCDABDB5DA9FD272F62289EFC6062C1F5CC90F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest-ppd.xrm-msMD5=3E5B74B23B2DA0C1CC3C31B9E96BAD14,SHA256=653D7E3994546EF76311E54FCC26D918623F1A75D7297F2EFEBC01DCBD58CF0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_SubTest-pl.xrm-msMD5=6448963905E1CD89440904A5DCA24CA9,SHA256=949BA790E058AB1265DF85F69A26BD7109A1E62C07DD27B58D251767B5E96256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-msMD5=95688263991A62A41443697F42F3A655,SHA256=925902EA438D83809949BD72534BD195940A08370F42D30AA7839E4AAC53F510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription2-ppd.xrm-msMD5=25ECF1D9AA75E4EC1E617461046714D3,SHA256=49008A62E65451855694D94D0F2CB4128BEB2566B4523D05F6CF0BCAD78C3E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription2-pl.xrm-msMD5=346FB22AD8CA1385874BC122E557B830,SHA256=ED29ACFF70B5D0F83266C756900B214D77A96E7EEC9EE62720EA7D2F13632BC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription-ul-oob.xrm-msMD5=BE45B168DD13F9952847DE1989F3E0B2,SHA256=A807378CE2CAA46CDB51375200934C9008D0006B91762409BD7D9F5537AF46A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription-ppd.xrm-msMD5=D760FB2C5C64235B81FEABB9657FAA19,SHA256=51F3BC87C856A29D0C05DE8306F54535E7D63B9A34133517A9A933D6AE8AE0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Subscription-pl.xrm-msMD5=89DA36DEF33901DF2B38737B8E55C040,SHA256=480B9C1C9934E11FD2CA2841B5A68929476F2DC12933087D87FF582FEF9AF1A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Retail-ul-phn.xrm-msMD5=3176F53AD507B35605E2DA1696D97E4B,SHA256=C36594C7E8AF3B79B4C3C1D714F0ECE473F86BF98F08BE4EB75F406C9102C7F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Retail-ul-oob.xrm-msMD5=C78D31D029461737894972A115D58737,SHA256=0F1928497EC54349E7EB85AA5663B158B03E1725A39F863D331376746C634928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Retail-ppd.xrm-msMD5=E4BA75EA7A315E5561C806E3F6304D4E,SHA256=0A7A5B01C1C790163B886E60349FD7B01BD45069A1ADF9B3D0E71A046C7485CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Retail-pl.xrm-msMD5=24F7169A5B557C7C71BE18F08E8D5107,SHA256=9CE0E8CAECDE90B727806AE7AA49F25EDA36A16C0145E703CC91876733408E0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-msMD5=996AF91BA4853850043E98A523135B0F,SHA256=9B95610FF6E61D0A47179C825E7BE82DAB0F19D02BDD50B409382629D780EF45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-msMD5=F504F11158D6111A8B01AC1ED74B4E30,SHA256=E67455162DE2B079C3C3D41005275C8C9B3E72A4CD1D36FDD23F61C938A2022C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-msMD5=AF534B9DA757776A2D5A8C6D0E7DAA36,SHA256=C02C9B9AC3DDC116F5A0462A57CDCC5FF9A78E4F7B612419C55050CBFA7CA29E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_OEM_Perp-pl.xrm-msMD5=F2625EDC379B709AB1E18E1A18DBE2AD,SHA256=4B9B3970EF53BA365DD5D6D719688F2AF3CEFB978B24C2FA1AA83A204BFF8E37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-msMD5=8141DC03BC75AF43159B462C1E8D8B23,SHA256=F30F05B723EF469DF4205E2AB26CA23D410F07995E661AE5FF9A8559958504AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-msMD5=9AA83F93BF16E4DD2DF69637B503832B,SHA256=A0C6144632C6A5C2B162AD7B571B630BF59AFDFDD3BD5AD91DD38E11BA44214F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-msMD5=23A690F0016273C1D7B7171675F52442,SHA256=D20784D8914103FB112D9AA9A6FB0D1D71874630DBDED69E8710006C45696872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-msMD5=2B7F23C093C9454ABC21C17D440170A0,SHA256=0F7643E5C8A5140330CB348AD651D5C11C1E45CB3979F6D9980C0E1770F1F2A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-msMD5=D8D2AEF6390F0A5D2BD9AD2A5F3365D2,SHA256=7741A133844919FE18617EB6D66C2A1378D18865B70D663EE910E2F90E605C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-msMD5=F4000D5A4D7AEC58CC988F4A0BBA71F2,SHA256=7B7CEAB2A2F1BDF14C4EB8D64EC64E4961424ECE2701EBC51C217331CFDBA22F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_KMS_Automation-ul.xrm-msMD5=36F8E02D68DFFFD2DE15CB48AC02AEB7,SHA256=B71C1909B06AE72FB7F985790D4336FF9D285F7F737A498BE900978E7AD98AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-msMD5=10DB3614C9F63552727FD7FEA6F20190,SHA256=F1914E8027FB0E8053B74EA9DED44F505178155E4EDDB386583DEB77B15DA33C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-msMD5=218198A5A8F6375FCBCDC2E1634E5F8A,SHA256=30B32FBC871105B3D637CBA87FD4AFB2D0A50A338798264743C6321D3DB74531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Grace-ul-oob.xrm-msMD5=A495AE8167C20FA9103DD507E7CFA07E,SHA256=168A7086F0CA7E3AFF1250E96BAB7FF9F045135E66E4A37AF4329D019CFB4474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_Grace-ppd.xrm-msMD5=240B20F3CEAA342238CDA3902677407A,SHA256=E3EB9FDBB51FA40CBB3BA7D197DBFB4F580823B24EF9DDB984B226304311B7B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-msMD5=C0143353198AFFB880C382EE1D2F5E09,SHA256=72E194974E78ADA70EEE59D9A9127EB76A0D815F12BC942EFED6C2F2FA5E6B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-msMD5=4B5AE87B666CC5C5FBEAF7B351968F64,SHA256=3216F733A190414A14056DF43F2B3975C7BC4248DEC6249E4940A1C4888CA73A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-msMD5=6DAE4F3DDF8556A08BC62B082B2E79DF,SHA256=C64A0E5D2C4F893C8FB14E595498822D6D352462A1100529E9356973B22A3D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-msMD5=BD961794FAD81206C545C0596FF2F45A,SHA256=28FF41FB0A991F0879FDCEE7C694380D386EBE7591DDBE73ED567879278C8571,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-msMD5=D6977E959D35964050147549E3E086E8,SHA256=D753E857CBD3CF4B524B749438FEA88D3C77B7C7339DFE68CA83FCBB2AEE2CCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-msMD5=5A8B269A066C9ED4C6266DAD3DEEE43B,SHA256=EA61B33AE85641B8C33C61B6D6E9379F9E00F7BAA15BA68270CC1C394EB5A350,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-msMD5=7CDBF7405F6C13BC42627B0970465A97,SHA256=9C3293C3849C3AAEF4823FD42E0BE9F2BFA714F2AD658BC2790165720813B016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-msMD5=8669FA2B3736D0FF1EECD485F094C9D2,SHA256=1DE84F73F398F136CCD1539B7DFEFB70BA66FADF34324B1EC211661B6495FDD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-msMD5=796CB05C1EED708BE398255CA78FDCD1,SHA256=A1364275A51BC4C2BC5A08EBA7AA2F3DBF4358384CDC0B3398FA6C22F808C102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-msMD5=87AAE9C0AEFF35020B852508A9572063,SHA256=D274DA53B7BDF96E718CD3C90CA42EBFD0751FBFCFEF744C262045477EEC429C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-msMD5=26941DA43CE10ED07F27EFEDF2835775,SHA256=5772BB737FDF8CD2E5FFA09EC17F2E99BFE805FAF2A75CEFB8AF7337746C8509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-msMD5=14C9C5D27616B4AB65BF78D4DAC8E50B,SHA256=5C64773B41A30E0ACCBF0501AFD35DA81B843EB79CD8FB3FB942AD2BA4F84A65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-msMD5=CDAEF2117AEBD704253065C0CCF4D03A,SHA256=FFD47A37CF46351C53EB40B01E48C039993A787546D270EFBE397C00612C4DE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-msMD5=A9F58213AB9AE1A194B1B9457AE104FB,SHA256=75920107483067565886B696619A919151036A60F1A7AF1DFB5F07B6C8323412,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-msMD5=AD23090DCBA7A8EA0D9EC19DB7BE909C,SHA256=18D716AC870BB1EBA3ADFF65BA8E0E79AE2AD9114BA15909813F62559ACC519D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-msMD5=04A2A02A44163E57830DE5959CDD68EF,SHA256=0F54CEE8C5143D4590EA41AAA827B590BC156415F5C4A6B489F95B6DAF3A46F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-msMD5=18AB30393F78A23A5FBBC8DB9AD28A80,SHA256=2AFD60E2863262FEA3AF9DCA00931C2637A8B7C87674170638176561991824AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial2-pl.xrm-msMD5=1CBD7565132EC9A12EEB06A7B538F5EC,SHA256=72EC5E4283F60757FB95FB815A895FDDE0D818DFF393F9D66B5D47CF4F6938FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-msMD5=BCD03372E4E7B062CE149818CABB2E66,SHA256=1AB0DFE92A3224547EDC2AF6BAC845C7CB48D444FAD83D9D213F28E7EE531D40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial-ppd.xrm-msMD5=1069932C017F2D76E5F7A01B0BE0AC8B,SHA256=2BC5D67A9D738402E18E7264DEE1D53A1D995AFEFC0206A63154FA457B11240C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Trial-pl.xrm-msMD5=3524E23E577C4165BD9F820284014529,SHA256=AABECF597E2D3C9164DFED8FF6F5E2F5E4E1EF3F7BB6F9172D4C0B5C7A7C3DE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-msMD5=A3AFD6F463BE8FE25F026BA1B6650F36,SHA256=8E64648B9DBF60AE4C97BE00EE06F8DF82E9C597685C507EEAA61BED4D148B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-msMD5=B4A55FCDE53876276E477A82EEB4B0A8,SHA256=3F0B6ABFBEFCE8059F85ADE64FDBC1DCB4A5D9C5465DD12868BA121AEF447CA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Retail-ppd.xrm-msMD5=F24E5AF837BA10E16C8D29F7AF819EAE,SHA256=D3BCEE7C10F6E36A41562F0D28E3BA6F27C7905666C418AF6F91C56ABF4B5846,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Retail-pl.xrm-msMD5=5D1470E417846422707B1DF52140F902,SHA256=BA4AA6DC617634327333C94BCDD476467101ACACD49B573C6882F7142777A478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAD13BDF84661991E276DD00CB4596F,SHA256=EC48314237D15893EC6395653F2A1E3B9E5631FC10A4C301579A3C9AD5428B18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-msMD5=8F9CBECB98C8115233983453CA4C3644,SHA256=C758E6D97085AD00C352BE97410A845D4ED96F7BC77058FC1FF558315FB01932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-msMD5=176A1F606E6CAF78693EA810879E9D3C,SHA256=9E73EFD36A0E8BD6A891A774E73EA3322458A7C9DBB855B7CA836CC34B4D6677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-msMD5=0AAA6E8A98A011EE3A388F5046EDE8AA,SHA256=3189DD1575756AB86F0D2CC7C843BC36D2B4FE8632674EB68A8BF186CF3B8359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-msMD5=D8FE11FCBB2062FB1FFFED37DFDC0DE0,SHA256=A374D65523A1AB61E51F3E79AD2C8EAA66287558E45467C2FCAFE0A0FDBEFE8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-msMD5=E1741CEB065136081DE7C06ED9E3DC2D,SHA256=27CBA692F2A9A65A85FA39473A2327CE2E2804A0F39015FAE3872E265E935A79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentR_Grace-ppd.xrm-msMD5=8056434657DA0220D251B9B21B69DAC1,SHA256=E93F6B91F8C754DE64D32C3F9BA9F89A39DAB5D9F2013EFAFD38EA760C0DAD8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-msMD5=DAF2E682B4C5AD487242BCE608A10FB0,SHA256=7806B52F7572BDBF5946D712AB4891F091FE3C784347B919C767D7CD10F1AB87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-msMD5=81643E399BA3970EE10139679FD5ED99,SHA256=5A6A41D4003227F9C4B7BCEC6AF36503BF26E37A2779B13EF9E2E9A343EE59F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial2-ul-oob.xrm-msMD5=11A7BF1D1E010ADCDC20A4C2161D7072,SHA256=660A27A88DDDAC373722C8CA72B24055035063D62089A10CB3A1F73E48BA5D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial2-ppd.xrm-msMD5=96783A7782EEEB2CEC6491FCFF69CBBA,SHA256=F68FF88A076C8651614A17E454B338ABFD06D75218137E62C0D3E34FEE46AAB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial2-pl.xrm-msMD5=04A9489ED9D989834289ED98048A05CE,SHA256=C249F76699F52A3854CEF960D3CB8F1ADB1C0057EBD76DE6B20FD0D67A7E0BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial1-ul-oob.xrm-msMD5=D379AB6C057F224DC00C971CE84AF6B5,SHA256=E9796F7DF95A5E86CD78E91A8A08919174E93D0E42F6F1C128EA427FB5BFC94A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial1-ppd.xrm-msMD5=A8D15E5A421EEC645F599DC3CC25B91C,SHA256=31EAD8344E6FD5C2C01928AD7C8A1A4FB756733BB6D268221E73A8308D6FE0D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Trial1-pl.xrm-msMD5=C61F5AA5DF10A3242C8BD7CCBCB73B94,SHA256=DF08BA9F3366CFC0C5CC780A28BA87F915F9F7A8DD565CC3ABF944074F365AD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTrial-ul-oob.xrm-msMD5=990CCFEC1AAC7FD60DACA5B7540DFD46,SHA256=E490B36172E16FFF34E7A0E4622B554B1B6C254A54F9CA6FA81AC85F2D2508BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTrial-ppd.xrm-msMD5=FE06E4D02D2F5C97097A4BBD5DDBD8BD,SHA256=41E72AD56873608F4B8C0D1EFE655828B33639CDB29A97929964F66A029E2923,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTrial-pl.xrm-msMD5=641DCAF8EF46F154314AB999BBC9B0CC,SHA256=C73C4F3D0452D7C2115256FF3A70342EC1E6188BD44FD06BC380D82503FAA333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTest-ul-oob.xrm-msMD5=EFB20480F4FEF653577285C859BE36FD,SHA256=410318F6D91EEF25FCEEE5338789B3DDB1AF1BA1A48A9838E32946F99CA7156B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTest-ppd.xrm-msMD5=FA3B455F70A7B24E0289C51579B177C3,SHA256=10D38A2BB536CF98E3BABBAF61883DA49720C69FB61AB47C7AC48240867DB497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_SubTest-pl.xrm-msMD5=45473D5659712A054D2CF70A6D4DCE23,SHA256=CF0F5FC06DBA299E948E14F61FE5FFDA0CF0588E7F3377CA0758677680009322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Subscription-ul-oob.xrm-msMD5=3AE8B11439FD98D99691599CE0C10C68,SHA256=83E69663A19C36C9BB5BBB5ABC7FFCD361F6C71237C959A9BC4293466DCAA90C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Subscription-ppd.xrm-msMD5=F769CF69CB4A028F7C2E28E375B0A4B7,SHA256=DCABE1EF7B36C297AD60F6FFAFE66122E394B6D63C0FC2EE2AB7B0033356E194,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Subscription-pl.xrm-msMD5=DDB4B0D976C3928BA5D4B1109B46B9F9,SHA256=50F0405744C4CEF0587B079D6B2E6F5734C806D7170F073D4C75D5A33AA3BD9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Retail-ul-phn.xrm-msMD5=D3F927D594010EE44F694938A0EB14D8,SHA256=6044D9442C8D1177BEE114E05A1284416F61E68F5CAA837D439787718277D061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Retail-ul-oob.xrm-msMD5=CEC4B84C0927B4471BCDBCD0D488941F,SHA256=7B9C80084697482BD122404FBB560FD6497B1977C1FBA6694785F6C1A8F4702A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Retail-ppd.xrm-msMD5=CC99CC1F54911D26E44832F26F6C7228,SHA256=2CE1C2803F7C806D40713D8CA56D677B160AABFBACF0F5A7FC24962BC4A64081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Retail-pl.xrm-msMD5=23D6B7106C406E163231620EF67843F3,SHA256=1132B9DD50BC90C8F3F7529AA1C6F10D797D22D64A76EE25772AE50A7A5A96A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_OEM_Perp-ul-phn.xrm-msMD5=BDF061744B865552B1B355544C74845D,SHA256=0F9646CE2129D3412C2692D0B8D8210CF10AA5D6DF93668BF7E1D818F85C3E74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_OEM_Perp-ul-oob.xrm-msMD5=C27AC158BA07B37BF4F0F54AC78A7E12,SHA256=D012CAD97548E22A91E21296CBCC5541AA044EFD188FE6B8A6C95C6D4A1FEEFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_OEM_Perp-ppd.xrm-msMD5=9D2D32BE99F22C532640D5E9BFA2459E,SHA256=C2DBFB983189E8D71E66C5136F30C74E93C86FC0CFB2E79ADFDDCA22D46602A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_OEM_Perp-pl.xrm-msMD5=75D0DCC903253A3E59DF93FA5F414DC6,SHA256=6E89B4213430173CF38350DF0AA3E223C13163B862A15091988362E56A5FEAA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Grace-ul-oob.xrm-msMD5=B625DB1DBDC5A708A5FEEAB8F95785E7,SHA256=E8B6251817C43C4DA307CA4B193FF01F61028359FC7D26EB4CB603E96751DD4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021R_Grace-ppd.xrm-msMD5=C68B1D9C126FEC82D874F4264AC7E6D1,SHA256=73F868BE146AFF1D7529EBB95489007A01FCD71B3E28F2CF08A39479CE3561C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=CAD72998A10DD7F6CF9311EB3E279B32,SHA256=C9E7171FE65E0099BBF8F99C714B5B6A580BA86F7ED983FC1FD3228776EA5452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2021DemoR_BypassTrial180-ppd.xrm-msMD5=126D1DED463FD9C488E8E050CB397ABB,SHA256=9DC4CECE07575EE36CCCAA00EAC68604195DB4D1C4AC5804268BD0466E5C1D54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-msMD5=D7DC159221A17A0FD8159B5252817F41,SHA256=A29D4C9D0B367EF5E77CCB9C5EBC9D37B3476EDEE136E24EA32CA0BBE55B2247,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-msMD5=602D2605A9EF16494FE4D4E9F4F4D5CD,SHA256=493151787758B9B39B1F99E98F06784BBD7DC1EE0A269C1AA768E7C7ED487434,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-msMD5=D875BAA1F6F5F51A77D56EDE4123E520,SHA256=D316BBEC0A2144EC25BE709EB55D3FCF4EA9AF15A0A994276A5022133840EE0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-msMD5=9B5C69B67785309A122E8BD323AAEF2B,SHA256=639C31D968975A8C76B6A5FEC09D8D6827B1A3C9B09BECDFB23D90374BACE1ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-msMD5=3907F3FC44270D5F62634785DCABA2E2,SHA256=D194E1CD15E40B5B0DF9456714B2A38FF7821E2577695184F9F63F415997FC54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-msMD5=FDE6934C447AF32DDA83E8B85DFAC1CC,SHA256=6EB4C8641DA7EA309C2DB1A8B8D67E4F62E4D30631C03B221F68E91A845F7FB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-msMD5=7C3877977D7A8CAC1460AB95498F3440,SHA256=DE73CB380FEF313C0191519B2B28263A32D4AD5F672F8F43D3EECE835218A99B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-msMD5=8469F955B8F8A242517AB02F8D6EA6AD,SHA256=375B04C45B1CF4CC7428FF560A723FE8D885406F3FB1DADCF641ADE9D6BE3B94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-msMD5=D53601FF008DCF10DFD8D7CDC7AA0196,SHA256=F89B1DD0C4B1A0C4BE79D49C17C07392156B62738DC3C4B8F1B10335FAD4E403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-msMD5=0BD78DA91395774BFCFC57B638BE7B1B,SHA256=B300CD25F05CE8B797AD2B4F5058F902C9A71225FA9A2BA21CBDF3BB8099BB82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-msMD5=F31AA6CD5E67AED003A5CA0011031C8D,SHA256=A3E792198AFD4E0EFA15970D2A98D29C2E2FE907BC8132D688EF560BFA200EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-msMD5=27E85E87D2117D670FFBC296DB3644AE,SHA256=BCD1D59AF73F7DDE0443B7FEEE4F2DA37837E2F6AEA0E735D7E0B262F2E4F84D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-msMD5=61600F3A2C7F966BEB9FAE48334CDED1,SHA256=B55DA4B6DEECE7D19F6D4EE49030218E000ECC5B55A83B131352C879E912CF1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=A0B6FD3123D696E6F01D0DF70655198A,SHA256=FA6708E065AD7CD443068058E00695E84C501B3CA33F45BEE6274A3C42E725BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-msMD5=4F3B0C811B1BABC1C626D4EFE2E0746E,SHA256=D33C4F982B54A61C589B71DFE848A6DF8A6B76391010CBEA39770ED37B36F6E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-msMD5=C82592EA66424496BD5D9DC39B20741F,SHA256=1512078F3BC9F4DD39B5BFC9228C528C68C6A7FDEF14530226652DB312353EAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-msMD5=3099B7A18FE6788CBC83CB12CE0F3DA2,SHA256=E41F06C21FBCB068D2F92C8BB28C42391A80ED59A93A8DAEDB67D06665A132C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-msMD5=81155B8A5D4B9A7351DE91D519A98CAE,SHA256=DCDE6B8DF03E45EFD6329202969BA5CD63312E16A166CF8BAFBB0A70DF49E199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-msMD5=8BB4133F1A9C0072D83BE6B2F790372D,SHA256=824CD4C4CC7552A55E7414DBF48DAA4212026A5ACA5645AF6F49E11A46FDF732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-msMD5=7FF220C55361DF9CDB5F01BD95EE6F4B,SHA256=45005069FB5A5C4FDA79F6B88EA9757B992D2F7F42BB5704FC37163E281C3F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Trial-pl.xrm-msMD5=9F1A5E867FEDD17C74F2CA44CCB0E304,SHA256=8AFE457B6754AA7F54FA2078562C70B8800EA1B098580F0EFE8AC7863AC7419B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-msMD5=AC18E7EE94378DEB6BBCA66AB75374FC,SHA256=AFA37F74E5A635474504AD184202ABE8B00C00F9526112190E219EA5187D253F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-msMD5=2A030E3CFB755F0A22EA728C600FD4F7,SHA256=2FD3092A9F15AEA81AF80085CC71B06FFF8F895A05EA6120056286EA0343F06C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-msMD5=6056AC8F4021CA9FE3614821AF3E7850,SHA256=2D87C1FEB0D55CB8E08CC698859030E26D5F543E3E8C86DC7855D4592F098290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-msMD5=AB3CBA1D2E3303ABE4D72A1F1BC1FA5D,SHA256=17F0A2253AC4BB8336D8E3F1F861A9BAA8458AE255EB1F51E9DFCF2B46812B91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-msMD5=6616AF07CD807BBF04500E65F338DC00,SHA256=77157AFA90E7D93BD9EE78BE0F401AAA88C1A21FA889A1536C1215E57EC1B2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-msMD5=AF97DC77F0AA40E8A93152368AF5B480,SHA256=5A358F20B8B55263BA1188AEE88253F9EF6E51C2B855FB87289B93D13FB82F5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-msMD5=88CA49DA5E8E4DDA79F43BBD03BC50D7,SHA256=D13B7C8D53782BE6D6213C037AF52708EF7813261EE674E2262A70359FDD9D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-msMD5=89EF90CC8262813151A210D5C0058C8D,SHA256=7E478AEFE2619D4455032AF9214738B3D340F051490071B4B646B293AC9B240A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-msMD5=788FF4CC047FADF1AE1F13605C298BFC,SHA256=E7255C8723E1195398588FFE3FFB562DDFDCA835DF829E11CE9BD2B8D8B005F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-msMD5=D8690A05AAFCF3373BA7D8E11970022C,SHA256=4CE8B4147BF896F81EB7AEDD53A09EEF50A9FA54099353AFD8F9A120F0ABCBA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-msMD5=CBC8F083FFAE81018240F5EF828203E8,SHA256=AB5F9450914B0E5D1240C98ECD7B69DBAA856E5EE4208B9E6651D357B1AC16A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Retail-pl.xrm-msMD5=AD322071E69F051B820A660D43FAAA39,SHA256=00D5C44979AFEBEAB9E25600316BC39FEAB80411DEE0DE5783014C3AE4AF6A3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-msMD5=3036CFC4200ADBE3DD08221DA46451B4,SHA256=AE48842CBCE2ED91A1E255F554A3F505D640E61CB03C4B6873340EF2B436368F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-msMD5=5F9FC3990D320259858A49C863CF83EF,SHA256=DB09928320C2090FA0D0DBD43C4AAFEC4C4111281E062F9EC6A6176324748A82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-msMD5=5632E639ECC028881849F2416C051672,SHA256=94187EDB019E75E337CFE7243DDCCF851619B917D493947247A2D49B3E4B09C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-msMD5=1B8D9AACD12BE9D910C8331449AEB05B,SHA256=EB3373E81A247AB0DE84D1F08CDEC5546BE6BE931004B9FB9BDBED5EE89D1B29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-msMD5=6A3A9B964B40A3A0925328CA6D101A5F,SHA256=9D52CEECCEBF8870192966533D8B25982B958EA7C57986B9180DD826C16E140D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-msMD5=A09928F9C5474B6CCB49FBAED4D5316F,SHA256=79910E22F1D2D0EBB71F1BFCA32582E97187AA910D32C5F2C8E5CAB7E9215C19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-msMD5=AF8B31027402A55241383DD5C6C1CD36,SHA256=39456388957AC11DE8D06448324E98E75C7408D61CD20BDC86679BF09499ED53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-msMD5=6CFEFE6E320E3FE04B542D2B711DCD19,SHA256=10E3BC9B89B3DF51F953F232BB3B3705F55454F86394B6354C19FA4658A7595A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-msMD5=F3BFF12230DE8F8A8CCABCE41F0FA44D,SHA256=0962CB81429EE493B2F2A63ECDF2DE6A8B96565B19B018B44701867ABA2FB051,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-msMD5=BCAA37C88F07B9FDF177AFC1D227385B,SHA256=4EFC8B7615213DC40640B03C3A6839DDA6D1FE9175572C956F736B10B131152F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-msMD5=C1589B54C88BA51357CF09BFF8A02875,SHA256=5E47FF76C8DA70ED8B0E58F169F5D43828DE1BA853503DF13E029114136A6C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-msMD5=3E4753E8EBC1D4BE34160D5E206B7FAC,SHA256=2F6E80D5C7C5CF6186874EDABE7A5837E6856FFDC5B97A6B343914699D1FEF8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-msMD5=BF1A5914E77C1EC93CF2E897374D8C92,SHA256=D097F5DA7E5B3CB9692C19E1EA78B2FF1A58552C1BAC65EF6A223BECB663A0BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-msMD5=2E73A18278EFCA53270815F493823B2D,SHA256=BD17254B866B6DF36CC8F8BC982D554FA634AAE4C0A74167E9D4FCDA379A541A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-msMD5=FB52D9F0E6E14ACE80A93D281328669D,SHA256=29A567B43EB24DE5172CE8A337699F914E83D2A751C3B488D020B902DC3920BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-msMD5=785BC562EBE723B497E69F0D103F66A4,SHA256=BB264213D2EB96C36B06DFB54584A276BA3839C7E993154BE0C6E583075DBB17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-msMD5=E264A201362D69D164D9B9C4C47069CA,SHA256=7C46C2FC91C2C2EC84213F3488C6D6B4C405B2974CA080FFC3F68B76086FC053,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-msMD5=EFE1FBAE7922425E774DF7FE5CAD70C9,SHA256=64FE412AC67DCE709673DA2C294A3C1F304535309AAB4A042864A1D660F1F017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-msMD5=0A4636543D2FC43C57AD9A72A3A3AF36,SHA256=E18A938C1104205E6F279323AD42D904E73A661592CD08E4B5A2C17126C8E146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-msMD5=4FC413600B6118E6B4BD641F622A1294,SHA256=9A9EC442EC257A117AC894EEEF697752969E53FB5F78E76E5D064AF22F6D822C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-msMD5=CE6F1D8EF4E1F6D0054D107594171A5B,SHA256=0A31F2E9388F9BF84D94A8A55D7D13653514820E6CB144A2437A868F893C717A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-msMD5=D7E77DB19459B2ECCDF806EC41694889,SHA256=29A4DDD0BB1F4240E2E98151DBA99793FF8E71A2AC93F8572CC47AA8F8CC68EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-msMD5=1A7E3351A6394F842CA316A462F32903,SHA256=222335243A06DC8E0B0DD9BE9EB63C33FB712EDC230694B041B7C9C97AC83838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-msMD5=524A1CCFDB97831F2C3DC0FA4CB7F92A,SHA256=72C3E8171433AECC107C382398FC2420F55559B4721CA15B559918B78FF7EC67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-msMD5=2B528DF5BB5F1D40103AE92923E15CFA,SHA256=394FEA499436F69F1FA9EADE02685D83469C4C38E6F2A3A3F1AB6333D0985D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-msMD5=479BE1E49D67071E1D2DD677A6BF5750,SHA256=BA8E6E3B683CF55E8995F5219A03AEB7BAEE8DA79EE5FF26ED920F07F52D1B48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-msMD5=07608587C20583870F497F00D7957D4F,SHA256=8E2CA02E33C5004CEABDE20A743BF1731070E5C7D0B4C8F2E74F390B32BEE40C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-msMD5=874315185D32457D4A3E562E74918A4E,SHA256=BA6C962CFD911415FCD277FA0C42C7640D2588675789EF045062561A0AB4F97A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial2-ul-oob.xrm-msMD5=A2DB5A9C684C58830A9078CB87CD6443,SHA256=F4315E0911B6A9A3905024D6CBAF4C90AC8475152F460B7A04D4E67844C15193,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial2-ppd.xrm-msMD5=C8CEB8868B5BFC2F249E41A3C149FD3F,SHA256=015004259556355D06AF9A458F8763F8E81CDAE4AC2B622CA1D5F978D612B227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial2-pl.xrm-msMD5=DC308D810BCF196409DA5D81D6FE13F4,SHA256=43D86D36FAA3E0521892C091FBB0816A3DD8283B98CFA767E5BC03743484613E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial1-ul-oob.xrm-msMD5=3A06E4C1F2815D6BE40A39836B1B8139,SHA256=213C59F13E9ECEA2CE08812E428A2C7DF384F3F17838CDEB06FD454926327056,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial1-ppd.xrm-msMD5=6D8C062E236F959E7382E872419EB253,SHA256=89D78D560CCB122EAD6DCF8F91790610DED896238502BDFBD646DF02A8DA3E51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Trial1-pl.xrm-msMD5=8D5F0D04261C18F65FE2F2435DDB5D7A,SHA256=AEB3623256B2D556846FF6B34A62CB32365E516F6F97E70E9341E580CD969E5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTrial-ul-oob.xrm-msMD5=C6FCFEE0D54ED56537F28FEB24CC505A,SHA256=93A2235D8E75424556859B2CEB2E74810665859577E5D1BC5183E021F4B3FA3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTrial-ppd.xrm-msMD5=D86CE768FE20FCF8819165E48EC67E7E,SHA256=5D2E13FA90149969D05F74AF1842534729D37C13D542FC26590B1961E633B0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTrial-pl.xrm-msMD5=085E0727408DB61AE1E76762E4BB45A9,SHA256=BC8950E3CD0A633ACEA7C5EA3D9F57C129A22CDBF92D3C4E88163C67BD3B4119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTest-ul-oob.xrm-msMD5=6F8C1A518275CCB28EF40AEAAB0B752C,SHA256=A1ECCE1D4B0A442C0D9F7E5FA359E981CB0C2557BD9279DE830FA799CEC248D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTest-ppd.xrm-msMD5=BE1EB738D911EC23CBD01FFC782F00E2,SHA256=84D522F32AF6D2F0894986F5864709313C6268AA08204AEFC8022EE7A24EADC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_SubTest-pl.xrm-msMD5=1609B696A5A016A78062DE59F5D2CFB4,SHA256=49AD127258480F8C128C8AF189BD30D61C6EBA89627DC939E2ACC87A1EDEBEC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Subscription-ul-oob.xrm-msMD5=293D18C37A5673DA268F71EAF2B60659,SHA256=7D50F3520E68D2300B5A1C9CB66804EB362924B5B235879CCD7D580D2D0BEE8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Subscription-ppd.xrm-msMD5=8A4E037D7A2A560C7FEFA18DDB10275B,SHA256=9DE3F1AA9C79BFB82248415B3F0C3A05F27792FF4B6B8E8B93F26DC6FD7CE605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Subscription-pl.xrm-msMD5=E71E339F16EE7D068A7F1E16A2A9C485,SHA256=CA1A75E7B6F67A01B1F844E8C658565B56601E022543EFCD6BF747DA4EF7C18A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail3-ul-phn.xrm-msMD5=0CBC8077C33A8783D94F19A37880B2FD,SHA256=7FB1D920FAAFDF4E54B2126BE773331BF83D82F813B3FD79F7E3A06FC86C3241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail3-ul-oob.xrm-msMD5=580023A522DD2963E83102C2BE74ECFB,SHA256=1671A7BF4763733FDAC7503A5062CA54F70E37013628C87C6971EA48109F8D55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail3-ppd.xrm-msMD5=96B49E1EC8475CD7E855EDD3B3CFF89E,SHA256=3AFD2E0BDBCD923D36A37EA770EACC17B4914AAE090E6935186C6A2ADE3418F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail3-pl.xrm-msMD5=8A5950F3E7D374EB3E2EB2F21D4A45A9,SHA256=1976A9B44F5F2DF554498EBE3BA900819710DBF846872CFDAB89AAB81C5BD75A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail2-ul-phn.xrm-msMD5=C2B1D87183B33D5276111392EC266EEC,SHA256=DEC45485CCD0E9C1E07793B8D97F0E6AA6D5D41FEBE0E200493CAFF4D1705C58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail2-ul-oob.xrm-msMD5=484D88FED883FCDA6150DD5B80978F5C,SHA256=F67FCA9F288DF7FF1BD2EA8A10405B657F23CB854E0FB9751A9495123115F275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail2-ppd.xrm-msMD5=F5D98EA0AFC99422A3D984B33D6F7500,SHA256=7E3D6083548C0B8CCE660CB4C53894F26FCFFF31282E416A1927B889832C9DCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail2-pl.xrm-msMD5=BE934252EED1B1C3D8B0E35A31F2A49B,SHA256=AE4E392FF469E6F7A1FBD3FE95298ED6257A2FC09AACEF63756EFC5235B9B70C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail1-ul-phn.xrm-msMD5=6B6E54859AB6A41C041CDA61ACB12B20,SHA256=13B539D9F693C835E84A77823EACAAF9C1EEAD2E955F772E470BF30D58971785,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5550C40835E1ED8B229BE45ECC64389E,SHA256=A811FD2CEA9C9CB7ECD4D24401DC1B28B2494B1823387E065F966EE26651A139,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail1-ul-oob.xrm-msMD5=EDBAAFBFE8CF2D4A09D436C907FA8A01,SHA256=CBDB5773C428B0AF6E0B8CEA80B20AE31A1DA3E7F88094ACE3F32D84FE89248C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail1-ppd.xrm-msMD5=B5411373F670F1AF65CFDB7700CC9976,SHA256=BE5CABE3D8062CE6EAA9E14820C1533E099BC480A6DAB58613A8FA4136E0B53E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Retail1-pl.xrm-msMD5=98EC62B0065BD2D08C1C5E6F6DBBC6D5,SHA256=CBD014088A606A4DBEC45EC5510C0DA507A93060EFB8F024432FCFAE0AB586B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp4-ul-phn.xrm-msMD5=9ED08ED68855C024777E58BFEA8A5A06,SHA256=21122C016007D502FDC563CCA7C2D1E6BE7B6B52089BF792180D6F869636DB37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp4-ul-oob.xrm-msMD5=6B2E655001DCAACD8FF9C0FFA1D4001C,SHA256=BE79C2D84FFE4BD0AB5A0D936898A4958C4B0810A250425D318C3D2C5FDAD679,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp4-ppd.xrm-msMD5=771A89EE9B8AD6B267F6382F42EF9CD9,SHA256=8FE2822DE0EB4073378E1EA30E07E7FB4133C460F086C48390019AB15F4864AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp4-pl.xrm-msMD5=C4DEE39371CDC9B5AA4B1F740B13FF68,SHA256=D361D6E2EB7F3FB788494CA3C49031090E37DD63BB0AD14DCA973C9EE5BC31D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp3-ul-phn.xrm-msMD5=889AC5993BD1214F18E522E60859380A,SHA256=A3E72415929FE797AE193F4FF6757842624EC581C2DC7F8BD44A89E35F7695A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp3-ul-oob.xrm-msMD5=CE25CE107CE2941076BDBF629A7B5F8C,SHA256=1FEDE00399E7DA36D129A2E9B7F2269FAD27C8057877A134CFAF0D5EEB1DE884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp3-ppd.xrm-msMD5=5C08B26468DB61508631617539FF16F5,SHA256=D4EE0C6E42D04B95F192CB5B58A4CD843610A5F3FC18B1866C954EC1C2E1F7B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp3-pl.xrm-msMD5=5E97EFB56FCB46499D8DBA69C063F31F,SHA256=1F4C47981313C6B52D5B8702B137E10DC3FECB5510178FEF8D7937BCE90BD357,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp2-ul-phn.xrm-msMD5=C354C79F3DEF90E6E11CAF72C005A524,SHA256=76FF2C646A6BBFC627F85592F28BA9E21380A21FA8F2F7D145C73C750E32BA40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp2-ul-oob.xrm-msMD5=EA092CDB885AF703890A27F51A36AA7A,SHA256=816E5B8951C7990AFBA4A7D37E42EFEB172F0D61782CE00FC54DDAD2B0E41172,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp2-ppd.xrm-msMD5=24EA2114FA6F249A573680D3E7B16901,SHA256=D46A47B4509B508CBF48E421D9365157480F09BAE6F846F3570661652BE17B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp2-pl.xrm-msMD5=F17691549514A07C4E36738D9D0F7BCC,SHA256=6588D7893E13FCE7A0D3C7A95DD0E042E488D964869B2A38DD82115C8186C3F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp1-ul-phn.xrm-msMD5=BC673477ED3C40E0BC4D07C191DD9407,SHA256=1BCC1EE0813C56F2254E50BCCB33E94ABDE56BB24CC1ECFFAB99A2C507F39A48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp1-ul-oob.xrm-msMD5=6B1526268105FD3CF95C12F97D5AC16D,SHA256=8F540F85A9F2E103E3AC4C2CE0E2A5B35F0974BF1D93D8311E575F085D6EDAB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp1-ppd.xrm-msMD5=394BDB6C27C738FB9A010FEDA3EFC014,SHA256=9033198F637BB709560A1F9162C95689A666AC2A1629A491B38A31CE11288DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_OEM_Perp1-pl.xrm-msMD5=35E64BCFCB8DC8C6979A9FA1C7AADF6C,SHA256=8161DEBF73A4849D90259C05FA172BAB33E951116D862784470304C83AD44D35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Grace-ul-oob.xrm-msMD5=5B7DC9B1EB3ABA90E4F45575ADA386CD,SHA256=FCA643EAD4800DA1A6907ED5498BC13F95A601F75C31429804E597C2C50DF9CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021R_Grace-ppd.xrm-msMD5=13D4D1C683767C2A02D4447487F04B85,SHA256=BE7A076630D3EDC16A87E669B38D9F3C5B4A32B85B2F397C708F4AB2B0AB90DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=3DFB1456D08B7F2B45D915410BAAC279,SHA256=DBAF8955513606E3BCD3C09787851E52038CFD9A01E3B3D7BD9B93DAFEB7D4BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2021DemoR_BypassTrial180-ppd.xrm-msMD5=810658C49830ED3CD81AA90E5ECABB5C,SHA256=9439F05A3BD4E9C519D9661FFEB93C94CA5B19B5AEEC60CA8A198DF9E5C5DF19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-msMD5=43A3AF2467EA24D6B33AFC3E3F3624CB,SHA256=6C4ED5DE3A94C0D1D867FD1B872048075DCF942166154C38A52AB805F960FBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-msMD5=FF2DDCFCFF83FF4DF2339A472DDCDCEA,SHA256=1EE3987CAB0DA3FD5E08A17272C414EC26E5C760B501169AE0D392BC9424650A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-msMD5=055E1BD9FAE4C9AFBB23B5AF7DA85388,SHA256=F240B30D4A5820EB5DAF5A0E543EA81F170ACDEC1D0D57FDD01A70330FF6C720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-msMD5=48F94FC31E65993389262B32C1993200,SHA256=BF5074299146B2CB330F251D20D92476717C1B358429BF273DAB6F9D585D1FD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-msMD5=9B26DC6FA5ED869756CA947F33FACFC7,SHA256=BC7306F3CBBFDFDE5CF33E79A091910238B902CB091713198B0579F57EC72FBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-msMD5=E634D4EBD8C3AF7D15BC6BE134555D53,SHA256=1142594263185F50FC502B92007E1C34285FB6C5BAFFFCBF65CE241A344F12A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-msMD5=AED719B905E2468BBCEAC1ECB0775F73,SHA256=8039A0871E6AF782EEA97BB17A6CA758B36F04AC228B2AE13BE55234CB030FBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-msMD5=A305E046BB369C00B1A3FA98D2648574,SHA256=007A0335143A93B38229DAA9636FA751503231964676A8C9CE013036CCE0AF24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-msMD5=E9CB05C91611B622FD750080B5FE5C2E,SHA256=31472DCFA83DA423B076C83B966CAE1EDBE99AE31464CC08E8925544F3F733C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:09.761{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000325475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-msMD5=0BF2432DE6E43FBE27B2C0ED70728377,SHA256=05D207407FFC10097625D18021380E63B41D1587A427A809A9092842C7617464,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-msMD5=0AF5BB454D53B25831055A0F584939A6,SHA256=D85F3EC45CD945FAA1D1E7653D7B29D31DE80D6922BA06D4ACC35A0F44C0A3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-msMD5=21DF330CE249CE55B90E8E64EF1D3D2B,SHA256=FB06957A50B721FF4B8F9FE9A90D030A898B88D909B1CAC9AF478F6D59D44C6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-msMD5=2E7D2516F37E1B86BB02C5C7D109D4E6,SHA256=54A15F45F07F3DB89F067ACB0392E14A7DCE2EDA2031533A35A69729EEA8450A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-msMD5=9A47AA9C45DCE5AA315A5E7CF19373A4,SHA256=860C9DBB7DC592140E3D41B9C28950D2FCB0C6CB61DF224E63B0B0751E5E6E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2981712FD197EE1E4BA4A8FE6C5A43,SHA256=50A8036A34F50307E381291DA6D825C9FB685780BB39219C6E810F63EFD861DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-msMD5=51DFE263FB583963E16B98C376F5D498,SHA256=87AE3B7A6A6D30DBBF9728F6BDF7FCE13188FF33F40E8970EA120F075228DCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-msMD5=4849AEEE0789F48AD877987CE2F0A6CD,SHA256=15060CB2EE9804F3E9D4FD21E88D93BC0D9C96B16E3F68D34F71791C4F4EAE8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-msMD5=01A5D310C1BDFA0A808A7D56D5F7262E,SHA256=FDD801C0FD857DA70BBBA4BC45634B3FBAB6CDA8FA09433F9F13D0ED775FC609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-msMD5=DA5A397ABCB19F2817660222C28DC1D8,SHA256=80BD4D1023C8152CF95DC949A7EFB01C211BCE32772B876C426B32DA4D92ABAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-msMD5=E0AEE5254A104F550A1F499ACCDA4A23,SHA256=56A599989D8F27F903158DA56208EE6EFCCF853BE51810AACD2A901C7C14AEBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-msMD5=8E81889ECA54D88CC5FEBC21E5DD4874,SHA256=B11B0B2EA74C14DA27041608CBB64EDE3ACF3CC9F5BD529F4BDEBA488156F593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-msMD5=82DA7D8DDE92C5259D2249DD0A017B0C,SHA256=4BC5DF93471C182B4E6063A41C7CFF6160CAB12F25769D04618B3F978D98ABF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-msMD5=1C97949AAF0CB7F450381212DE975BA2,SHA256=1C25CEFCF60F78E88E6A719A427C0AE9BBCB1BC44BE8AEACB48E1C9A61258941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-msMD5=17B90A608C8147F529142B7098AF0AC6,SHA256=95C1594872CD147609A2DF6D32046CDA996C0AE2A1FADAC52A80301786A81D19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-msMD5=93507230CFC149C7346C133F9907F839,SHA256=223FD75532C7712788B680AE98256C70E5C836738B3804D130B8176A46A6AACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-msMD5=76A74C58E2D50C155FE2BF9DD2096B6B,SHA256=72BC3B4514F012955088F46DF942C7AD20448634DE0FBF01C9B6F5D162694B5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=14E59A81B73DA7C4F24557C8650EA861,SHA256=E21B3AED465D277E1C2C40260974F33BC4016E950DC28A84EDDFE4BECE04F2FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-msMD5=0476386C2CC4AAAC7668F1A65540D3A2,SHA256=425AD7C1ACB4EBCC90D66D89936EA38D68B2724DC7CD0E1E5D21AB346D59C9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.485{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-msMD5=F0AC6E3F1EF3B09F4C908832B3458F38,SHA256=10ED9AF7DF471CF2E21BBF356BB802481BD766AC5E105B81506782C85174A1C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-msMD5=FEB88EBD1234F66091D65FE26E7C07CB,SHA256=524D52C206D402B15411BFF2DDB5C64C77DE875C7E5ECF02FD78777C998B0B90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_MAK-ppd.xrm-msMD5=40D73ACFB19B6B8B784F73910DC73ACA,SHA256=D1958CF687180B6684CF142D5FFF34630590503BDE399272BBEB494EF67EC1A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_MAK-pl.xrm-msMD5=7D498376A9FB4C441C8DDF08FF9F02B6,SHA256=BFCDB92D7072EC99BCD61C13517CAB8B1F5C8ED552E9E12514B661D3A24F6AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-msMD5=41CA79009D4FF127ECC9320936F36F14,SHA256=317312A54E084DCFCE13E02C45B980E59AEBAFC0C1AD2FE6738FF670F22E9D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-msMD5=CE090939C1291ED9878A9160383F49F2,SHA256=2092D920113EC7870B31D5F6EB2FEECA6268E4BBC8DF84EBDA718603ADB17ED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-msMD5=12FBC86709C6A0947E6145BFA149B79E,SHA256=8702617C66B834C0429F849B667F2D41E9B403AA45BDE5B2140917DC235CB5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Trial-ul-oob.xrm-msMD5=58622427538617C180D0ADE56BE42640,SHA256=5C3F832868AF4F69F34A1553E41B4FE73D91621B7E10C6C49E6CFBCBF621AB3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Trial-ppd.xrm-msMD5=4AA397451238099EECB521F013E02A90,SHA256=3EAE9064E5891069B1DBCF9135B5FFB1DCB11A81F8B47547EA58F75EEF760FCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Trial-pl.xrm-msMD5=52C2B0DDC7F21F040AF23E52DBF91C4B,SHA256=62E54F8F814DD4A067BFB9F462967D3FDFBA0B2AF1C1CD90C6B699614E3A4174,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Retail-ul-phn.xrm-msMD5=0C9ED1CDFDD54105B8FC5BBD0A4306D4,SHA256=D8D23242C99C83AE6B7B7E17CF641E244FBC74177C42EDFA90DFCBA44A7FFB1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Retail-ul-oob.xrm-msMD5=8FD2A7D4CD27591FAA08CEAE9DF113BE,SHA256=3DC4A6B73E511323A8F81BAF0451E8A351E044746794F7FCA30A0919FC9D3773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Retail-ppd.xrm-msMD5=D15AF3435432FE8651A1444BA040EBFC,SHA256=2C3C53BC8784D0E1F167D58438ACEEDC124B00D51D8086B17F032F288205BF06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Retail-pl.xrm-msMD5=1EB783C80B842449E6610C36D12E4FF5,SHA256=510E27BE27820D20A54DB7314E85085DCED59AEB2A24FF2C1C6CC9B53769BDFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-msMD5=E8C9BB1E46C2B3C8FB5A6490713A1606,SHA256=AB5B07FDF749D8CE92B1AFBCF9C714C7C6229D53D1E180A17C0D2B9B0A22E8DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-msMD5=F2C49500A74548AF45161B591ED121C1,SHA256=C72437CD4A6361F23ED016959CC239A4E393FCB243213F10A23D82D8BEBDDEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-msMD5=205EBC74847161FB5F61E70826F03842,SHA256=0FB0ACD8A0AAAC10A63FF555C60DB547A928B4EBF7B871991B100A32FDFCD481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-msMD5=CAD21925F0139383F0706A1D7FA878DB,SHA256=981D1502D044D0E14B35ECC1A1110EBA56FCF07FC940E26EBEB4BB3A5F77F991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Grace-ul-oob.xrm-msMD5=206AB61F75DE24C9338CBFEA60A5580E,SHA256=75CB5060AEE494C6414D91EC9BA35A3A5A9837E7334EDFF4E4C09A5BBBC64026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ExcelR_Grace-ppd.xrm-msMD5=A63ADB53DC150FFA2A2770C4CD24C8A3,SHA256=C12768451E112E2877355450022B00F179E3357364E89A7DEBD06F2482894E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_MAK_AE-ul-phn.xrm-msMD5=09EEBDFBB9734FAC2218F9F425F8299A,SHA256=08F4E238EA7CAE425ED5B88EEAA69B7EAD479ADDCC5148E3F4617B8749297C67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_MAK_AE-ul-oob.xrm-msMD5=0CD33E14470EDA6832F5BC09BDC0893E,SHA256=D099612D06E3BB765C9014D6241D57BBD9231ACF32D4AE375EE632D8F7F12F57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_MAK_AE-ppd.xrm-msMD5=99AAFBEAB1AC81DD79C0BBB1F499762D,SHA256=6AF5041E6FB5EF516EE427D1AE9238748884B01500EC052F1046CB40102175A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_MAK_AE-pl.xrm-msMD5=9070D4D60297888F8760A0425E1B0922,SHA256=87572B28D09FF71EE938769A5D307BD9246B21CB23420EEA120E4AE6CFEC98B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_KMS_Client_AE-ul.xrm-msMD5=3CC2CDE49A86B47226530261AB6F6E94,SHA256=ED315E9EBF245EFE09AA7CF202339F6312783E980C43D23B8A87E374B71FA913,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=F621F3132FD86E17D09E9F415BD3F93C,SHA256=14B38A45108AC1697DA29CEECE72CB2B0ABECC81422AA112C4438A11587EEB5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021VL_KMS_Client_AE-ppd.xrm-msMD5=4E13ADB5F5F6330137BBC9C9670C65E3,SHA256=8A1B326585E8B700E72CD6D6AC07789BB97AAEEFA8FB640D656838A297C739B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Trial-ul-oob.xrm-msMD5=ED42C7D568A24DC5E60E2D5FCBB1BB44,SHA256=931237DED75F9B5983CCC21D5EF4D2E638FC147895C9E0C16CA6C3DBDAF618DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Trial-ppd.xrm-msMD5=099665AB2C14D215D0DFF2334902AD11,SHA256=3BE7139AB7EF8D8052542C3AFA956C7DEF79B4B23D72EA407DF37BBA6DE84354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Trial-pl.xrm-msMD5=BCCBAA48C2170687376479FD8A3EB727,SHA256=44CB5898A00BED8A159BAB18BD604492F55D0672CAEEB334D08C99DC4215B9B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Retail-ul-phn.xrm-msMD5=6967D242813186D0E301CCDC679E23F2,SHA256=D27E7D4F2EF945043CA9F25D52D39C7C00AD68C82C22FF93DEBBFFD9045FA244,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Retail-ul-oob.xrm-msMD5=8BF19CA549AB9443CE6673E1010E9356,SHA256=211C7F46D4C62F81C0E1C54A45A55EB27B5B74A6A8D48513B617A988906AB19F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Retail-ppd.xrm-msMD5=94BBAD823F3665F7E35F2AB38868B57A,SHA256=9140868FFFD5CA0023EC7BB0744D5828C8617C22DBEB71812C28293683211208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Retail-pl.xrm-msMD5=7127BA51F1FDFC4A225D839B58C296D4,SHA256=13B13968DFF55B4B30EB16684FC45F6B2CC6FCC3F89A55F621F99A352580760D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_OEM_Perp-ul-phn.xrm-msMD5=B353F2809F7ABC9D9B89BBC86F857091,SHA256=56F16019E4037893620B4AA42DF0C8B09431D6FE57948C6862A632B22E195237,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_OEM_Perp-ul-oob.xrm-msMD5=813D6D853D43B3149B4BC525C26D3875,SHA256=7BD6CF46F563398A0E0F1AD3663EC3AAFA2E5D0377932373F09248483840DE67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_OEM_Perp-ppd.xrm-msMD5=E99CB24A7A7153F6835D3B491463A3FC,SHA256=E0274B9040B8C423630F0E9A39B57055C3E4DF3FBDF8E5975DA922AD2C71A297,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_OEM_Perp-pl.xrm-msMD5=FA315E125FC364274D857388315E9070,SHA256=72C4AEC92E25EA507BE464DA8CED4573641BEF3A78C780787E418E54C20DFD53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Grace-ul-oob.xrm-msMD5=5DE8AA11E70CADFA20EC565004C8B36E,SHA256=50749012BDA42019EB96B8663A2C4878E6E5158991257D89195E66004EA2910B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2021R_Grace-ppd.xrm-msMD5=CB86CED17F2BE1DEE2734B1CF915F602,SHA256=5E3D51EB57823723A6FF6F465BA09CFAA6A0CCD5533A956A3CDCB11C7EEB98D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-msMD5=C454E758B66C176A325276BDF5C48CE0,SHA256=E45CEEB8614A466A4C6EB3B563B135DD3A0AD225A60552F7D6BE32C67432C67B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-msMD5=A452F7EB7E7D3BC9AE219CFA83F3808C,SHA256=D3B3796EF30CECD437E19AE9A2F5DE6D692CE1D67D6889C580605F497AE90C42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-msMD5=CF1F91E8E13BFC03258559705AA2BF76,SHA256=7D3D71CF2C4D47E18B03CFBC754EBC040EEB880E25CAABF54D0393B162BCAD70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-msMD5=DC2D8C2EF7C93A771D2C514ED91867C2,SHA256=754128552354B2A81749BE11BBAF9199F8BCB6E775E2F3F8EF1DBA29F24BAA7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-msMD5=C05417E3BF104B661D0CB0FDBD8E5EB4,SHA256=DC2A73ABE0BBC1CCB1B75529817D106163183663B32672BA3BB410EF8761F0BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=A18089D933A51EC99025856B179F120A,SHA256=EA603CBA7BB883C6E5D196D3D711179AFAC7685D8639E4CD7F8D307BD301D7D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-msMD5=0E3AE5E7ADF7A4D35B705CFE6D6208D0,SHA256=33D37E1611AAF2136BE291F81E0627D5560B6A0AE98725D93D3ABFCC587917C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-msMD5=153AC686882F813ADF58939F258C2112,SHA256=4A2B33AE33D1FBC321775BB8EDE3B904015B17B729D187B85E0A8B1DD9D8012A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Trial-ppd.xrm-msMD5=01D48583595AD854803C9634C7FF26C1,SHA256=161F9ECC23FC7E378071C3F2E717BF5121DC4C93CCEFF3DE45318456AA5B6ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Trial-pl.xrm-msMD5=3BEC0E9158A08672046B19962A228F07,SHA256=2A9CC1766C93FD5D207919DD10D1BF38EFB3E0575ECAF27FCC0F158DB9F56E0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-msMD5=3DF6894A7AE8C73F968A956183F984E8,SHA256=DDC095E7F1E7D8515F0DDF6156CA2A243E8AB97EFAD265C76CAE7FF2EB5E4B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-msMD5=A469B28AA966035FA277D2BA72E5A7A1,SHA256=F9EECFE900BFBCBA2FB135629FECB373DC6B8A67F0AE654A6C9CCDAAA47A595C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Retail-ppd.xrm-msMD5=0FBCB9CD215F839C2DCDED22D6E38051,SHA256=FD76D4CD22A88A9FD854963F7EA8D9A4A0674F642234C4A059B17538AB09ABF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Retail-pl.xrm-msMD5=A5B8D942851814F87B01325EE72D750E,SHA256=814E2918990C0EECF09D493A50B45A9335118763EB017FB5B7AF9162268BDCA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-msMD5=977F154FE0C0FC2BFC6F5FDABA577737,SHA256=194C2D23DF7BA88DC730A39738209902711696BD5A772082A1709E95A70AE3DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-msMD5=1FCE00C6720E092B25679D24644AB628,SHA256=9FD92C6B467079122B35F5BD90098F727DB56E0F5F9CEE886F46BD914DA40384,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-msMD5=D400010CDC2BE6A2E978E02B05AD7C21,SHA256=150F6BF47775F51B8211C4F87442A640FA8255AC077C821E3790A64E74CF4C54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-msMD5=88E19470D1D77A116C5E235C56028528,SHA256=C20BCBE52AFEDDD8EFADD91C3F768FCA183918B349AF3F22BF57EDCEDD5D3286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-msMD5=27C38CFDB4CF76DED6A33ADE8F67A6C9,SHA256=1F54EAAAE8D7774D8DE2B1E79A25D2285B3FC8014DC27B71E167F23C0D5EBFC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Excel2019R_Grace-ppd.xrm-msMD5=BEF4A9CA282EC03C46C899097E882BB7,SHA256=DF5877F2C1AC0CC741D7E3F2158D87F8CCC8ADF696AA8F68AE85ECD36C7DA478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-ul.xrm-msMD5=7D518FF67C2FB10D4C12289CB6B0F46E,SHA256=50810B7E69DC2531F8776BCAA984F454F2FDB3D77309F1B911B35BE2581C88C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-ul-oob.xrm-msMD5=FEB6E793438695368C849E2054FA82EB,SHA256=4EE53DB020FD04075CA94CE36D49FBA4BCD179622669B8868C9D914950486373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-stil.xrm-msMD5=2083AC3020996C7B0FC052B9148F418F,SHA256=15001F732A13EFC7D7C9DFA278F5C4D93F21ECF180D3DA66F2D2622E1E0606D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-root.xrm-msMD5=84306CC160FA8C4971C6F20B088D0DFD,SHA256=94B303980BD4867DF1B539D3872B075070F226F8A8C91151BD88CF5A8D30582C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-root-bridge-test.xrm-msMD5=89A821E769447376D5355A4EC49C6084,SHA256=B2D8E1E6AA5515C8B2E9ADEA11B2AB8BCFD643F3AB22EEFF7B64EBC5C7FEB356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\client-issuance-bridge-office.xrm-msMD5=33C1695D278F5917F28067D27B4868EE,SHA256=65BCCC008F5B44D2DBD880C0C33AFCFFF27C07DD24DC0CC7DDA2B3BFA7E9AE74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\c2rpridslicensefiles_auto.xmlMD5=D83780BB406BCFCC03FC9E16CBD902CB,SHA256=887830CA970A6473824FC2275DDB950BEDA76E7977C41FB3BB7CAFF66DE57AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_MAK-ul-phn.xrm-msMD5=861753974B49CBFC773CA3D9945A141E,SHA256=444DA0F2ED2607D2E973D558B5E99DA0837EDA0AD16301FD2032530F24202060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_MAK-ul-oob.xrm-msMD5=E5FAAD80FBF96C2024726C0E184FA8AF,SHA256=1C18C58F27A3AD746F61D2E6C84736A9E8DC8243487ADD527D2FFB17EFAA380D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_MAK-ppd.xrm-msMD5=8273BEF1489EEEBB5287558EFA91B315,SHA256=ADF3B2B33FF9CFDB142CD5779879354B8FB35F96109FD38BFD0CA94E5DBC38DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_MAK-pl.xrm-msMD5=BDAD8BEA53ECD5B489DF5CE146E38698,SHA256=E43D09A2D2B844A2072F246C947500D0FEA4A0E29174874F6640812BEB0631AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_KMS_Client-ul.xrm-msMD5=85D68C704C262D9A186139AC3CDE9F70,SHA256=A401CD4EC1A3C02DC175797AF4EE41427245DBE62F0A83586724926317C39642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-msMD5=52FA7A2FF7358691F89A02812296B47F,SHA256=5EEDC8C935C0331E5DD724B7408BC6B22510D8D49AC811F2A975386837E41D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-msMD5=EA81F375DBF4359CB587DD1D1B9888D9,SHA256=DA3514705C933F1E7DE4D60270516DAE35527CDF62193A788AA382F9F7B3F54B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Trial-ul-oob.xrm-msMD5=4060936D59B4F68D89204479BC140B91,SHA256=BF0836DD2929714D38282DE3870BA79E58BBD122A690FD81E13C4ABCB5DCDC3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Trial-ppd.xrm-msMD5=2584F0C2E64277E46E3F9F2302C2B180,SHA256=78B754C422043A0C78439F9B934CC903B46F46C4EBF33B1423A06A6F34908210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Trial-pl.xrm-msMD5=DF998AF1C5EE938DE708E5AF8473E5A6,SHA256=C099AF45A2CCD2B2C9C6900885CBFC16D9D07E24460B3C2191BCA21F1E9ABED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Retail-ul-phn.xrm-msMD5=F820FE8E63390D2F5388C3712F4DAF2C,SHA256=3FEA92E4A38FD0E7672673CFC8320089BD76FF3266C19E6FFDBAFAB5FF507B6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Retail-ul-oob.xrm-msMD5=7F25A2F8BAAC69E2E47BC84B2CE2842E,SHA256=D4803A56FEA34CEAE34E3B8E54509A46F05FC023737314ED4569206048B5D3A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Retail-ppd.xrm-msMD5=23FA8BE60E4F746EC7AC6D132512C96D,SHA256=A1C3EB56B14039393CF68C3859DC0E7707089D039BD6F137D482B01CD3E4AF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Retail-pl.xrm-msMD5=F0D04E8141C793D89EFDF59134C7FE78,SHA256=A6449DECA60398DD0C9B03BD5B88B493BBF1951E3E6DA07A8ADD2856B93607CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-msMD5=C2AB83CA20C105610A54A329B9054770,SHA256=1389C369DC8FBC6E91CD29C9657E4278E25E4D294C06DE53797317EFC559B074,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-msMD5=737D292210EE734C524CFAAE222E570F,SHA256=34FD75F514622F4879CDD843B45088F62963695EAA8560BAB2416B22916E397B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-msMD5=D5B52E5EE7C15D520BC84659719AB67B,SHA256=E275698934721CA570D26D94CA590E91D128979ACC31EABB894283852B01F141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_OEM_Perp-pl.xrm-msMD5=F68ED689A57A180F1D25D8D36163C921,SHA256=ED33D4AD1A3B56E0F9E27DE0E6B16B56AF52A95A0B51CCBDCA816401F2760BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Grace-ul-oob.xrm-msMD5=C891E61F0B4084555A5574A9B23F310C,SHA256=AD056BEB42BDF545179CB33FC0A07737A985008CA365FEB37A9BA5D5051A89D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessR_Grace-ppd.xrm-msMD5=2D5FB5D202EFFBF6ECBB2B10A58ABE07,SHA256=93A9B088C14DD65BEB6207FBC40A156B34E5844661FAF32D0DE9B69AF4E81DDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-msMD5=BAFFBEE4E8FD083522CC1CB6438E7DE1,SHA256=B32B11E7128DA4278A0262179FAF6ACE728839237597C6A3B85E6AE24804B446,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-msMD5=E2E33501FF3ED7BC8D36B1915516FC7C,SHA256=208C4DB551036C9C8F309ED2D336615CB24AAF13511595906D6A207CFC208448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-msMD5=6D94C2FC77C09300F1FD8BD555F9C72F,SHA256=8D36238EA1B109BB3787D314951C8D3CFBD0938AFD78F6F9349ECA38B71ADFE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-msMD5=E315006D984FC9A5746A6DDA040B3468,SHA256=D2613B6EE712510A4B12FA4EDC52136BFF564ACC977CA421A1B9EAD3744D3599,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_MAK_AE-ul-phn.xrm-msMD5=7A9F023A6985DA925DF2ADA7F917D1DC,SHA256=36B7049B6750FB584D5A9EA9076A6E84873E7FC892DC237470A57E429D8E522D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_MAK_AE-ul-oob.xrm-msMD5=CA0DBFCF02C439214B1C49243F38FBFE,SHA256=D1D353FD60021E35623457DCE138D213F842501097E8E1B5E476ACDDE15084CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_MAK_AE-ppd.xrm-msMD5=9E7AC00DA8E3A75BE4CF72010A34A859,SHA256=888832141C738D9CBC6844CD1B803927190FE4C78277ED339634DBC81860D3C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_MAK_AE-pl.xrm-msMD5=9EAC2B30934EF4E76240F30B959DF472,SHA256=C83FCC37DE81332959D4A075A6340B3997F625875C209FA49F4DADB90C2B4392,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_KMS_Client_AE-ul.xrm-msMD5=DC08E5808AE9FDFFC79DF9C5BFC9914C,SHA256=BFE08054697C3703E27B6AB8A78EC0E453228D2AEE3F551CAABFA2DDF497794A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=4E8FC98D44E3A29A4F491501F68F78D1,SHA256=CA0067C54C96FC4D50A535FB492D551507AF0515755D4486C8D3FDA4F170584C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021VL_KMS_Client_AE-ppd.xrm-msMD5=90CE5B578BC792F1AAF58425EA6092A1,SHA256=99C1E2D3E2BAE4A67A41760F6D76451DC7434BE27EC246028344F1B3872B960F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Trial-ul-oob.xrm-msMD5=7F97715019C65D57AA15CE46AF26D2B5,SHA256=0490E01AB4A409793B63EF27D99FA2E30D75B229B5A44A8B6E84DB04E2818AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Trial-ppd.xrm-msMD5=5DF98E15ECE9226253969C0F0100FA48,SHA256=91ABD3AC5776C3B34A73EF38D733F0B9DD128A2EC0A4E55D85131CDA0D5D29BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Trial-pl.xrm-msMD5=F85ECA4F46899939260E7F358DC4AB2D,SHA256=5DE3F0C4A864BFE261AFB4B6B2555A29AEF22C7E4DA45A032B2D3BD635CAF0E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Retail-ul-phn.xrm-msMD5=6CE16E371CF8978C8ACB6731EC4EB3BA,SHA256=37101DAE935B3E2AA4E2E358A9F428B4B873EFC6641C4286BCEF353906CBB61B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Retail-ul-oob.xrm-msMD5=827C5E2190FD13849C724E0C21EC6DF4,SHA256=D2B187D503127D0AC06226CDC9A3113F3A7F9191AA60AA176CB636878CAE8012,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Retail-ppd.xrm-msMD5=6A81BBD1FCBA7F4D718DB6B539D3996B,SHA256=AD3F4D29E157A93440BB1E60BCAD6903698BB4894119E94538B2ADDB325DAA14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Retail-pl.xrm-msMD5=9A54AED5AD0BCE6812AC4718846722D8,SHA256=51A8D5417EA999B264C0D497BDAAAC117B32BAFAB9B90C6C4E533D147D0A8F16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_OEM_Perp-ul-phn.xrm-msMD5=32C7FCA57246168798FC3F6123193B7D,SHA256=FAC3F23F0609C5319F26943041C0C256462164090324B848D10A07D0284181E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_OEM_Perp-ul-oob.xrm-msMD5=6B70EEE55134FA5008815A235B2D1782,SHA256=0ED13CE5D6EB4E65A204D6E684FA4947F9A2BBF1169916A32B0F37722E06117D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_OEM_Perp-ppd.xrm-msMD5=B9380F082EAD2BEDE8BD750406F66AD4,SHA256=C765DB724F1971FB4315703165CC2C43E8EF5EFC8751AA6B3A4207ED7D40A105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_OEM_Perp-pl.xrm-msMD5=35210A9157E53DB58BD27386AB9E429D,SHA256=C3B8C97634502C5E117C85E6E691C561AAA2F571F9B2F0B6AC35858DF85DCB04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Grace-ul-oob.xrm-msMD5=0376BBF7EB8F037985926F22FB034421,SHA256=FFB42E87AA8E0B1A5E1664A8F26395578062C5BF033CA767047CF0A2B2FD7922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2021R_Grace-ppd.xrm-msMD5=44CD18FC8C5085F12A0D47AAD3C45364,SHA256=25C4AB976C5F147030D684CE51DE74C9AA7D06B1C209E646B556707AB16FC6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-msMD5=305BBE8FFACC7CF7594EE18D1580B73C,SHA256=27B1998B9B70B57DC9AEF7AAF607C5E38F8F7C5D3794A9C3773E8E79EEA8DA08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-msMD5=6B3D4137A7C9568B1F7277307C174F04,SHA256=1AEAEDA84916086FD8DD81FAADAE1FCF06BFFE377190A290F90C40F82F6B272A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-msMD5=528FB51D1FD1E61E367B87AB168086E2,SHA256=60D8B24DD1452732864482D633816ED49FC55B8551D20C9F94C75FEB3E2B2698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-msMD5=E6AD1F20B5CCBB26DDA712C27FADC320,SHA256=089C15BAAF7FE17D8D25F63C5F93A0A529B5DD694E400C8F85C0E1EFC88A3987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-msMD5=0AA3E8D4461BFF6BD9C4A58C56C6710B,SHA256=DDDE6B5700FBFC6C0F6810A614A572E75D1F4B21823C40874708F9C35E10C603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=2F513F2A1287BE2713ED9E454A84DA81,SHA256=C7CDB5D53C090CC658428938D7AB488D24169E9899ECCAC0C8698969FD03291D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-msMD5=6256D4AA826FAA59E89EA93160FC82DA,SHA256=1BEA83F266637F8E61149F968007BE67A63FE72736EC1833ABD20D18A5639E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Trial-ul-oob.xrm-msMD5=459E56EACAF717A8B9F0F69AE1BE5FE3,SHA256=C71288136A629E8D7D55B1595CB388588D0ECF203F043C58013816D82243A821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Trial-ppd.xrm-msMD5=D32EA0E5A8C8468BB249ADE1AEC81B43,SHA256=55491B9256AAABC4777F01B3B1D8E7EB5C7C0F49536EB89F6CEDDAF42375AEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Trial-pl.xrm-msMD5=F933CF5A92352CB6B8D48CCBFAEAFE18,SHA256=4DF9C805728C6D89A86E2CC4A5EEBCC690D1284FF8EA45381721672E5C1DF106,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Retail-ul-phn.xrm-msMD5=E0FDABA70C777413C62C98D5FC8F31C2,SHA256=2F5092660B3041F9408D329CB69409D27F8CAF6165BB7895DB1489457D610877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Retail-ul-oob.xrm-msMD5=39AC1F7F9FB324E5EE1C69D9FDD70E22,SHA256=02FAD39C9B7C5D77C912B5EF7D5087C5BB1E365F060FCC9F5E7D33A367D08F19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Retail-ppd.xrm-msMD5=B5D7FFD733DB8B67457B8A1BFC87B0C6,SHA256=4E1A658BB71D38592972E5E9CCDBA2D4002CB12C117E375A560396B8ECC2A31A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Retail-pl.xrm-msMD5=34B737945A9BFABCD2BABBB387B42AD2,SHA256=73EB1C573CEAF602D7C3C4D57DA48062F72C30E5559DB554E3DB8D86A8B6CB84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-msMD5=5BA62C3E7B0C9536F1A758EC24DDE6C7,SHA256=4A7EF5473E884ADA763CD3E0B5D4D5F53D3A8DA36BA4F5789829E882D3B1847E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-msMD5=57EAF6C98B686EB9A3F78D1ACCECE60C,SHA256=871EFC7E47B7151A07FEB1E525473BFF74E7CC36F7F370C92A55A45115A7E52B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-msMD5=4D351C673088FC36A070FC65CA69AAE5,SHA256=3B024B84F38217FFCE9796D33E4297DBC548F672642D49EC795016435EB9303E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-msMD5=3F8E5B37BF762F06A3889CC695F75487,SHA256=93B814A0086F5D06A025C5414808038897EF4033812F49C2169302F086549D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Grace-ul-oob.xrm-msMD5=4F9400C1B01B9529D6485EEFC9850AE2,SHA256=9719F9A0A31C1FB3A864BD2245B98DDE409E19A1FE768AF7A276609BE304702C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Access2019R_Grace-ppd.xrm-msMD5=642F76AFF630B99B0B6140C4377E630F,SHA256=0B03AC1E02119F7E934386DFFB791B00FC73AECD50CFA9AC916A2782716C6F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses\c2rpridslicensefiles_auto.xmlMD5=D987A28F31634C83AB94189D105581F1,SHA256=D1891E0877F770FE63E6DF77698E79213F34CD9AF4D1F7A78A3DFA3B584FDE3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\SPPRedist.msiMD5=AE001F6BE0E419AED5A91E84F59079F0,SHA256=FD31699BABE638C34CB2FFE4F9F19EDD3998554DE784BC4956AA067A859EF84F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.137{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Integrator.exeMD5=78F0F289CA7062FAA81CD3D3B9954D01,SHA256=FD66EE29DBD90AEFA10252856AFFC01B5325D9F6FD574DFCDDD86C16DB5D1C0C,IMPHASH=DB5BA7C6A6C2797DBB974F4D4EF1EF0Btruefalse - insufficient disk space 23542300x8000000000000000325322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.wordmui.msi.16.en-us.xmlMD5=7859F961973A5D91889418DB8B22FFF7,SHA256=79FD32B9416196429F8239F5C3C3F2801B66B181B1B9B2464ACA9A31CE4F397F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xmlMD5=3594DB146CB079D7579F9DF20BAD0036,SHA256=D0514B618F5DA81F2401D1473B107EF1B3F9AFA152FB1F1ED8F5C72C5D6C3CB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xmlMD5=608FD06558C639BF0189EE7967E3FBA5,SHA256=A5540FFADA87DF827EE73762B0287706C60F9CB989DFD32F31E4CFDBF83038C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.publishermui.msi.16.en-us.xmlMD5=AF6DD305F8ED217B15F2F027173451FD,SHA256=8A2F375662E708FC13F0B32C202DD2BAC42C3B0CDFF87C2C141188860BD86F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xmlMD5=6BD5A42312F7F23DCA9AAABF3B37F538,SHA256=01A0FBE3413DDD10AFA39A99E8D8D0FD44326EFDA0191DA28DC7F4A6070070C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xmlMD5=7420BB96E707E79262D5499F0E44EC9B,SHA256=F3B062BA1832A48434A1FFC22E1191BA3C70020B7301195CF16C70EC5EEBD9B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xmlMD5=9739DA8DA82EFD615F4ADE4167A56B86,SHA256=B65152D05F594898B7D484FC82749A9F925AFDE93893F82F02B9C290803940AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xmlMD5=0A190A669B6412C6731B597262EB9ED8,SHA256=DD3D264BF8681BE80E6BE9E05E63406A3090551CC1FC74106E0CBA2FB72AC6B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.038{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0343B48CD16D51F05B33A6C42BA5109,SHA256=D4916F9A51B69F7C2CBE47DACDDB2F2E4253E0BE65D427F0E655FE35526E50C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xmlMD5=9B363682AE6BA7FF9C1EEDB0EAD451DE,SHA256=669FA60E962F922ADA0415367FABFEA276B47CB05FC6610DF9AD58B8817C16B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xmlMD5=C17A8988CDFA22B2C837AB90C2582FFC,SHA256=30C405F4D195519808ABA1546E7E26E4C91BD81C27C48C85DFD68C001473CC1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xmlMD5=D01A4CBF254AC7FF7E3C5E7BF71B01B1,SHA256=39A92465BECA47C58E7E3C822E12623F1188268EE8B2D4BD69751ABD1272D8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.023{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.outlookmui.msi.16.en-us.xmlMD5=021DF3CAEE63D669BCFFD285F23C1FE8,SHA256=1C635316125C432E2D2461528D8F93E20E25AF51198C48B9C111F519C2E141F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xmlMD5=B3A0C61AFC125B857F3CD56EEFEDB7AC,SHA256=FC427FFC5C8A1720F0D5CE2D067E90322367B85EA7331B10ED035D56FF52EA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xmlMD5=220AE72AA2505C9276DA2056B7E34936,SHA256=AFC37BA57FAC36BA151953B67619DBBB985F58122F4EBE07F15B312B5BDF004C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xmlMD5=0F90774603EF21D5A98CA6EB995F8524,SHA256=28B576ADBF2C4C04A558D05304A4C1A1B1C5AEE806E3FA6060DAF9E43001D07F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.osmmui.msi.16.en-us.xmlMD5=DACDAD27E288910104698887EA03B609,SHA256=81CF3F491759538B802DB51EFAC2E69CA1639F6B98C28F2441BBD77907A53C41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xmlMD5=77A45C25F42F7201DD7B70E8BB0C872C,SHA256=B62BC54629B644013843249FE49433D022034A93C9C69913BDB58C1FADE4A4C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xmlMD5=0F78D8114FC3075610AE68CEAB0027A2,SHA256=129BAF8BA6A8B8A21326BAAFB47396D88CF4A376B2E1A1E9FB0AC2F5D4836380,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xmlMD5=BAF4E872B6B0EE500825B85ECFA3178C,SHA256=16D2B4178F1523871E2E8234977BF477995C203A8DEBED22B9EFCCC056121AB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.officemui.msi.16.en-us.xmlMD5=0A65FFDA9106558E3DC7A30B5E8EC508,SHA256=7EA3224B675340890C12E1A0F2F441B7466053921EED48ED528148BB35AAD5B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\C2RManifest.office32ww.msi.16.x-none.xmlMD5=669F6E6F948415022559AB36BF0731E9,SHA256=DB67F5C4C071F36B6092A9CEDACB912C8452A7FD293847F030A30316E9BD1101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000447905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:24:14.907{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000447904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:24:14.907{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x8000000000000000447903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:24:14.907{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x8000000000000000447902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.891{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.891{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.563{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF76E65C0C814D6755BDEAD8EC2465C,SHA256=C8DEE917C8B8E3B11FA2EAA4231FBAFEF540C61ECACE1A46F442882338391B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000326576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-msMD5=AB3FDC61EC4293FF06F2065FFA8C7512,SHA256=4D33F48D031AF6E201B0ACB9D2DCFF5AC208E565616D91E633CB51166308C80A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.997{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-msMD5=786723B1152BF3E99A4137A3F4C888C2,SHA256=5BFDDF080D7746484103955CAA103F0FF5593595A214136F9AE7825F7A481277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-msMD5=2FF54302D1B930614C4A2A64965DC43F,SHA256=A61F7D97CC517E10058E4019DB41301DBA40382595BFE1E8E2A328A591AD10C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-msMD5=1EE2FEAC39B87869BD272A6B44FE1F88,SHA256=2A90073E8A3C50D8C4A73684634EFA35EB9B606404491936A536ED7BE4B909DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-msMD5=973FCC19A7C8DA1575EB59EA60953975,SHA256=21EFAF6DECB8FFD8228FCBCA37C5580223E28BAC1864D8927D1589BD699BD8CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-msMD5=0971C6926C527C26A5991EC5307DE1DE,SHA256=20298ED244BCF294BED3D1B34E033E9519BA8BC52F541D9702836BDC17470FD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-msMD5=832858F4A0990ECC7FB61DA9A6B26C27,SHA256=71A0151372FBDC11F7AB2FCCE770425D83D6D584C0E454A4D51FA22479E6606F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_MAK-ppd.xrm-msMD5=E69433D9AFE2ACD86B445C43FE7F1EAA,SHA256=07158EFDFE7073A57EF999F0CD79970C4B70E4C59BD8287D1F18139546A758BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_MAK-pl.xrm-msMD5=23AC50A000F1DFB82E06A7566613E476,SHA256=81D5DD09B8F5BFBAF4E56DD3AE2269108224D2E85F834BF832A8558913F34EAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-msMD5=9D6E2163C4B5086CB4888E4533C8CC03,SHA256=4E99A62ACA9B79633DD8E44686D2183007BD449CB1F2A5ED6090BF0FD4A993B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-msMD5=4DFB6F11BEA8CF36EE57EFB7FDD44EC3,SHA256=968B2918106AFB22467ADC197A303CAE9335140AF02F9102B6D6FAA831246669,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.981{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-msMD5=89EBAA528C98C9FB7CD660EB39472F93,SHA256=EADB5F50EB447203D778CDA6E2FA2DF46959B7A60A3810DCAA926C4F6EFA1237,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.979{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Trial-ul-oob.xrm-msMD5=4C1BA8D474A900A6413FB1477DD3CE65,SHA256=37006183CE2FAA792C89E00B133E143C663AB42EDC7369B26B5E0A5F6AC07067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Trial-ppd.xrm-msMD5=CF97D5AFC226F87D318F52AC377DA462,SHA256=DE2A36A2C92966EC765C536E7E4617026519F49FDD31BDA17525E9F4165924C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.976{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Trial-pl.xrm-msMD5=8EB768DDFCE6E142A52D9AA062F9F708,SHA256=D31F398C0AED9CBD186DD02481AE3AA0302C470DA9EC11469AFDFBD4480CD6F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.975{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Retail-ul-phn.xrm-msMD5=E9661BFBB80B683C32A2F48B6E913068,SHA256=4ADCF3A3BFF408642BCF22C38F0FFB2BCBEC53374409C23F42F52BF6BFEEDC28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.974{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Retail-ul-oob.xrm-msMD5=BAFA3B2380937B67BC9D10B443D4038D,SHA256=7DA62DF2C508BB26991385FC57E25828C1D981821F95C1B8A375DE3438BBE5BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Retail-ppd.xrm-msMD5=323B63EFF535E113E20DA100D47A6799,SHA256=7FB32DFD8BD1430213D3C150061829F0F9506A840C7CEF0F76416CD184365E73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Retail-pl.xrm-msMD5=09E9A8DE24FF3D0EDA98E46851022F9E,SHA256=97030CBE2AA74129DE5CAD4473B56487C355E15213286DFDC2AF086F3ACE1753,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-msMD5=9248848B27B29C431F6B75078C74580B,SHA256=76CC6CBF3955C88573B1ADFB3C7DA3899917CF11F2E531DA433C9C4C93ADC8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-msMD5=E3691E4029C488A5EE9C2AF6499ADB35,SHA256=A158BD0A2AC1A03999EE333C05F78DB361F81B82CE8B3E8AA2A6717611840CDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-msMD5=34E31AAE2115349FAABBBDFEC673D732,SHA256=82AE145622D8FD0B4DE3986DDF1FF3AA51AE988197CA717E05CAD7F7A209799E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-msMD5=604FDC248F89C6D83F9A4CD68A265693,SHA256=DDC89E779110B1576779E2C6517B37B8A5C4FDDCB92C831202BEF1EC38B239E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Grace-ul-oob.xrm-msMD5=8FDFDD65D5E4A17444403E92C343AA56,SHA256=A1D554D65194A7575F8F44770972A6DF5AB8DB2BB59142319101ED66B3699FAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PublisherR_Grace-ppd.xrm-msMD5=27869B47BDFA1FA1C8D7C5104FD011C4,SHA256=B209E0F4CD199ED56B238982710405C19A86408AE9E67268F61C3E0F7BD2E9F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_MAK_AE-ul-phn.xrm-msMD5=97BEA440B4FDF96FFA7BD00DC5EBED8A,SHA256=AF47A4AF2C20833D451293E502AF07AAD4A486B223C758F36A6CBFEC5BFFE0A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.958{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_MAK_AE-ul-oob.xrm-msMD5=84663144510D7A02BA7DDD20F7A930EB,SHA256=2FF590C1A9FC91A61E73F03D1B10DE138934DF79FD64F1481F410C1A48FA7A7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_MAK_AE-ppd.xrm-msMD5=245F3A2B2A00194F35B2DB3687949C36,SHA256=2FD071E1A3AB64A4136BC81FEBCCB605AF51603F1D3E173A794380001EF89CE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_MAK_AE-pl.xrm-msMD5=8CB2286D598C9D94E20224D3FA640CB4,SHA256=D576A6A2B2387E788CDFA3C25519E58ACC12D2579D43942B5C7C19A274B84061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_KMS_Client_AE-ul.xrm-msMD5=E0DDEABC1132291F70F91545F9A93163,SHA256=373798A071AEC273C845E788884FE71A86891EE54058AC530DBB02868EEE3F2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=F7D77E302455DC24A3F40719EDBBB786,SHA256=E44B3278612D7F4CC941B37422C67B364BD1BF42DA50B12EF649D28674EE2D5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021VL_KMS_Client_AE-ppd.xrm-msMD5=36D86B5FA78A528E7C53C7D731A8A8CF,SHA256=15CEF78D42A9EFAA8DEC5FDA51BC82706DCFFA4256135482F80E9FEAE8D74CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47A8406681B7E33BEB83EE0E65AA011,SHA256=9E037E018EDA54E6C5D811B56BD4D8DD07FCD62F95CA9903A1369B3FD2DAC054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.943{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Trial-ul-oob.xrm-msMD5=2500D34AF70C2AFF43D899B3BEC52C8D,SHA256=1323934C935700602A4B3D3DC144979A616E6D31DF65EE921CADF22868E796FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Trial-ppd.xrm-msMD5=1640F105F74E2CFAE6FE35ACBE4C9E60,SHA256=8B2CE7B7A5B09555A89250E53EA7190536B0D65713F611873D3D849540212ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Trial-pl.xrm-msMD5=13AE72A4269551AD109E505E4E6A2EE8,SHA256=A8D214BBE22EDF57E90F02F6E5F1878EC28500FFB1C64C3C3B4CAFAFA0E320D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail2-ul-phn.xrm-msMD5=151BFCA1F1AA90F78EAA4F1921AEC4E5,SHA256=BE9420EE41E0C0155E8BF716CD946C0BB8F55AE461330C955CEB30F79618A764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail2-ul-oob.xrm-msMD5=DDE1F25A39A94ACFCEB03C5265C84B5F,SHA256=D446DD889139F1BF840DEDC42DBE15DF39251AF1A43E2799B424A8652BCA2AFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail2-ppd.xrm-msMD5=A77770A5F42BE986149622F22FE731B6,SHA256=5228CA051291703C962DC57B8328CBECD609ABAFB5201437356EB49593F93B7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail2-pl.xrm-msMD5=209540BCDA28FC9A929E1EF5F8DEA286,SHA256=B79DAC720AD71092C20AB73D5FD7BEAD535B2FFA99EB58EFAF160046864FA7A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail1-ul-phn.xrm-msMD5=8EAD0B65DFC30FAE7D6D68DF1DAB7107,SHA256=F2552F6F29CADFA8F25E5A619CA2E7F2E020149F52B6D8295A6D7CDBF21F1742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail1-ul-oob.xrm-msMD5=4D31011BBEC6A833F167DE52A172B1B0,SHA256=F617D15616F601DE2F3D1CE4431C560653640CCBB0E3C8CD171A1F9A6E8B7CB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail1-ppd.xrm-msMD5=B7671F0B90E9CE7A136956320B9A8253,SHA256=3E95CD05A1F22243FAD0A786D1C1D5D8E6E41029438D4657B40547ACCA21B9E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Retail1-pl.xrm-msMD5=FD3DAAB21DFA56EBBF23BBE00C75E2EC,SHA256=2086DA93360334AA4BA2F9264508752D982C5D427D5098A057EEC63D8F721E5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_OEM_Perp-ul-phn.xrm-msMD5=FD3F2A0897E7834F4288B5098309FDA9,SHA256=C5A47D52833BC46639DDE414434E3F2D16409B82C1D8479D4B4FB07AAFA163EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_OEM_Perp-ul-oob.xrm-msMD5=D278D5996845CDAAE54D48ECE01EA78C,SHA256=B057F1044CA49A1651885767279ADD3C3D02E87F3FFE06238BDA40A0916E59C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_OEM_Perp-ppd.xrm-msMD5=AD46A70B9D0A2D877111995BEBFF2D60,SHA256=9C6F22E60D13F7082B455FED7FB2E4142A783C5DEC1E6F9FC5DFD42C62C206D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_OEM_Perp-pl.xrm-msMD5=E684EC4614AEAF830900CC376E950823,SHA256=C6F3E30D30010A56C551C0F4B3332F00B78850A4E02EB6D0850BC2BDE5D1200D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Grace-ul-oob.xrm-msMD5=BC0FC85DF6B1AFB52336514C95C5C0A7,SHA256=C4FA722960A31D04995D3E73661E2A8832BF8845D6C31E737AF4BE68DE0394FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2021R_Grace-ppd.xrm-msMD5=9CFA753EA3114BEED0A8A63E83F840F6,SHA256=0605F9C8798E9119BE35AB4C25261CF2BC1F50E3962AA0765BE28E063F4DC9D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-msMD5=8764626D8DDD98B6A4F0E7E88F780031,SHA256=DB2A7B3CACFF3609A594282B1D765B240B04C7EF8B875DF8069AB2F80D2E3AF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-msMD5=520AB5909D7290540A33E424EF8FB1C7,SHA256=6795ABF12A8EF0BA8CD7156A1A7D42F6ED1F0694E8EF1030F376E3664ED4D021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-msMD5=C4CB55302C4E59A5FD6C6614011F99CF,SHA256=7746BE7FAAA2B850F5E9370821D52E42CC09E61DB9B91BF83A18E4F459C15567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-msMD5=56551D0AB5BD8CBE2762F6AA1E85E0D3,SHA256=130FD364DC1C33783147E6DEFC0504D14E6E08A2D8B3AE646154A2E134C38394,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-msMD5=226EC958A0B65AA355A31D629761327D,SHA256=7968542BCD7403E49D558C95EFEEE0F574C7F8BEB97C21EF9985FC12C1903B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=426778F904542C3BED200FBB39B3378C,SHA256=2173754CD36F8424F17B5CC4718F96BF6D98600892DD9D5B6899435B67F71BAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-msMD5=0931657D814C9FF4D1E1F5F99D2E5198,SHA256=E902D2C52E6454E6E10880D8FDBAB8E8BE496B54F2854DAF0383355C4857FC5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-msMD5=F4B8B05BB8E1CD8A3CA4198D205BCD8E,SHA256=ACC5C03E48E63FA4D89516DAE0760677B56699657444EFB745E6D7575CC79DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Trial-ppd.xrm-msMD5=CD868CDF9248C38AF15542D7F4E57528,SHA256=33DDBFAAB9C9AB37A4174915970AEBC6CD63A66ADC2DE5E5D5EFF116BEBB30B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Trial-pl.xrm-msMD5=6EBDE7817C4C601DE0BE3CD53CFD3043,SHA256=03E173D0ADD06850A4B8F639B1F0A669B316FA69B9A3D8BC7AF9E4AFBD5C9B3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-msMD5=35B552495A9C82F60560A8D9DA7C252C,SHA256=18029873DA653170B799706DA4E26FC2493F1E545AF9EC81C2BB0766A825E84F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-msMD5=08828E6914FF2BDEE910D6F01451E6D5,SHA256=568A71CB237DABDC196EB28355B6579EC28270141721ADBBFB3D472E2D06BBB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Retail-ppd.xrm-msMD5=410EDEB145BAC2C569EA334F24030F3D,SHA256=56F747CE596137FC07E0B514F5FAB9CE4A7C40C181034C11CECEDD36EE37E402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Retail-pl.xrm-msMD5=4B420892D63301858E9ABF2BBD29380D,SHA256=5272AF5412B3B9CE5069027EA4AE1A363DA1CD7F0D767D7E97CBDF60D80013B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-msMD5=279881C3CA06503673E25CEBEEBADC43,SHA256=8D534FCAB3448F2C94BBDCDA719B84C7B645DEE58AE4A2C8AC0E45C4E779B545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-msMD5=739D871B1BAC0474298996BF53999B7C,SHA256=9BAB1C298A73673AA404F7917796F3434CF264C5EA461F2035607E2C37A186BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-msMD5=84C3475E084AD6C210C09470589B1539,SHA256=7C412442E181EDF21E1E10BDA50F8690700BF92E27E23B2753DAD30AA92EAB7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-msMD5=5D005B22324C6A772E76A4AAEEB3DDEA,SHA256=87F57DD337E92B807A2E6A0D9499FA410D70DFFDB90C874E010933D2A49AFF28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-msMD5=62F2EBC63CBC8671D75EFB31C2B0B083,SHA256=25A880CDF7BA17E006837FA156E9513AF5F717DDE852395DAC63F37B4D6722EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Publisher2019R_Grace-ppd.xrm-msMD5=A5DFC2999609E310CAD2E5CEA452DA78,SHA256=3E2C8E33E2BC0AB029C64794104531411B6E453AF01EF32AA501E138C12D7D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-msMD5=9C89DCDA14F7244FF8DC9FD2D6509041,SHA256=92212A5796CE2DE34D49350719BB72596EC8BCE5F3508D9B35227794F1209D1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-msMD5=F0348E7BE6C1FA26F248EEF2593E69C8,SHA256=024AB58520DE13782B3DA482247FD8F851F91F67F4FDA6CC09BBBC075ADF5B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_MAK-ppd.xrm-msMD5=E1BA5F60D82AF2D090310A3F6AC7B0B0,SHA256=5743E5F314BA2A212A11C6C84C629E6D47636D2180CCECFA2960A298499410C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_MAK-pl.xrm-msMD5=58AF770293A4C25D833C971766533775,SHA256=940BD40B30B1D6FA14EE9377322515EF2D5EFC26ED144D533A6489C92C0022F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-msMD5=E41AA32E0CA479FB5CF923DDD540E2D2,SHA256=EB29A811E7379F10BD20384F1E47354DE569E664594E45132F4A116FB4E93A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-msMD5=1C47D950435A91E3ED75DC5BEB0140FA,SHA256=D2D53E957DA72C70320503A1BEA644DDC852E0121F07C6925151E1FD9FC870B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-msMD5=88A8ECE68209AB32FC606FCBD81E824C,SHA256=8F303351A27460CDE6FF78B57B1F86E592C28F4E77B886F0F74FD63DA75A3C7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusSPLA2021VL_MAK_AE-ul-phn.xrm-msMD5=BF16C2B6A6839837503B3F5A0DEE2BAB,SHA256=43D377C14A8246DCCB14D21E96637A4B75B674964C3F12828A5F571849219424,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusSPLA2021VL_MAK_AE-ul-oob.xrm-msMD5=6D5696D4DDCFEA29C0A8B9608282D384,SHA256=D4DFEC841F7BFD7483846247A88CDAD3FBDBC3513E9F102CFF6205B69EC33B7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusSPLA2021VL_MAK_AE-ppd.xrm-msMD5=723EF5A9003453F54D6D2D8818E7F7AC,SHA256=41A60B68D1F20D5DC39A83CB22ED1BBA2BEEE404696BBE0D5F0FCE1DADF43D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusSPLA2021VL_MAK_AE-pl.xrm-msMD5=A38241B57C3AFFD7D64BABEE5F0AC917,SHA256=E8B796FB96E3D82DA7D95F700D53E376C1B7E05F57D956D544192DD4FAE48C71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-msMD5=8F156844BC9390214E6C4186B3ADF44C,SHA256=AB00336DAEA1E15B08100EAB0F17D7700D637E09E3B04730AB6E053252C114E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial2-ppd.xrm-msMD5=5CDCF78A6C6C15119EA1277813E3A516,SHA256=43D3C159684A269ECBE460D1A3E9F85A960B42D717ED630418F8CA4AD7E9A7FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial2-pl.xrm-msMD5=DF87FF22DD79C1914B51B011016D2EAF,SHA256=5BA916D1160F61303854BFB856453DAF00A7E46DDD73DA1556490A90A7A3C9ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-msMD5=21EB2100026F5463C47E48BFBFB72CAC,SHA256=AA76E62FC1969E2A1F8A4B395BF0C06DF9BF60DCFFBF254877BE520E9373003D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial-ppd.xrm-msMD5=64B3894E1D45363AF730FEA3955C799A,SHA256=EA64AD1862BFB95919FB5220E5C8A255FD70C5020FBACE6C3B61F89F133AD303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Trial-pl.xrm-msMD5=10FA9BC8ABB4940DB3A191AB695EF36E,SHA256=BC3A8696716E80FCA1B076D17D1CEF58F77B04DC6AC3F070E617338C89AA021C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-msMD5=BFF72C45A1D9C13D0D23E0E4A8F9DE4C,SHA256=3EAD16F650E18F069007593A09B080B1AF0B2AED45F5F42D3060058E43E97D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-msMD5=AEF3963BF11EDB6A75D1895E7EAE86A6,SHA256=DF4517F7C61B3D1CF00E1B47015995FEF331B858123939B3C1E3C845B335F879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Retail-ppd.xrm-msMD5=8FDF9C3BD651B3EAFCB2DF830A9C5891,SHA256=5986E1DF51BA70C2451D7EB55F05D5186FF22B557F37914FEFAC63E29A5CB92C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Retail-pl.xrm-msMD5=5A8848F9AF42F2BDE4E349567ECC7776,SHA256=09B3B687C6A391BF1472702E3ED7F77ED258CE2D7794CBAA9EA28F899B749675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-msMD5=6029B89332152E5229B078FD4DAEE1ED,SHA256=945A600A428759F4AB7444B694BC89BD81F6FEC50A684576524D650A11FA460D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-msMD5=12BD168E92DAED158BC70D284B40BEB1,SHA256=9B5BB09021A6C746F633756A482510C6E7E09979D30D7CC2D2A5AC5DFA8596A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-msMD5=DA3BD398EF6B5F441E5DA2738388BF56,SHA256=2DAB5A152500DC2C2968EBE0D555FC4A8E9A8B3811E74A1C7049E44DEC1B8641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-msMD5=35E79FC23A0E05A2095F0B5FE2CEC1AC,SHA256=B42C95DCFC2F4DDE6FD454E6DE7FFDFBF8C331EB4FA4DD7CF5A159C2B486E516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-msMD5=69F9CBB18A1578F0699B935CD1E1278B,SHA256=81CE9949EBAFDD7A807FA6CADC43252B06A53FB24ADC5671433FB864CDD072FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-msMD5=05844375019978B183F4314E06A9B6D4,SHA256=498775A189B6725C895D3FF27AC23D66DA35A9B7C9C9C8344779FDD16A54F415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-msMD5=5D5CD3BB150D0F52227BA744240070C0,SHA256=663B82804EFEF377BCD528D626460AB611B6C8B2A091BA4B55A3E9D334E3424A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-msMD5=98A5D423E5046FB44B903FA877C92FBA,SHA256=4470806E4A361C2AB970C817FF07F1F0AA62AD02CE2B949EEAF7A11FC6BB34D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-msMD5=A1CBAF72F0D86433C7BECDBF22EDEF52,SHA256=E733E2946F5A1342DB8D09FF6177365D63904D672596C22FE23E8A12E792CB4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-msMD5=2F7EC3D593F6C4EDD74E367A545B9624,SHA256=78A732260F7949F42D13ABF450806AAD244E9884EA277748BDA5E577B494ED54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-msMD5=0AE187B02AC7CF19CE5657843915F5E9,SHA256=5FB5F4BF4FAFFE62A2E661F55EF3D2EC361E5469A245A88DA536E2CC228CC030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-msMD5=02E1F5CDC46C94AC0263177ED159110F,SHA256=EBC5B387B0C0DCD58C80E766572A975C6E30843F81BF44A269BDD8F692E80CA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-msMD5=F7403332661A673B4E6474DF43DCDAF9,SHA256=36D62727B272106080B79727460D3ADE7C91AAFB5DB83FBB72A2C635FAE771CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-msMD5=78B60A0EC618829873C0741AE692BEA6,SHA256=F5DC8AAD1F830E16E1C15AB46E25EB079A9A4EAB68DD51F4D564E0433C983FF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-msMD5=48279B97967E4B353BF467833B4BA198,SHA256=A208D3A1723AF269719C897394AC989C817F950109F497AFD74F498BA2574249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-msMD5=073BFF631CD5DFCE0E4F59E6DB62CC65,SHA256=F5B4CF71A3457B9BDD97828176F4C0391481C33E7DFD1F2C635DEE1E55DEDA48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-msMD5=9A028D96F89B3C54247E3E8A6FAF64DC,SHA256=E16A4A0B5F6521AB9D65B6D84E8D410193663092AFE4E689A1A6A243B63CB1C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-msMD5=B47A6DB90281F53CA342E71990333075,SHA256=946E383DBF9DC1BF320F407E8C4F66CC90E527994943F9044B4895E61F8CE4C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-msMD5=F214F1ED51B29B5AAA9639308129528A,SHA256=AB2C985A7BD6E6054FC14264CBD2BE65DE8579B1E3D4FE9D9A54483750E10EBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-msMD5=DC2C1D96BDDA342A5AC38F50BEA1F2D1,SHA256=ACF460EC840D9B3CD549240D7C8F40C9D5D95FCB5DB40B463D5D3AA5CF99A097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-msMD5=F0754C70B10901994D831C106127DCDB,SHA256=A43A5CFA63DA34F89446947B5B5B77EA2CFE112928CBBD8025900260CE808E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-msMD5=5C655BB5C282A400811F664DF1D433FB,SHA256=0925E3D989DAB95013DDFF8147803465A7E600D2F32E3E6D4DAA1E7581E0001A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-msMD5=50ED9AF4456950BAF6C5E2B7CD0A3D4B,SHA256=46AC2CA5773AA6827760BB18ED33BBAFE3BA6A3E9D7DFB225977444F42301FB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-msMD5=C8FA051EB2DAFEBE7F3F4D9F49DEFDF5,SHA256=F157F5D6BB9543333C91B460982A36B8D8511B954DDD6715CB069923CCB4627A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-msMD5=16495C98E24A647701211E02D9214034,SHA256=B4ACA7065372AEF7561C92CDC34F5B2C32B515FD53378322715D010051F86093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusR_Grace-ppd.xrm-msMD5=A68E30B381C733D219EA0BE3F30C3011,SHA256=B0282EDA9DF2B40564DB009393B656FB141E225E3601C198F8CB361BE4709077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-msMD5=414BBC28C5052AD9408A779CCFD8A2CB,SHA256=0D409FE8F8DE38528DA697AD5024A28629093D3D117BF968AEC3E9D9A17966A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-msMD5=138B6F741263D6BC1E03C7D2C3437728,SHA256=259E8F6A15475A0831DEA8025A1424598703230CC04641228BB0F91458461960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-msMD5=A0B74301BECCC74A595C81935ABC5A18,SHA256=531BDE009147D2C8FD6DAF3D4AA592C126E06B8CFE2337656D0E8A99D8272F16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-msMD5=3807CC204ADD492E96FE71E06E8DA1C4,SHA256=B2D7151FCB1F5EF5BCA481648CEFCE91CD92E9FD387EFAD820A5769A72F9A79D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-msMD5=5510A224ECFEA71BDBA9E9C59CEB4BF8,SHA256=949EE92F3C670AB9F4111FE90CECD717E3901E67690AF7E959BCB12C6A7457E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-msMD5=597CA898D7CFF28294654A1E82CAE162,SHA256=6C7BACFF0C92D0AD9CD732A5354C240FC8CDA02F573512DD1F3A1FE3CEF13DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE2-ul-phn.xrm-msMD5=7178EEC4AB7FE09620536E6D083CAC70,SHA256=7C348779FDE15CC57FFEB0FD6E12972AB8C5057F32F705A792D29D64F71172A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE2-ul-oob.xrm-msMD5=C0B22D38ED180C0AC1E6733254DE00C8,SHA256=34D7A140BC38E6FD574CFDD498C1C069AFF9AD7867D1F7D044C40BF5F5F5F818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE2-ppd.xrm-msMD5=E73645EFF6F2104BF3E4F9C02DCFA512,SHA256=ABF0372EC38DF4B998C68BFE763F9B0E91699A21CFD580B5E03C30F761A88594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE2-pl.xrm-msMD5=7CBB87AA1EC11F81DE3B8B8C60289147,SHA256=703177851274537797AF157A2F9AB3AA92127FE464F9C4C8C55E350A178629E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE1-ul-phn.xrm-msMD5=F6DDC7EB84E52A55BF719BC4960499EF,SHA256=A6ABCDA77E781153FE417A2B042ADD76EAE3D32511DC090A5CAD33AE537966D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE1-ul-oob.xrm-msMD5=F42E9A76E16DBBD8E2FC2683D7DA33D8,SHA256=50826D73906ED687C24B629177E3E6D380F75F8E29AF7C82032B98E83FBA03DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE1-ppd.xrm-msMD5=5DDF75164EDAAA9D5C917CAEDF255ED4,SHA256=2EAA92EEF3960B3EAC8ABA19558D72DD892F20F23D2CCA17D30DAE71C69D8A62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_MAK_AE1-pl.xrm-msMD5=07D8D7C4FB490EEAD0C88698CE3277F8,SHA256=63776E6D8FC046944D564017173271A08C252CF28C73661C842B7173B1059327,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_KMS_Client_AE-ul.xrm-msMD5=C5CBCD0261322D83AD7284D9C5F6878C,SHA256=E468689573FBBD5E3BA74C78066DF26377F58FF0B37F54DD6D7D01DAA75409C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=9B91E43EA89E86EAF792537A8B0D8BBC,SHA256=277A3B65662D3AA8F9CB88F3C296462F62D57C476C3AAD11380FFB295B7DD240,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021VL_KMS_Client_AE-ppd.xrm-msMD5=9D73772A11076FA65490BCE7C78C9355,SHA256=4B2047B3008810CD92B748AABB98F395F5AEBD56E184F9393A828E04EC0FB401,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial2-ul-oob.xrm-msMD5=AEDE1715947BAC5FF5FC7B20C273AC47,SHA256=E7E4D58EC226A0958C9BDD9BEF86BC56FA1AC1AF6D4C3ED19FF8BA6BADB00B53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial2-ppd.xrm-msMD5=10CD991DF90920303928CE8A7DF8F80F,SHA256=63BC281044724FF6E5EB2B697449D4DCDC37712D46C5B71CF836F98286879F57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial2-pl.xrm-msMD5=01B57BA3F2E46C86196319833C9A1312,SHA256=CFC87A70C563B62C019A3D7CE877D8C811C8D34B32D9A740E6927D0EAA5101E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial1-ul-oob.xrm-msMD5=65415AB238269D8AEA860F112FB67650,SHA256=06D919710A2E1E204805C26C298F40F4B3F2149D88300385DAD5B4064A67329E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial1-ppd.xrm-msMD5=1D59AD36123BC84F03681269204DC5C8,SHA256=EDA22F74B2E3DDE58EC5BB4475C30470B323C511171547FE7F832B9709E8717A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Trial1-pl.xrm-msMD5=30A823F3329E7F46BCA41E897C683F0F,SHA256=1F903FCD38F53232BDE9E9CDCCA69707DBC758D9D9F88C29C2654F16CDB67F31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Retail-ul-phn.xrm-msMD5=B4BD5688AA985B62A287274857137540,SHA256=C31CB835AC0F88291831FDE3D0CC4BB2EAD38FA0070C57156D8DA94D4FDA4527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Retail-ul-oob.xrm-msMD5=0FAB32D8FEF987D097CA8282B13EB868,SHA256=99CB46C189CA4D4398AFDA11A7EE16A44DA5CA1FF61E6A08B883C24DA7703F34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Retail-ppd.xrm-msMD5=9B3FCAC58CCA1E5B87FE8E5C5601304B,SHA256=3665D94C425C0554AA119EC7F97474E820891C260F2DF0DC77533EA3676E77C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Retail-pl.xrm-msMD5=1B0FFC153C106BFF6564835CFFC934FC,SHA256=4957887DC1D91711D5F4D3B0DF9911F6015676054E6EED6118A9A207B29AA28B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA62F334DF2390413BBEB37EC862D0B,SHA256=AF50A3BE34FDF8D8DA356540C4B779317DB64A8F1F5F20B11A7ED025F74BFFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp6-ul-phn.xrm-msMD5=8A267AFEAAC924819FDCF330F007E1AB,SHA256=CAAA4AD796A2EE4C755B87CB5DEFAD83499106330882A5000BA74BFE7BC02189,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp6-ul-oob.xrm-msMD5=319C50F8DA2A323DF655B3C8CA4CE9ED,SHA256=CF8E3FDD410CAA882DFB7AE1047AAEE1E51A20FA60961F30D0071CA466EA2347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp6-ppd.xrm-msMD5=DF9C0F3C3D52FE85FA681E9701E1A2D8,SHA256=13DB30C5C75EB078CF1BD0CC9D4246C7ABF7408023FEE1679673D7CECCDDDB23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.802{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp6-pl.xrm-msMD5=93A612673BCD38BABD03D7EF45C49BFE,SHA256=A77E786E912DEA66AA6A4D65554F159D194178643CEF26758832A7BFA9924978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp5-ul-phn.xrm-msMD5=8A135124A4F2109884BD7A693F09E6DD,SHA256=8D83A986AC06C96E29090F7D9A997787208424E0CDDE6819E8ACBB0EFC5EC039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp5-ul-oob.xrm-msMD5=5AC5018265AD7C59B5614FA608C3A50F,SHA256=3735F9D8C8FF97CE7F7524D2B1351B152A19E91707BE5AC2B6E4AE64E32E6E9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp5-ppd.xrm-msMD5=44651153E61FDD609BD53AD80BA0908A,SHA256=3EDED745593BA2C1160C7FF8D4334091A1892AD7B4AB96A58AA5F2198EBB2E63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp5-pl.xrm-msMD5=A4162B1F6485D68BAF47BED8A5540058,SHA256=141720EDEA34F712CF450669E075744E347B80057E0F7527E652691FE8AA8F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp4-ul-phn.xrm-msMD5=A42D8323C95D0935A7A7032F3B152400,SHA256=A75B273AFA9B145B896F20AD02C3621BEE7FF48D859D6BE3AACFDF61F82AC7F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp4-ul-oob.xrm-msMD5=0BC972F1E83EC3EE8FCDA2B1072373AC,SHA256=539FAC493467A1380B98A716AB7CFD6AFD2FB7E2F2C99B24BEAB8F9BA5E43885,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp4-ppd.xrm-msMD5=5DC8991E33355A4F2FBD3272B1744D88,SHA256=F970AE0673925E6F974A976541672ABDA3234C4BE5DB20384EDE2B8326EC509E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp4-pl.xrm-msMD5=3C4C53EA230F5DA63F059C8863D9D34F,SHA256=DBAB12766887C52F0191E747927EA695E03DA7CD3B70C03DB67B40048ACE7F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp3-ul-phn.xrm-msMD5=528249A1AEA048AD161115D2D4BB7E94,SHA256=658C0A8376A4DCAED059AB2C62B95E908FE531CF313DD3B10923F16ACFF86F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp3-ul-oob.xrm-msMD5=0FBF82FA3D760F14B62CD9A3E8AF0AD8,SHA256=58CA713EA995937D5D036A77EC69FD65EBB0E2DF1EF9922F63A47855436E396E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp3-ppd.xrm-msMD5=877420F663FA57EAD10272AD6E0321F6,SHA256=990F0ED0E318D5E0028AF04F55A64972BC2BA71ABE77B2AEB18E561D895493B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp3-pl.xrm-msMD5=18029CF26691594C7B53C80AF61F6FCB,SHA256=2FFD4C910A26D1C192E9E1DFC6011E5FDA9E88010488314F96D3DD748D2EED02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.787{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp2-ul-phn.xrm-msMD5=2E89C7D4A93152C46D86CFF59E23A436,SHA256=DDE6B51A8FDE7CE24435A9C20ECBE361E3A0D3C4025E82570853C24B6FFBCD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp2-ul-oob.xrm-msMD5=7FDC5E7BC0F43902E451156EBEDBA4B8,SHA256=CC617C582F69ED979D58A2F34E780A2616BF351EC7F4965399930AC3AF99AB47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp2-ppd.xrm-msMD5=1B3E4DE6B4F0F5403BF2741E07AFD0CE,SHA256=C3AE7320F6549F5DD51C8EF2B96DC8E66D5C2CF0B50655ED9CB0EA38F6623B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp2-pl.xrm-msMD5=6A7D9AEA0B9515AB8B936ED449484AEF,SHA256=871876AA575B7305EB58B25EDC90868BE2B8FBC6113A43AB276AE82CF1AA1BF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp1-ul-phn.xrm-msMD5=14B9F53BE518FA63264E4CC72407A9B8,SHA256=9903E62DC22C5B1F517D0F5E6D360B0816051DEF06F3892B4034FD5916FC0E97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp1-ul-oob.xrm-msMD5=F59BB7BB9C754B5AAF452B35509FC843,SHA256=0FE84B70578AD1948C179553BDC106D09B627B19BAEFB95798526B34E8E69D09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp1-ppd.xrm-msMD5=C228ECBAC19E40C0CDB97EF250A5E628,SHA256=CF914DCF6620E78244ECB20804807268258B0C9ACDC21E5375AF9756E06F030D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_OEM_Perp1-pl.xrm-msMD5=91A80D0446D154AFADDD9D64371C1808,SHA256=1869D5B0750AEA3DA809A56E526D44AF0292F0732F82162859485FBF2773163C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Grace-ul-oob.xrm-msMD5=2D683D0482E4F56AD1CD3D8E11DED068,SHA256=C5F1AE2C37F333CBD604F5D7D672DBEEFB9BD3512E0BBE1FE5566C8760E06DFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021R_Grace-ppd.xrm-msMD5=3ABE8DDF91A7E61039E21E32B1EF5624,SHA256=10B8E8E99F746D4D9B5F3A774333F84FD056893C8CE5D59E8CBAE69286C21A8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_MAK_AE-ul-phn.xrm-msMD5=A146379FE552CFBF1144BAC123067270,SHA256=98A97383E00EDC5FB49BFB2D143B46799C40C2FC2E84773212CA0FEA534C502C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_MAK_AE-ul-oob.xrm-msMD5=E798FE834504C7326A43AEBC05E40141,SHA256=8DA8678692967AF18896E05E2E929797E8080235B234B6BF53B822A5C2BB6E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.771{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_MAK_AE-ppd.xrm-msMD5=4AC338CB493123F15CD43083D47CD080,SHA256=5C762A5A7AFFA243575D069263DFE2CDD33FA426E2584E2EFDCAD03668FBDD35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_MAK_AE-pl.xrm-msMD5=17D2B52D19AFF756FEE4E5155403FD89,SHA256=1DC43FFE9B07C92895974C452E0DCB01199D0EC2E3D68CAF3BC5662772DE59CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_KMS_Client_AE-ul.xrm-msMD5=F9D44C799A6BA330B2C35AD0194B4488,SHA256=92093373C8DFE29EF2EDD5660733B74AC0CDDEB557EF7D9EDEA722E09407ADDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_KMS_Client_AE-ul-oob.xrm-msMD5=80D0AAA4BC6460227931D0E561F7B918,SHA256=46019AE7EE310C9D97E48FD9F7B8045EF2898699BE1627E69C57306C34324E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021PreviewVL_KMS_Client_AE-ppd.xrm-msMD5=5C4C9C70C83343C105F21C928A1C5C1E,SHA256=91243C624F6D4FF7FDA57A5C407B623A8CAB4644B11BD7FB9A285BD290E74E3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021MSDNR_Retail-ul-phn.xrm-msMD5=B2C0A028F72D389754F6007BC5718EDD,SHA256=6387B396304E3D906412C1672D925314CC1631A90FAEFDB776B55B8CA4E4E563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021MSDNR_Retail-ul-oob.xrm-msMD5=4721F23C41860ACC01DD7E0ED79E14E7,SHA256=0BD89B99D61F2BE7D9E52A4335D16F7ADC44FC21FB7E661D75A59EB95D1EC7BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021MSDNR_Retail-ppd.xrm-msMD5=9AB48729DC42A203453DCE618BD75481,SHA256=B95E875DBC863D87637017AE4816FC00874B12D08E817DCD90F7F2D950239E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021MSDNR_Retail-pl.xrm-msMD5=E0341DD6208026E49CB30709F458E77E,SHA256=2CD9D0734168B04E6017565EF6C4031745FEE9C1CA1D7AF270F731CD6D5723A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=8A5552BAC6E5CA53D01CCCCCED3AB31A,SHA256=A264025C2DFC971AEA29DF841680E87DA95FA2A40CFC8CD565E208A22542EFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.755{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2021DemoR_BypassTrial180-ppd.xrm-msMD5=7039D113A5CCDA06FD32C545B571BBBF,SHA256=E88019A4D2464D8AEC48085BF06A22FDC0CDBF331B22D210AC4AD1A1DB18AB43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-msMD5=03CBF562E2D0C3C3C78981A3D3AF52FB,SHA256=ED500371D498A941EBA967BBEA273BB2157D7C14D46627101A97B76E8A5AED03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-msMD5=C9507D9B91774143B0CC6D452902CCFC,SHA256=4C5A67C574346FF9BE74DE4571D61047A67576C161308E15F99C1738117E1374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-msMD5=684AFCC682B4EFDBC2BE118F09173892,SHA256=65D3CF9E2B7125459E186DD6409E7DA4F22D2ADF56CCFEAB6F7AB7FEE0A30983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-msMD5=956A405B22FB0A4206797DBC923EA5B1,SHA256=AC17D013E49C2C811617DA6D04599E44BDDFA92ECDCCBEBC959DE3989482DAC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-msMD5=B3329ABC0509283E45102A7026058F62,SHA256=8FBF1A9F58F50092188A0255A65164B35BF1280BFE9D362BF05E9A308143FAE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=F9FA94009A680E0E636E77F2CF2ECEAE,SHA256=95CFC9C519D655FF44CB364C4466FAE5200D954694BDF4CAF24E5FF20F1D36F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=C2D0F18F4871319C30AFAAC8477D988A,SHA256=313F736928D61D93B4CB8164EC3543D66EA2AD40A347FAC55C77E71E6F189958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-msMD5=6AB240ACEA0FDBEE49C32BFC0A9CE039,SHA256=7771EAEA4F1815BBF340B4B2A64CAACDFF402C380FA6EFF11C618EC7777908EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-msMD5=278A173AED7229B6636EF97231FBD2BD,SHA256=063F1A2704A054416F55F75AD5B54CBAF66C39D3FB9EF67F9FDE5B59241DC1D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-msMD5=196CBE59D23934336C65B3F8898D4F46,SHA256=B6EFA6BB0CBE367116E8C09B24C7D11726ACB24B211AF765684B65D9C81C1E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-msMD5=4730AE9AE30CD6EF8AA65F7D08B25BAE,SHA256=FCFD47CD657AB08EF4F2F77CB639ACA9E3CBA772B44A00FED76E942F07BF3AF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-msMD5=5B33BE9191B4085E26990CA1457C0FC1,SHA256=0A9DBDA0749CD846C5C4E5DCFC0AA1CB553FEA7790BDAF37DC1856B2120FAFF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=A92A17148D66926BA5599ADB4AF82CD7,SHA256=C5ECF7648B1660D4DA27319588311D7E930BAA1ABC6E5522C2C0BAAD56B55B30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-msMD5=4101AADC953EC1F9FD12E7B7E2DD9A21,SHA256=0BD999756D1E1480834979790C8E176BA17D67CE654209825898E7AA0FC56470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-msMD5=FB5FB114600983D002AA70CC5628B491,SHA256=67E83098C9B14DD4594FED40EB6A7DDA2FAD21FC4AF6804F76A1950C83C699CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-msMD5=4866D89C7668876B69AC48FE2B5E26F9,SHA256=6A29C6DDC85B0E172F6F991D0E0B3F66DCCCFE6B9C0CE3BAA6D17928D041D316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-msMD5=260ABAB27A1FE7677E40DE10E0A87C9C,SHA256=C1D3131C30CACAD4F0267797AC155520AAD500690228197E8F14061E80479414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-msMD5=1730EAC4FAAC44389D538BA8F97764A9,SHA256=DEB238AB4105C009E350208C59BF12301BD5465A12CC3E6B6BB32F4194EC5631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-msMD5=45F7CAEBCA4FDE178944C30EBB0D2A43,SHA256=43DE48BE56F89B0591FED719EE8EDD8B26CBFE323A148BCF9A129A62A54B3E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Trial-pl.xrm-msMD5=6E8B4B56B875FFABF71323C643F9C446,SHA256=61E89D7309B9ABB522CF78EF7127DC53D6C54DC929E85B883AD887EB4D1D9A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-msMD5=DBD6FD6890EB74A8F6899EE662D12CA9,SHA256=ED577958C6993AE5CEA9364CA94BD5D5D09497FE9E0E2254CBCD1B23CBBFAD52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-msMD5=E73219B337E99B2F392A4046E41A824F,SHA256=DB4AD8AE03E5947EB396C2EA3F38FDA93E29990277380F24E98C28157CF69316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-msMD5=69822E096BAA4AC31B9A29B5D8A5876B,SHA256=8B28AF15A151BEDBA478432965963567E62CEDC3F81B0A8B782617D9199E03E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Retail-pl.xrm-msMD5=F7F5D7C062BAD14ADEC16209D6B6B078,SHA256=D586DCAEC3F9EB1C3A7AEA2A85A6911DE1A9C3531EDDCA118B22AC9C7AFAD039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-msMD5=50ED21E1ECCDD901395FFCBDEBFA535D,SHA256=30D458F35D3A257961E641732974E6919453C41937772A95E099470F0F8E7EB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-msMD5=54A7511C34FED2C6287BC69ACFA70DC9,SHA256=502AFA30E6F6DE3FEB1729A864AD9A0CFA861DA0D09B00C3C434610E24887AD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-msMD5=EB8BF70521B65837C831C2AC36E71CF8,SHA256=BA4A8715ADFE9969B32BC7A0B21248811EEDECC5760CD1F23793B78D2BA4ED6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-msMD5=0FEDA0F68D8381BCB4F0122663B2C1CB,SHA256=78C2BE35D38AEE64D66804DB555306F6BA33D4DE594166834D82F49841833260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-msMD5=6044380A3B6D5E29DB60B395A1B03439,SHA256=3C6A6083182CA88BC3A7707EDA739284D30858D3B46B7463C91657FC17FD6415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-msMD5=34B4CFA93C0E6149109FBDEE831AB75A,SHA256=ECE440D3DF362AD1F4B4A33F996EE9FD1C77BA22A0E81234B25FA0C9612C6163,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-msMD5=4497FDED099DD75FA764D3CC4BA5E8FC,SHA256=3BEC797168AFF7B41E26C66EE500BCF1B5F060CBED3E29BE13FFDA408CC79EC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-msMD5=2345AF6FD05D596B418DE69CA3626EF2,SHA256=816FCF74BF0EA8BEA3D26E2DB9897B5D5BA1A9E825D0A8B6C99DA77C1FDFCD81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-msMD5=0BE959A69D0A106FDD6C4BF2FF7A55E5,SHA256=4F42864C6A5D74E20C9A3FD640585AE440B7BF92727C2CB94027B602BBEB8156,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-msMD5=75D6476C74508378D686BD770B57691E,SHA256=6DCCAC3F0E7F1F3FBF234C587EBFF576CC91F27300904CD26DA6D697BB839900,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-msMD5=CC83FF696044C8EDA34956E6E9D33627,SHA256=AA1AABF86EBBD777C82E5A9983785A51FDAFCA35CF09066E41BFB458CF7536A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-msMD5=194CCD2C2DF6445F2B8E732C6E2A5E12,SHA256=E41B681E86E75AF3D4806C29EF429CFC82D73F84E3FCFEAE5354FC11FE3060FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-msMD5=391AFA801AFD1810F7ED2720E7428118,SHA256=F7ECE88FA80694F0184EDF75133367274736344C700B9BB03CD808A2A0E7CB86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-msMD5=0F74C5A089B40BFF53EA642F2F58FE29,SHA256=677B1C0A500B279FF48729D2C2EB7843980FE97DF783D114AE4278E3DE1A7764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-msMD5=5BF36B7013BCE4E5BBC81DC163437729,SHA256=C21A6E0A311020AF06DD20E6632019C12C4277B9ACB2C018167316D401862360,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-msMD5=1C4885BEB22B4F439DF9FD16A375FFC9,SHA256=D513F7162DFA21A57310DBD29AE1A6A441FDA8FB4353559357AED8D2D297E8C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-msMD5=1503A025C3F50A86AB33AA220D6203CD,SHA256=481EB950A5944076145C235A2F6AD86FF6BF95A6B66C9B323E3A150AE38CCF73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-msMD5=D4F5C0E8950B2890FEDDF462197DA116,SHA256=D058363BC5B1738C808C6C689131FADC7EB5BB6B66697EA5B10F09A7F17A575A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-msMD5=B8130C42EDA9FAEC89EBB50648949F0F,SHA256=7E92C493908C11A15F2A5AF4BE45D9DB602A6775C4BBAE639ECC0E08EDA2BC63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-msMD5=587EAED6393A7BD3849E670DE9F8F039,SHA256=57827862A40F39BDCEA3AE9ADD686FE2BB50775C22DBC3FB1227EA2F13BB1F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-msMD5=CD562A94021E2C5ABC34FF568D63DACE,SHA256=5A3A0016CDA0693A41B47377BD9D0B82218066FD433747B47F7E052CEE48A113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-msMD5=62B6CAD87C3755C70BD5C61C02CC775C,SHA256=4907F13993274941AC27395D5FFE46A16742C5C3E851F8A20BED89CA705161A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-msMD5=2DBD7F9F559AF7635A405A0FDDF6211D,SHA256=E5E6075642567549A19FE181967D53D5EF37C5C756191F45AA4D76226CF91663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-msMD5=B086FEF0B69D9F40988A3AE8A31F621C,SHA256=1ED39E92A9719847160ADB9AD4BB27696222648860B065A3911E08A177AE2EC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-msMD5=9507E3FBF9D2CB90B3C58C843472589B,SHA256=54FA85F84DC4D04FDAC2091B3168B38C9BAC5CA317177E4B15CE6AAFD1066C41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-msMD5=1D00827CCE2AA295478CA46590CAC50A,SHA256=F9CC5656009B3588B6DACB5B7E69C4E089D02FF4FEFD4C6C41A94B6015762B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-msMD5=D6967DA15FF1A4906DEC99E92304ADF1,SHA256=01A2381DA2B833B42FB037D17C59A78E7B23DA79EB9D042796020A36D2DC6A33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-msMD5=AC280B797A43E3046104B90E76C4E081,SHA256=F3FAC8FD1E3043AD813998E52911B1BCD19A92CE4E5287AF97A48FC5B7AEB745,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-msMD5=0E996878BEFA169DF91DE245095B01F0,SHA256=EF64B87D008CFCA5FE4B78E85EF1006A58A27FDF30BC522AF42A2A79C7DF843E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-msMD5=AE7C53484AC0D37F1B5FF152291B09E1,SHA256=5F2C645811A46B3DE88FCE20B65E889D5004804EA248A23D5130F1D02DA35955,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-msMD5=5FC591DBE43929AC45AF3FEFC7C7C438,SHA256=5803EBEF5B9DF767319067D5CF42164C90A6F3F2B67A9A0092A67397CED911E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-msMD5=8F3A19915AF76198E797107307EF844F,SHA256=F503DC32893F41ECBFE36857E5974F12DFF74E85E29A631997F3AD1331C96CF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=EE04098F7360E54115EA96EAC6271879,SHA256=A73D40AF9E70E3B8FB44C170A2C7C5726FF939528A4CA1D19D4F6C43B47080AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-msMD5=D265DD51C5D20E8CE22F002DA035367C,SHA256=A89FCA8BB2FE8FEFA7DA7419725B3C369AECA91AF7D37F69160703BD7B0D51A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-msMD5=5F7CE7FA62D7805B1508F566EF896771,SHA256=F1379026A47F929CA231852845B1F265A24302C548ADD8E2FBF0FBB39FEE0442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-msMD5=77EA3C7E05D9C1A25DF110DA6823CD9B,SHA256=5627B26154173968FE803FC156AD162A21E08E5D04DD7D32B6E29B711C4F0D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-msMD5=60E60CDF726A13E9D8B05DD1A0D434DD,SHA256=A1E07D3F7BDBA4D3F966F9848A902E4336B0334203A40A43367376F7C1A5D52C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-msMD5=F2358F5EB0F12B97103A2E9BA18EC7FC,SHA256=D545ECB6B2E5C49A5E1F2CB63E9DB0488F2AA02FEFF79E245E5944F19D126735,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-msMD5=29698EF5B236C6C3A67297EA0A1CC6EC,SHA256=2A24ADEE15785F097D9D09E412A2A678ED9063598E6A5362271B8859D57EBBC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=7F0D1B4E6CBB6F217D85B3C2C026ADAC,SHA256=7EBDDB8D043659B24860774C5E7AC4150E20D52E334A2FCCAE916FCC59CF4D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=33012B99A0667E7C07F4431AF6BC874E,SHA256=AC89224816FBAA86E27965D8422544829BB5D6CF09FB50E9867F8D013B84A859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-msMD5=72328C50E726988A33F85989ABD70B59,SHA256=CB974B836817D0B48A06FF2F0AD5476E7CF190D56EC40DAE4D57C0CD800E36B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-msMD5=5A2B43DBFD49B127BFB7F8056FE55174,SHA256=2396C86348659C64B13AE131E984DEDD5E58DA4EBE6224DB500BC46A6FF18129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-msMD5=B2F60093F469017C98AEC3DAA03F6C01,SHA256=62873B874056C4B36BDD94C948E107BB31931CD0D767D7E98D24A575431E09C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_MAK-pl.xrm-msMD5=A201BC895825FC5586CE4D45AF81FC6B,SHA256=6E828571FDB8A91493A0E23FE14D11232C4F95474108277D809B0D95BBFDA1E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-msMD5=FAAD44F255358C6C156CCABE8F271E94,SHA256=771F08F061006DF9FCD5DE5DA473B5945E7926742BFB2F89CE20C8B095DCB6F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-msMD5=B5EF4EF0F183227C6299707F1E2023B7,SHA256=FC531351EFCD58BCC707E13D63496769C98A3FDE4C71715C2722A744A0679FE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-msMD5=7B9F157D46713B5222C0E4CFC7A6A589,SHA256=73B0581C1F472401700BB941FE737244B61AE58229ECF62C85BD4652729DBD54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-msMD5=F9E7DCE932AE82654A4A2B2418CACC71,SHA256=58FEDFAD875948AF2EB2FD8B573A7793C72B49E16BCE85E74F58BCEE348BB1DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-msMD5=A453C65A4B2D5F9B314300F536BD12AD,SHA256=4BFD77BB68183C904CDFD2E8BAA9810E55A31CE1FBBE083DB913A4072D93E207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Retail-ppd.xrm-msMD5=AE01F0D45ED59271BAA61DE93117F476,SHA256=0EBE37BF7718EE659B58CAF89E65FCDAF2FA05B7B8ECB9CC684B4634A318D0C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Retail-pl.xrm-msMD5=B5121E448A235C2758C45207520D402E,SHA256=6D5351F96935374415ABF2EA174993B8CF3310508D6C89E0C8117B9CD1F522C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-msMD5=33E35DD9EF294EF4BF8F51059E48F6E6,SHA256=3D7DD6246773D11977C04E80EFEBB99AB414B356C395B67FF250CE703BDAECCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-msMD5=1710FE232914DA2614FCB74AD05FBE31,SHA256=0544D046C18C8FCE53B6366CE2E50A94C3FB72D69B7AF84D40EA913FFDAC8EB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-msMD5=C5DFFB12AC6F32716E9CC34551575DA8,SHA256=85B2109E0FB5BF97A0B35C570021637218103B400CA021C3D3539284347AC2BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-msMD5=4B0134B2C3B3EDA7C9381624D515570A,SHA256=E8E9162DD2CFD1E1DBE2BF2D4F620F7629F2DBF4000B918DDC7203D213367024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-msMD5=EA49CA5BDC33E5C2571204F405DEFAD9,SHA256=4A83ED1E2DA266C88855D2CCADF99B80998D21E7BD600E3B52D8460439BE95F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdR_Grace-ppd.xrm-msMD5=4022E355AD7E223DE10EFC8AB7BA713B,SHA256=DEE2A62DC12F9F57C326CC6DC311A42E20D48FC9012F030F81D53AB2CDA81FA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-msMD5=235324588B497DC1E26DE06268BB113D,SHA256=6F8D953E029A502ABBD88AB83A83C8D17D283BFF7BD80211763407E359DACE5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-msMD5=2E117C73AC764F594B67D62AD75AD4CD,SHA256=C635253C87C9F7450FA8AE1657AA94D839FD7D06ED50EE867CD837AF69C1B365,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D58090DB48524CEF1AF46B576F476F,SHA256=CFFD577C97B32604EBEE413089DC9464907B085AFFFBBF1D7981C978714A2873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-msMD5=DBC582CC5F7E64FE7B5AC5BEB2331208,SHA256=B12DC2EAEE8533DE3283BD579FD607E840273E9784921626FA641E6EA0E9B2B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-msMD5=16820EADDE53BF4606C1A9D1E0E5D1DA,SHA256=EE5DEAC23865099B40DF68DD56B62FBCC4F70172A48011D31EE33B77261FD2BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-msMD5=0938DCD670D92C06E9CE093BFBC8DAEC,SHA256=5917989B34F751551CCACC7EFC9B939BDCCE9F54C66EE3712C9BC7D2241859A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-msMD5=BC1B5F200B8E4FD8BAB3E1C84CB08468,SHA256=101E4D584F601580143BCD20C59DB476C2DBEB346BE5531F49AF8BE0C3BAC78C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-msMD5=30C9FD6CDBBC7532E934CCC77DF571A6,SHA256=756F642D39359FBF7C2928A87684BE90D687F48E347B402049E8AF6785D9C094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-msMD5=3E7ADE6275BA134A95F1185243FEB360,SHA256=6E54FCF67B18BDE8B2FE8EFE3A78E5362CEB24E493549F6E82797F8F12E0B628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-msMD5=F5399E2C726133CBC110C5FCEAC3E6E1,SHA256=0D04463DFA5231F8976925E618462DA5CF66A84279C3CC07C2D19186890863BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-msMD5=C4B33E35E59E24DCCD3D0C8FD03296EE,SHA256=A5C77F9DD55F3421109BD64C81855B1E72EC5D8630D2C01444D44B0FC4A6F848,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-msMD5=47D59B5B9E7AA26BB6629647DA926312,SHA256=5CE9703D538590D05DEC472FA016303B06E42CF5D820DBB3EC0009D7F147C15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.630{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-msMD5=D3B65E37CBFE2A32728F426811552DFF,SHA256=57913428E479ADB9C19E88B61DD63F9F901AC0163434CF627E80BB9D981DA68B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-msMD5=4DCF7C950564F091D8F372CFCBCDB075,SHA256=588F4DB9B33AAC0D0CB93F6F47E0240A4EB078385CE891513DABC3896455DACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-msMD5=AE0EF93449D44C7AA546A9F5643DC75D,SHA256=923B4704E4C97F3E909CF727BD78E37EB36B8E5D0D519366D117379D16ECF7DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-msMD5=36D001504D1128F8AEC6A7EF9D6AEE0B,SHA256=D5255E8257E1D54973787C44D1E98C203C27788EEA7DBFD54A372725FD324F4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-msMD5=4DD80D84E827A88AA5B60FD3704050FE,SHA256=6CB995CCFE644295B9C42C43D56F77E855E5EC2E9360FD3284311B67AEC47DC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-msMD5=A2CD383E38D195A316C0F944A757730F,SHA256=D8145CFD85002F93AE195B1C88F53082FA573EE7C0F2041DC070F1F76F9365B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-msMD5=394C31E6157CB68BB0C90FBBE0A7A955,SHA256=301186C263B0189326274B654CE164DA25F839B63FDBAE6B92E315F580DF9B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_MAK_AE-ul-phn.xrm-msMD5=E1E974FEFF324431FB6383CE36B35FB7,SHA256=1F9F35C16B4790CD51B5CC36106C5A2AD40E8BA7606EF6760A4BCE902822E796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_MAK_AE-ul-oob.xrm-msMD5=76A902C8B165F3B16CA8697123409539,SHA256=410C3DD7A1E273FD5A9359BCBFD06936334CCE0858DF3AD43EB9C682B2FCFA95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_MAK_AE-ppd.xrm-msMD5=91793BB3D85DE8AA8778F8CEAFF0DF9F,SHA256=E6AC7D5829F63A55BF4556D1F3DC5C742CA76E33B65BD6850983EEAE179742D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_MAK_AE-pl.xrm-msMD5=E9DC86C091CB7D61CD240F14F7DC77CD,SHA256=D7615B6238950012DE7B68663B507F4AD97E8EC05052F7535DB5E27609823800,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_KMS_Client_AE-ul.xrm-msMD5=94A4237A7D836F566F05A2C3CFD80083,SHA256=05A05D48F5C1BB0471731EBF93B4415A20409BDA7B8DBC2BCF439862523A13BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=7DC0B8040813F0A82103E3FAC7E523B7,SHA256=17583D3BEA42518848BF8053A3D64081848626A2D29DA045EA735B959643869E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021VL_KMS_Client_AE-ppd.xrm-msMD5=978A58F0E09513F01A573B7166EDFBEE,SHA256=1C5D84AD500FDA00B59836A36BF674FCA0F3131F520253D080F54496D0F49E9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Retail-ul-phn.xrm-msMD5=A536822654BD01A2FC9652C8072BE43A,SHA256=94CE92764CB0DB2844BA017BD2F46E3887AE99C161F6950DA16097AD81BEA33B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Retail-ul-oob.xrm-msMD5=F474E19A65E5D3B1F815C1DB0DEBA8C5,SHA256=8565511810CA005AC2A84FAEAF26F0FC0BE1755010CC7643A9122DAF15006920,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Retail-ppd.xrm-msMD5=4920DC598DDB89DF01F038840185A4B0,SHA256=66CD62E9C9AA0EE0710582BCC7F5F48ABB38DE776883B0BC6702BE8CEF9A6ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Retail-pl.xrm-msMD5=D937DB2660C46317D652397064449475,SHA256=10556ED7389250F319CAC153D691BBE1D22D80A8D27B0701883BE262788E1155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_OEM_Perp-ul-phn.xrm-msMD5=3CB403D8F270A26E3057CD19943D9F26,SHA256=AE087D739E9BBB545836C74402538384651272A7C98ACF6D9C6970B3007A6B3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_OEM_Perp-ul-oob.xrm-msMD5=98D597C9BD7A20E57A027DC0E661D54B,SHA256=35EA4946C59B8F7C4F0A348BE173F8FD56D5A2CF33F0322AD6CA8A0AA9FFD43F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_OEM_Perp-ppd.xrm-msMD5=9F7731F0D7C4B22D0518BF386DEE9E3C,SHA256=4F17597062F907EEEE9F49F60330A12740667F63550A92F9168DA0E447093922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_OEM_Perp-pl.xrm-msMD5=5F923997BE99CF4A355EDA2AD6BDE1AE,SHA256=7475F73E5D6D618B0AE2AB218A42504E2F756DE3CE19F8BDFBA98F39EC80D65B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Grace-ul-oob.xrm-msMD5=AC2CB46C7482048CCC3B8FDAAAA963E9,SHA256=59F5ADDC80E46C7D0616B40A2ED76B6F1282A593CAADA5DAD4FCA9400C3AF974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2021R_Grace-ppd.xrm-msMD5=BBA0C3619B67A7CBE37F36758E9572CA,SHA256=D7DFF6013E6A62B8670CFB73C5167B29C73DB2C982EEF16C8A3F35E6C3497D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-msMD5=DB2ABA97FA365849E5C569CD6919611E,SHA256=FA5D7D4AA46B0EAA48842A5F0D00CF196223D97E85B86181977517B360B5D9E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-msMD5=264B89ACE9DA6C4D11E3F0E63783A503,SHA256=891E8479E7771437C4C2B8D2E4A43923E2C0EC2202308A9EF86877A73DAC67B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-msMD5=D0865CD42AFB2D3CB4FE9D3790DF23EF,SHA256=615AB5AFCE2EA3E8A955F20C2382DCBCF233B1122A920E4BBB317FA146636CFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-msMD5=FBA13B9428004F2B72D6AE8FC3818732,SHA256=4B07D08B16716B03F640CFDE4755B22902B8562ED2FA1ECF5F83B6F8CF136B3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-msMD5=A4056405517D2624EA02C0AC6A0B41C1,SHA256=CDFB88DDAF4B8084AD6ECA11E890621A4305CB7234502D60EEE6C2D6779EB38C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=FDA0E79D530CF3481648EC4824CAE772,SHA256=9F9C49F29B4881BFE9735EE684A6237CCA98334D5A0F2ECAC15EB065C40CF079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-msMD5=0E5BC3FDFE0FDE2B617E685A593E5BB7,SHA256=8AA99A3442124BAFCD2A4539B8B0EDC8E3B1EEEE09CC1A076C8095C1E508A9B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-msMD5=954F8AC1FF887D63F5AC3E98B3D7F921,SHA256=FB95764BD71EE693692FEFB806BE94A5136922EA1026859093B1681C2C1ABB49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-msMD5=E20F38185A60C1445036A226FC7DE012,SHA256=04FA81220C04FD5BFAE1311D61EE54F271B809451783EEEAD215AE804B501695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-msMD5=D56A90F8956044D2BDF45707368A1ECF,SHA256=3317988ED3371D2FAA7D4F67F05D43C130D28F844CF0A4590AF6CC330BB11DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-msMD5=D3A17B4B34921CA336A2486F8B314CC9,SHA256=1605D29420017EA97AF1402F01A04D21ED418053369982EDA976341358E946C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-msMD5=C970A8C1A9039DC7C7BB42D430ED3F29,SHA256=0A977C4B4C8E421288241DB268359F905F1F32D0582CF03CFF24D3A85B7970A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-msMD5=B424A7AFC09D16BCCFB599596D44538A,SHA256=256159A3D1EDF0A11BB10757DCB47708262DADAA8070CA789009E8C96A7EFBD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-msMD5=25F940FEDF73E0D87EFB9A7EE05F6E56,SHA256=E63300B7CB9C7B8A2E23FD95515A8604961AECC2B03458BEAE6360BB52E9C253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-msMD5=F41F2EEA803079A626BF3D3D3B99416E,SHA256=EBBDD574B93EF246DF624631E715FF077A471BCF61AC5BDDE565AC64334904DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-msMD5=5EEC57B1A3CBCE22E019CABAB939044B,SHA256=BD238490AFE3B7AB5BCBCD0DCE669BD678F8C6523AEBFCA6DF7FD44600F0761B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-msMD5=6D9A2F97EA5273C1F002CDADCD99D7EA,SHA256=075C39E79D37E7EF46556DD35F753776E2756D31C3560D1987212A6C45A7902F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-msMD5=076C4D84B3C0C9E72C236317F345F426,SHA256=D44BC6BECF991665D8F79B1412092EFE3A8CEC209AE913E8DFE7554045CAD59C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-msMD5=5B08258DAD6DD18E9937B86C01114706,SHA256=3DB6D09F9B8081EAC7FB8CC927E6E9340181107F316AC92A05C18A9F40C9023D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-msMD5=2EC343FF822D10FA1BFE5C346E38DB42,SHA256=EC88701B6BAECF77DF63960550A341613526EEACCA593BBFE4A2978B31DE4F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-msMD5=C27CA80B2D1D99DA5D2FFB33CC4BE572,SHA256=9F95DAC1BA4944EBB2262FC3228E994D0372CB4E37D5DBF2DCD20B6120B3F508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-msMD5=C352F40FB32B6EA17D6D7D8B771ED8B1,SHA256=1B56BB03E34BF96CCC5D5E104C74BA560BE310AFC1D28B83E2E73E8B8E730174,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=EC2E55235760FC6AEAF6188A72ED10FD,SHA256=A64BA7196FB9FAB7EBBCEAF7F55DBE380EF77F086E4BAA0966178E86B95BD1CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=94308B6A963EC71B7E7EA6882F1068D4,SHA256=829E714807171BB61E32BD471CD90B18E0B676791756817EF4E2658E2F9E14BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-msMD5=934EDA0FDCDEB0E7ABA3EE575DBC98C8,SHA256=D771337FC110AA4B719C60A5FF84327495EF26E89333AAD1CD63D58ACD4B94AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-msMD5=6684E086BE734381DB15F779C9B55A45,SHA256=003C49638471DAC8603600F946D350F802C90C37DF19A368C07BB74D4931F5CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_MAK-ppd.xrm-msMD5=800E5ED05E9C6808252E138C6D12A615,SHA256=07009A938AF966EC1030C3228E95985F06BD8E428917A61E58E9BDFDA0890C2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_MAK-pl.xrm-msMD5=89781ECEBC83373F5A740A15765F4354,SHA256=96B21739674EECFA269F17F99E56CF5A793BAD21FBB72F4FD083811982B80848,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-msMD5=F11D86C147C054D9762CBBB8458E4D71,SHA256=E81084F47116109E5C66ACEF44F34C1120E983A6CD651A91C331E321C4608DC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-msMD5=EA169877CC75F58E6DF24DD66D61015C,SHA256=AF0ED112358D5940C92045739E5731DABB8B2F567CE5AFFCA7CD6A9E1B246370,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-msMD5=76B3B6492916FC34D423DBF193C244B4,SHA256=85FE8D8EC62FCA9795E91EA4A466AD6888D44F7D7542DBAADE2D62A50CA2CA55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-msMD5=DC21EFB9447C35B35AAC45EAFC3327BE,SHA256=F97C108A210DBDD72566E115C84447350C79A1D583F8942DB719F15BA06315C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Trial-ppd.xrm-msMD5=E7705133ED1DA2F481F38496F883407E,SHA256=0E35DA3CFEE25C90AE1A0BA241F6277C287D9D11229AA1CC432F1585AB4C94DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Trial-pl.xrm-msMD5=C9BC971C911C74E9A5B26A1C203226E9,SHA256=61DAAE1C603B0937975E229958AD6E04C8AAD7A0EE5209C6A6A89928ACE291BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-msMD5=86A6BFFB28636DE9E4346003DC8F30A6,SHA256=D658F3EC01FF06FE1BF2C81DE6F8C76921D5409781D3FAE90B28B04E9CFCCB59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-msMD5=7D5C64E5B88CFC646AEB5A73FF751FE3,SHA256=F11659028EBBA3227F5B300B620077BABF596605731CC3B693A1DD8EA4226C27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail2-ppd.xrm-msMD5=9DB5A950B74CAC0D228EAB21BDE1AE33,SHA256=1EB631D4E96D41F82B66F1B7577C96A1D270D3AAA941B4C19E2A3757E4210706,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail2-pl.xrm-msMD5=63B116B089A5E9016F6422FEB96CE6AD,SHA256=F5151661EF76C3B9B311D4017C937ED0A5F71837FCF10E05E30F0616A97E8399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-msMD5=C5B5D0C83AF4C0DC76543DBC63FDF5CF,SHA256=9207774AB489F965C6A6F1614C1043B5F8BBD44A2F3882907EAEB103AAFFBC4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-msMD5=D803B282B13DE41DD9ED48787D254072,SHA256=621DDA1FDA8C5BA3AD1718184F6C881F5DCDEE5AAEE96BBE575FF1476AE59489,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail-ppd.xrm-msMD5=CFC43CADE68836FE3941F12F3ABBC27A,SHA256=BCC048CE2BBA18F4DC4C8BD105B1B381A4669E38746F758995279C17BBFB6FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Retail-pl.xrm-msMD5=1D013AFD0D0D309EE977B6E690E61ABB,SHA256=DACB1B75B2E17F97143D887AA1733FF690F5115E8342D020BECB7547E2671F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-msMD5=FD61298AA16B441BB8F8C6B8198600F5,SHA256=2BF53E933E9F79AB32B53AF8A17381113E820E7679A8CEAC0814753B08AE87C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.552{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-msMD5=5611BB004784EC1C7FA7CA768244020A,SHA256=66816F8FB3736A572D4403F1EF1476C1EBFD273FA5788072D6BEAAE25A6E7504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-msMD5=7ABB4062F30E48885E5A20BC308E7907,SHA256=E83A00BE75BDB925EBFFBB236271BAD0DAE1E532BA0AC4901CC7D9E67F6A6FB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-msMD5=6A183F297A341E4BA18B0C40DB56738A,SHA256=B4B733A47B980AFE4FEA0983E648982AB7D5FC793C01ABFCA1489E86707BBC9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-msMD5=1F6E88E939831F644C68934F1E3972C6,SHA256=F18092CB8F7162072CA2CB5B46C87741283D8092DEB9CEF6BD39CD6B48B218B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProR_Grace-ppd.xrm-msMD5=F56FFECDFB1FFF7FABBEE43D203C0D68,SHA256=E43C5861A0C52C4D18E79325854B36630208A2EC688B3C92B3F9805D8BD3A883,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-msMD5=6E65AAF5A88B6AE92188898F58B8131F,SHA256=16235CEAB9D9AE7E32EDCDC71A023B5560D9F870686AD989871D7BA451A5D598,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-msMD5=6E186347B1D378C680FD042F395BAF36,SHA256=4E94C544547FCDC5597524399F41E4A42499953D71C7A690C327F9372146F744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-msMD5=C16F12039092246E97AC96DC6E2F217B,SHA256=33E5B527350C14A09757C7D7E3CB780F7898F08ED1D0179B7DC66F097D25824A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-msMD5=BB3664737DAD35C48E794A77469ADD9C,SHA256=3D8584C4AB3886B798CF8AA9ECDDFAC9FD6089A7A3EE2BA2BD145792CCFF65B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-msMD5=B9B34417E885E2D21967378066C8B1CB,SHA256=41CEF32526465A9AFD51E1D7755D2849D19F49C563F670E883F9296D6A4452FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-msMD5=70FBF85F0D23AA260F20689FD1BBB245,SHA256=1B504BDA57FE43BFCCDF410BE267C03199608C516470A680AB4A8304CB98FFB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-msMD5=6F718E308AFBE668D81DB7EBE30D32EC,SHA256=EA8EE94DE6BFF04B6D3D099C0CDAD142043CC5C9E223F46AED4A761E22EC7B83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-msMD5=A304B188A2C268DCA74A3589C5EB8E51,SHA256=194DC0BFE8406FF77FD8565B9CFCF6252A67121131B3B9063BC1148410DBE269,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-msMD5=B0D5CC267AEF45E0BC2E0D5C4BF175F7,SHA256=9290D60B30BCC259FE637FCC8090845EADBB3BDA379A04C5D53FD86F65854ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-msMD5=721C9321DE40A86F172858F67452C532,SHA256=277F6CEFFEC70D7854B291352C1617CA0F86E608CDD24025E78B54FECD1A652E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-msMD5=CB16516F56918C8B8B37CFD6E45C3961,SHA256=6EBB2797A1058EFF2A480C508806D126FC1CC3031FFFCF4597097B5C7E9F138B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-msMD5=D33ABDB55C9738B4EA4B7773466750B8,SHA256=3A58AF828F47488C18BE927BE3C6DD85FD120767D7CE88304D57410920574BBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-msMD5=DC75E074E2D33B2609BA06C21DC76BAF,SHA256=AD2E0CA94876DD596C2BF373F66327C873D7A1D2A3C5F0E2B8A6470C9B2A4CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-msMD5=DDF637488402192FDC3E71DCBF7D921B,SHA256=9F63CF7669610E8D9A19369C4B4E8C108FA4C2B11CB293AEA96E5B3ECB50BBFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-msMD5=682A1BB5AD55F929FD1CE19FD823471E,SHA256=F5D4A4E620470822C6C29B812EF257A6ED190ACC63B87D8C5C97B172468A20DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-msMD5=9B505B1E4DAEE3AB91B845F755A54995,SHA256=E7096813E4E98675711CE942184B025C3E339990FD39DD25BE0578F45E965DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-msMD5=AEA7E9820291F0BDB20726B82EB6D47C,SHA256=10E6D85688CE8B54F5C12D5BBD5E102CAA900617771315A5ADA81449E8740844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-msMD5=0003A8CF1D2708D4D6B1A5A10C7477B5,SHA256=FF676CE2DBA4F2E8A21E4D6B19F33E2F4F178A1AF0D32CFC9C3AC0EB15840980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-msMD5=EE98C9ED39B7A11B938D51D82C5ED170,SHA256=36C5A23126F3841059E611FABBD3ABFFC7452B764D3FF112BFE7605CB128B395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-msMD5=4BCE3BF7B277DD31EA9F8E0726F55BEF,SHA256=3FD4C8DC2EBB315FA6885EEAECEF83F16D379EC8466ECEA08E00A5DC8DF79881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-msMD5=3DB26101DE59EABD49CD1F8923F260B3,SHA256=FEEACE345F94FAE398AD2D7372D1C739131BB1B8A4DEEDFB78C09AD3FB8BB4C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-msMD5=3D068F1AC5D5D124A83E0936E2447242,SHA256=7D993105F79983015FD0CBF1AA2FAC58BB2CC31834FCB64783DFB75B6016907D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-msMD5=425A08773699F602C54EA6280038BDA1,SHA256=6FA71E7BAFB35BB04A60DF292BC1D85F811392C6954428DEEBE265ACDF86FAB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-msMD5=68B421120E5D3D044451ADA76A3277FD,SHA256=D88D63B36E22184C7EDE7AE46E0AEE9EB53DEDC82D2C1B5820662CA5E554EBAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE2-ul-phn.xrm-msMD5=DAA7CE36BD2AA183632324CF9B7D1355,SHA256=C39FCCAA91B4F2D8E9AECE97371ECEF5527C22CDBC70097843DBBA2A51AFEC15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE2-ul-oob.xrm-msMD5=BDC79A36629B0B2777CCFAFE8AD56DDC,SHA256=99E814379E48CBFA0077A0E458DA84760BCD2C9A144FEF158520ABA7A8C847F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE2-ppd.xrm-msMD5=C51D10BB86CADF3523EFD3E51E2C80BF,SHA256=513B429D45822AEB5AD61C3E156694AC025980E139D3CD1173C45C7279E04BD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7B40FB76A82F9B79FE92C58A5F95E0,SHA256=E8752096DCAF065D633C0B489B7BAB3E8611ACEA1348F77B3196621346A8F986,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE2-pl.xrm-msMD5=E2158B42876B84E0B875F7BE4516B55B,SHA256=7D13049F7D34A542B5C3E9904D9C10DE1614115ED2CCA25E7A1F4752DE129055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE1-ul-phn.xrm-msMD5=8167955A8EA20AF67EDDFFA7EBDD3082,SHA256=A9613AD873115E98ADF73B370548DA39D61E44533F4D8662B9F94DBD23315068,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE1-ul-oob.xrm-msMD5=E35E331BA58C5BEDB5A994113F7C9CF2,SHA256=4F170D10055698CD887A426EABF176D2841BAD9975971E19797C7CE693301B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE1-ppd.xrm-msMD5=E58678F04E761BE95E0DBA8DFD816164,SHA256=2F080A19CC30A5DA4629C53E00B4F9F34621B3BDCFC2AAF4D0E06766822D6D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_MAK_AE1-pl.xrm-msMD5=2017732938A157435C22912C10355F8E,SHA256=A2DE964E1C0FCB98F51DB9A48258191679FA856A82B3845E0E65515C89983D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_KMS_Client_AE-ul.xrm-msMD5=CCBDE74E8F247D61DD7C224856428460,SHA256=603EBE4E4C704CC5E11BB2FA72300084C4F8A442F8980689269F31C48DB1DCDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=BBA8EA83ED664279A346189F5240B326,SHA256=400D98C07FE4A7F6A547276933F0ACD01C97BF108E1B6D8BD840E5D3E190478E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021VL_KMS_Client_AE-ppd.xrm-msMD5=91ABC339D9FEEEECC9BBF390F6198C06,SHA256=6E398835C5985373A4CFC4BB43579689D3C837E8DFEDE1895D8253F636B8D1FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Trial-ul-oob.xrm-msMD5=2AC0C4FFC9CE56D756222819079C0094,SHA256=1980729D4E06971E7A7107C9BE053B7DEEA2420965720F61C9BFC8EB20D611DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Trial-ppd.xrm-msMD5=EF504171E991C622A54AC9D6033A32B2,SHA256=2D019538F969310D99EA11F3BD2B30E924BD725DC108696FB2B37834A5A2DEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Trial-pl.xrm-msMD5=17639A6E5E5EEE2AA7A8B72ACB5BF023,SHA256=D5E587E475A44A0263FEEB3390D51FD33EC684CE4901E536037865FA8E91B0BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Retail-ul-phn.xrm-msMD5=6BA018018B4F09D0CB0E331DFB2B8F25,SHA256=FCDD7C97FE4289A3264F750C63B975B2405C5E02EC6B0F41BD2159F56820E02B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Retail-ul-oob.xrm-msMD5=476681480AB5BEFA96474AFEE13CEB53,SHA256=FF8ED0ED21438D3CCD848D6BAB07FD82EC67E589B7800D36C62E6B9F79276D17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Retail-ppd.xrm-msMD5=70C5E51A780657299212F7C8881B8B21,SHA256=08583A3117A50C8AE449070559A902CA0A09C42A6AFDA1D4C4FDA3A3B0661BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Retail-pl.xrm-msMD5=2F10986DC8CC1D8B00D48244330E7FC0,SHA256=2E268A3E97D3458E6C98011F9DB0E261BA1BF717EADE3B64ACB0DC31C431DF2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_OEM_Perp-ul-phn.xrm-msMD5=67FD72BB4EE1E0F92CE74F3CBC73B84B,SHA256=7853A62146734EE3FABADCF1112A214E808F12C60F0672E37568CF45F4849C67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_OEM_Perp-ul-oob.xrm-msMD5=67DE45A2BEEB7188AA3439AFDDA40921,SHA256=C68452D01AE215239A3F1EBF10AAEBF305B617BF6D5F1CA1436CF53E7F62BD42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_OEM_Perp-ppd.xrm-msMD5=0602BC02341BD3E5287D4FB36D09E582,SHA256=DE1B321AB5896362DBBAB456D756B3CC2A21E51D3D9CB20F4ED05FA14A8FC162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_OEM_Perp-pl.xrm-msMD5=745B9CE8FAD051FB8ED7B469ADFFD2AF,SHA256=AAB654D8B96267175BF21D6B4E9EA3ADB45AD793F202C3145B183A0A375A63DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Grace-ul-oob.xrm-msMD5=46FDDAC7635817D3CDBFF6FC509D8EBD,SHA256=7017E98EC5DC61367D0CFA2D218717AADA88058D788AB0303FDF22781D9996C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021R_Grace-ppd.xrm-msMD5=F9F79B54CB834BFF77E109E4BAACEC3B,SHA256=6C77CD1CA415B24FBFF8A9F918A98FD6C750C6DAD265318091996A5F15CF210C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_MAK_AE-ul-phn.xrm-msMD5=32373208399119F1DF315353EEAD0A4A,SHA256=134EB4E2A7EC5F26AB39ECA6705BE66A2A76181555E91F6AA19FE193E7827C97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_MAK_AE-ul-oob.xrm-msMD5=FA6CE79B954AC3E99DDD9D8E951FEC0A,SHA256=9285E7B3260DEF0F8FB9C7022A173CD4ABCD944527EAF03302107E97E09BF733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_MAK_AE-ppd.xrm-msMD5=1ECC06703575693DD9B1B0F0CADCEFE8,SHA256=536B0FD275E4E81F9C848BD7F21A7E20E3287AF3AD868DE88FAC7737DBB74375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_MAK_AE-pl.xrm-msMD5=93A0589FFEEEC3E6E326E8BB6375E34D,SHA256=21DBCFD0F8E7680D802348772FA59CD6711D8A710867F0DBAEB64DDF16E43893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_KMS_Client_AE-ul.xrm-msMD5=588B91CF0A675487F4C58A424BB3DD43,SHA256=2EE9C4F0E1D4FA4768A0A391F99AB848A3B7388C9B2EAB266F21FA0E688E9C71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_KMS_Client_AE-ul-oob.xrm-msMD5=DB467EAE23D5E6BBBD253C625873D4C0,SHA256=BF785DAF3F805B17B15A109CD44444B9F460A748571827D9A362E82D71936871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021PreviewVL_KMS_Client_AE-ppd.xrm-msMD5=DE508F940BC4ECBBE0DD160BF61E64DC,SHA256=920EBEB3FAD896B3ABB8F37A99BD179C6C95FA004675E5027C715ADABA4BC76A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail2-ul-phn.xrm-msMD5=1E61844C6C1F6634788AC7427C17EA6C,SHA256=0A8BC0F633362F0C2B55DC6C5A75D3965C996BB79B706C0C28C5752586FEC96E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail2-ul-oob.xrm-msMD5=3EB8EF4994FFC924BDE590E5DFC4951A,SHA256=7D41D8E008E15B134986677EAC0658CD73E152DF8B7E2A19A9E217ED6E7EDEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.458{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail2-ppd.xrm-msMD5=6491A76CB3FCF8519F1C69E3AD92A672,SHA256=EA94DEAA917E26ACAD94C51FE0D5A808A5F082853720F6FCE3240B8A716D5625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail2-pl.xrm-msMD5=15C4C2023AC9245AA5C9051604F82B42,SHA256=07E047D765454CECE835780ADAE3354FB3DEFF7F16C5904546424492E6BF6F9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail1-ul-phn.xrm-msMD5=5DBF6528387305865E1492F12CC22F75,SHA256=F183B351DA8947334ACB001C4548D8536E453B87A3D30A420B64F7CD55E6641D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail1-ul-oob.xrm-msMD5=FDDC7C18B2115CE07296B653F3E0FC5F,SHA256=D2DBE68E9282734416CC2872DCBA0B3CAC9523C8DB91D1B52605FD27101BF1F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail1-ppd.xrm-msMD5=58D231C2B6E92E847277161BD70C143E,SHA256=FAF65FCB6BD6A5E96436829BCD2650A2CB6334631EBE835F1E19598400E91032,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021MSDNR_Retail1-pl.xrm-msMD5=C8F4486DE43FAF3F3AD1D97AEFD010E4,SHA256=A1B8F3A5AF114B93D3F6D3FB1C125E28AABE6B990BD1181E48D55B1E798CCEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=0D9B3181B3CC76E3E74D19FE1BA30549,SHA256=5760AA4AB0233C7D1A47075369E92AF100C10CC9D89C87B67FB9301D643A22B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2021DemoR_BypassTrial180-ppd.xrm-msMD5=80262218F13FA55A5B8D39C170847DE6,SHA256=273F6A556A2CD015BF8C6F905B98548FC671568838ECB5EA8A520D07D289EEED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-msMD5=E2DBE3AFBFF451016A8EC4BA696A8BA9,SHA256=F2A4E6EFD4E59134499B5E11B1E769A3D72520BDF10A6EEBCA797457E462C696,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-msMD5=DCC57E08AB31B09948E1ACA4A8C32197,SHA256=D6D49BCE12F34066BC9B5DB1A0F6C4B4AE4DC158BD77FE3CF1C82910E110AAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-msMD5=4693C1D54E4DE50695CB4B493577F5BE,SHA256=C5C70C305C8F761518347CC4DBB6F67C9920CAF1118B484FFCEE916CD86E9B0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-msMD5=BA763BAF4D1603635939D67D72BCF368,SHA256=1BA8120C9777C7BE6C4E2BDD60DCF2B8B5C48A2700140C6F1E56260F87863D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-msMD5=CC4E1FF71615D6871CFFA0652451DB3F,SHA256=4D1D7B356649BF55FA5216F5EB5A8B1DC01F53DDE3A44CE5851D0F9396B6F369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=19550FA1947415511902E1B4BAC7E959,SHA256=EF81EA643F763C25E10CEFC8354F194F03ACFDE4708A70C293F24A76ED03DF93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=A17DEFF782B31214BE700DC12FF1FE51,SHA256=B85CD95C08D6B2ED8787033E389BD6CC5EDF9FF189A404DE0CFECD64CBC71E6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-msMD5=A81BCA2200BD2C0208FCAFC426688EDF,SHA256=2EDF17C3E9A61BDAF9C365BBAB28633CCE24432276302EFE34FAE95D732A95FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-msMD5=0DAA598820551B18D86680701DFB4ABF,SHA256=549BCD609DE0EF4F0E038C241A212F58FF9277F5BC417906DD0A5A64059417B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-msMD5=DCDA05DA7FF56A79C2E3C2FB59D61628,SHA256=443D14A69A5EBB10CAFC97E9863AE59E4C45C24209A66D8363B84F809DE7E757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-msMD5=EE6416508939721513E82E1C128FDE47,SHA256=3A5E65CC4F4090B9F7EACF3257FF9095FADCA06FA10DA3087915029391875946,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-msMD5=F02261C326FDD0698123A4FEC961E5B0,SHA256=A5E590F4319D18931B00EF5504F6BB039F834EF44F029AE204E428722F0BB006,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=8D95144484064DF37AEE6273AE5076EE,SHA256=F68DE748FE3878734584FAA3A77F3379D8DF141A12863B699858CF049F87A630,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-msMD5=0425BF00B04E7085BED52F54C32FF60D,SHA256=940BA989B49DDD7494322A867C7774F9857A7672B3C1776398C01C922E6E12A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-msMD5=C0DC87E0CB7377581008DDF182FCD569,SHA256=54729B55B251117D26D07798AB8D54B16B3F4DC355D22777C7776E0913A8AE9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-msMD5=E2A297BCAFA10662C8BDA87CB787C53C,SHA256=74F473AE4188E134133C88E64D3E6C66C4FAF000EF39FD9EBD985E2785A8E377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-msMD5=8B2E89C6739BA75ACB79EB585E24D5CB,SHA256=6BA3D11F5FBF837D65A2CED6EE400105B009792CF1C8D395B41259B4BD7A34B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-msMD5=3A3D1C3EC5C75D503BB955F952351DDD,SHA256=56D0674E9A6B642C7B1F16A6151025148FAD69BC5296606BAD0143CBB6381881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-msMD5=6FE2F2426B8EEBD4D34357DD89C5CBEE,SHA256=606907D9F269F22B5E41715365D0F37D0EB76075C546B8BE320200AF87BB77D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-msMD5=0091C238E0EBF77E3704461F7BC9E83C,SHA256=747E49C75487A8700E76F2FBD0683D639DC2B2BD42ADED06CBEC4C84D4C3BAEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-msMD5=0C6C81F62C08017129C6A6290029B26B,SHA256=CA060E553E077680B2FC4243ECCFA2B160A191C295D213E30F94AF1C14C8C005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-msMD5=E1C4161A2A6B453431D0EFD5694F5C67,SHA256=DB576037C5BC88EEA86C64440AC5AC949D18695ADDD407D0ED11A4A554D82B99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-msMD5=BA0BC37CA16D7C2B6C465D09D95913FD,SHA256=141661D35FBADDF1D62F0782D60D288403C64B5DD8A6C36DB93FC6D629F6315E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-msMD5=34D0911912C71A6848CD72890ACA781D,SHA256=1385064D724FD3F7888568ADD7345AA029DD8D61A7FD207519818AB4B77F00CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-msMD5=55C2739491965E891DBF737CC21BB76D,SHA256=3F1EF1DCF6ADA9820C4FF8BFFDF4178A26BB6F142956473E028945DEEE133010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-msMD5=D15DF25B102CD77590381D270ECF36BA,SHA256=13B37B28B672733D2D40B4F564F80A67950474FFB1D34A00C044668047B17765,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-msMD5=736AAF330C5A8C3A312F5E97504DC292,SHA256=9ECAACAFA2CC9463BA4900FCD51611E657BBEDEC0309CE46540F2D87683BD88C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-msMD5=E671FAD61418536847ACB245F359E2C6,SHA256=29102D54CF62E4296249AC5854F7056DE5DBDBF96EED5D955BAAE067479B512A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-msMD5=28B955CCAD1DD9FFE54A4AD0D01A4692,SHA256=674E2404DEF4D1BB011AE72F29886EBD654A950FBA5D3290ED50BDA2885E3A59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-msMD5=D1FF24BABD50BDCE938493EA46736B08,SHA256=FA2E4EDEDB548338B18388AF63020951AF22AFE45292170B43E7D6820E4F5206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-msMD5=021B2AB5EB4C4F6B1114DF0C8F7ADBC2,SHA256=DE4F3CFC5FDB37601E0E540B42BA26BB4A74E0DDF19E197297F4C5C364C8DC13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-msMD5=F81DC94981B1AE79116A394CF9E26B10,SHA256=926BFE5C050DF0D2E453BA50308E8A35F2D7EC6C41059AE61FF9EB7DD78E627B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-msMD5=D673092A0CFC4CDBE6522495A59CDEBB,SHA256=F505539D34A14E7C92E799F0FBC4C017B78F3974240C6D3C140C5660D1285E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=38D94EA717E488B9B6A1165ED343AD64,SHA256=CCA2393BE4EA7487FC0A52C08812B8E64FE3C0422D4AA02CF6AB68DB11574BD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-msMD5=8236D73715078BCEBD5CD5DF09DD92A7,SHA256=E7E400B9C2DFF08142EB5ED53B4E21C9BC7B025B7F5A880AA58007B2E9C71200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-msMD5=07EE7991055D0401646D8A067905B244,SHA256=339C5B249D809E44E93AC63C68393FD3C4AC66E7811556B0E16AB0241160B94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Trial-ppd.xrm-msMD5=33DD3F998CAC8731A37DA3AE26880D47,SHA256=D1FFDC68AA3499517AB65EEBAA52DB73BC7597735DF1337A0B15A7724AA66924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Trial-pl.xrm-msMD5=EF5ADDE6AA102517C72239C2D26E56A5,SHA256=2B187A48452913DB1565D2C48999BAED3AC021562C595F7B2770FAB6B274DF2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-msMD5=0C47EF60497455FF8D4C991C43B11E1F,SHA256=E1D203DC810A33D4518E6309B579E49E62ECE07EAC20BAAE51D3BB3101383877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-msMD5=2126269945CAB658AE4304B09B25999E,SHA256=20794F62FF13ED7E16F3FDD5D1053C7B953677C62A8B6ACD43A1565BC1801837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Retail-ppd.xrm-msMD5=41C8F8093D0C28068392132977C0B33D,SHA256=D5CFF7BDAA706F23468518F1A930E4232818A90CB96639F92BA316A6136F4D6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Retail-pl.xrm-msMD5=03B4D92BFA1F7CFD249E41759FCBA64C,SHA256=C8F659D40863C191C260914B4F3D80AEAB13F99B4B18EAE0ADAB0C825AD2FE2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-msMD5=C30FF6AFA17B92BC118D209C387FA69A,SHA256=44A33760FC1707E6380F5901DE5129392DA28214C68F49E37B315A8D554F8E8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-msMD5=6912B1FEF5C667674A230A9A2C031FA0,SHA256=BFEB8918510F1EF51C789D566C3D4A4AD28551087D4F3801977A72F6001471BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-msMD5=C540596990877B935E599A86598777D2,SHA256=CDB9AD660C8404CC1CCE2E31A3EE1858CD3C829974048D92C7E72CF6774338CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-msMD5=73E4841CB7B9D5218F2109B7984C5039,SHA256=F9E43554DC0F1D7FE648F7419E48C777A9FEAFC100E4E63BC3EB214FFC10CC60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-msMD5=26F8462AD0D16C2DDAA7B7497FEF93EE,SHA256=BBD667760EA1258BAA90E427BEE9808482EDA30266432A3355F66B07AA7BE923,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalR_Grace-ppd.xrm-msMD5=A89D43F95617522F10640AFA40999E2C,SHA256=8236E086CFA53EDA4929B15F02E6EF7B6B30335F2E37408B4E302509D1E6D331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.380{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-msMD5=92D96B281197727DB48528BB3A6B046C,SHA256=2975CF28D5893AEC4704E9E07C4545676575D832FCF3931B735EA9998459532E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-msMD5=D76DC08D9685AACA0C68ED6C2102339A,SHA256=7FDAACAA4A231E7F533CE410997CE48EBE6E59B9C3317E33B69C4A1464FB876C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-msMD5=24B9A7948C7637A83177BD9E37F92229,SHA256=193CEF03660358220F70A0577271F57432AED6F8A4D23EE74D32F970017045AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-msMD5=8C7A65077D685DC6790ACC8D742FBBB9,SHA256=707A8D5CAE995EAE2DD97E627A3C14E3BE15291BF8C9FB5E10D45A9E36342CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-msMD5=8965A233AA3C1789864DF606F9652079,SHA256=BED500BCC62AFABD72B777D9BCBDEA2719DCD0350F565F2C00A4ED40770905D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-msMD5=71A75812C813F44474AADC8D5755AC22,SHA256=C70E8B8B91036DDABBFB1C6DA668935D2A4EF2DCA9287419F824CEADAF398968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-msMD5=5C8C244347D6E399DB5C096B4F140C10,SHA256=5CDE774E6175803D22AF5FFFBA712D1D6C016FB17BC8771C343DF7DD64EC7E33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-msMD5=BD4A91B27F175F0D72EAC4FE5460A321,SHA256=885DFA61CDB8CE144C3712A436D197C74CADE7CCB5605D41F86DBB24795AD97D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Trial-ul-oob.xrm-msMD5=EC80BEBF57230DFDE21398C616CEDB70,SHA256=9D1A81384DF3C5D6462E25E225A7E11A7036F657680E3D6418AC79457942AF5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Trial-ppd.xrm-msMD5=321C0031AF25CD59359FAA1165711322,SHA256=00FF9C46E6BDEE213E25427F3E7EB2BF3B3E319E3E938540670B842E597CCAA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Trial-pl.xrm-msMD5=E927B9F1A1968C6B4CE08BF61D090466,SHA256=A56803319567868EA14D2A995568CBE094947967CF8A530E92FEE4CCAF8BB4B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Retail-ul-phn.xrm-msMD5=281C068DADCD85D6729BA26B221E496B,SHA256=7DA6ECBFB2CAA9973C2F266AD65CE2008E6F6824044CA6DC21E92BF2F4911D83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA21DE9C4720615694903974A031ED25,SHA256=ECFC2B632B80443BE9568269954EFA404D00B103EE139A7F52404577CDD64889,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Retail-ul-oob.xrm-msMD5=89C67832DD4B770C2EBEA910D0EAFD2A,SHA256=1C38B2555BCC858407B0AB4061DA58F18794D83361A6B500B76F02BC3C419489,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Retail-ppd.xrm-msMD5=6A10902B6F2B006E3C98D520F024156A,SHA256=170F5F21FD46C4E29E5407FCC145D90A85A09CBC0C92F790528C1C5BD8AE139A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Retail-pl.xrm-msMD5=1EDC50F5E0B9EF5AFF472016A224C38A,SHA256=100706F0595A8BDE4622A9F34F75F1C4964AC9A5DEE6AFEC3FB67CB9A47BA61C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_OEM_Perp-ul-phn.xrm-msMD5=58915E5504319FEA8D13A767C14D891B,SHA256=833317A678436793EF7E50B84B4CF6A02403206EC1650545538DB5AEC5D174CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_OEM_Perp-ul-oob.xrm-msMD5=0B9BA04FD7B15C61C9C7FFE7FB72251A,SHA256=51740AC892C05ED5E74DA78CF8217FEFCF4D741E5B2664B8589F27A9F4780CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_OEM_Perp-ppd.xrm-msMD5=9D07F4A58D0D46577C85549148311014,SHA256=0ECD8089061A26BE48D3A4229F426628DB1C6798ECF35E19354C4F025B57C89A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_OEM_Perp-pl.xrm-msMD5=5CEC2D5B56024292230D503FC7FB4600,SHA256=08C8BC4E7C8917C66CCF39550426B8F97F994155EEA5D87F00A0E03E1361EC3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Grace-ul-oob.xrm-msMD5=E732D0778AC6205A65F318DDA65B4ABB,SHA256=DBB5C7482CFC4695414170B0B5167B052559A252F9247C9057FA0C00DF2D19F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021R_Grace-ppd.xrm-msMD5=93357591B3A24B208675C1AFBE150DD2,SHA256=A83BE941F301311587BDD38F23C412E7EA6E2E16FC345C1B937C720DA7EAAC7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=90A6E62768A8B58AD588FC468EF88D9F,SHA256=E30D06361E1DD509DF477687392E757A8C16B0360B906EA6545D689D61E5581B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2021DemoR_BypassTrial180-ppd.xrm-msMD5=8A80FC5C560984A4B705BAEDE0696557,SHA256=F1F9E73A1A2101F5DEB9A1742A1A6FE41456FE08CC36AC4A3FCC5A815FE68DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-msMD5=B1B4F5BFFAF729607A4010ADC3532D0E,SHA256=1878CAB73B9B6B79DEDD99AD569F687148DD239C2A620B0FF5B1D1FB059CAFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Trial-ppd.xrm-msMD5=5E7D9D47D757ABC750730EAB1B88FE10,SHA256=67F5103A328F67A6A225264A1A3C2362053EFCF43F79C3A6EC560046BF82D89E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Trial-pl.xrm-msMD5=C3A20D6C913A58E0F1E58B4909DB5F8F,SHA256=CDCC30B05667D84DF82F2E09BDA08CDE6DB0B2328C5FC548427C5CD5FB396368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-msMD5=BED4E1FF3980BC10B5F3FA6225ECDEF7,SHA256=4E9D36B440C1D49603547BCC963775C5FC270ADD1850E580BA677825DC9727A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-msMD5=BA663D13B82E5E7E34AA470DB1ADF108,SHA256=2331DFB0CD4810259B998C3A47A2A041FC68175C4F90562992CAB49CC0DA1D3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Retail-ppd.xrm-msMD5=513DFBF1433DA6830618D668CBDFA5CA,SHA256=CE7DB4B16BF8528B8F77CA8D52F6E02D0608CCA7B5E950CA484A1F3589C32DC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Retail-pl.xrm-msMD5=A5D1DBA6F91C45E813FFF2BFA98A5C4F,SHA256=2FD164E1EC1382B5A70A99851C8A164D66A25884C4238BEFFD26BD3D24F935BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-msMD5=83747A225534C7932BAA54CDA761FE1C,SHA256=8D67CC6C7F50C9F688EA2AAABB1193D4764A4913FB73C1FA9755A2D0E005CFE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-msMD5=35B2FA0747FDB488526D11BCA553B84D,SHA256=47DE014A5E63412253EDB71A363528102ED5E0B4C9688CDBA811308CB3086E75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-msMD5=DDAB53469EF618352C32CA49FAFE39AE,SHA256=7B0FF93468BFD6211439A49D78D9C928E3AE2ADDD534A2695B5111F8CE5C824A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-msMD5=31AA3FFE0725DCD746F3E24CBBC3DF23,SHA256=76B12E9A908E305DD4C011F819CDFED21DCC263755B32C91CA84135B3D650ADD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-msMD5=C052A882E1D2779B8FCAC948BBCEE23F,SHA256=0A2825F2B8FEBA7BF03B8F730ACE182D33E34626C935CB7B3FC68378F042B30A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-msMD5=194661BB370CC6A8D7B1BAD37DB13BA6,SHA256=714B1D06EFF3DDEC9EBB9385C1891F8A8681E5738A36F3D5FFF011DBDA943988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-msMD5=AB6CA376096011F099DBAC19AACB1C1A,SHA256=8CE884E7128009B650AD2221BC1A0143B3B76190D9C2C19BC29687E316A3FC5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019R_Grace-ppd.xrm-msMD5=3563FFDACD982ABEF4CB92C9ACC94F8E,SHA256=FF7B44D175F810E6C9D61C9C3628BBD743FD5A00CC32A62613B754E3A2AA9B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=7693848E2BD0A4B1F587DAF5BF4B927C,SHA256=7FD45AC6C573CDD8D09102D48D418F59484E3B7849C1F824341EA0FEC8D8C1E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-msMD5=CFA18CC5A11BF5DD133E1199C1A6D963,SHA256=6452EC000F216D786654F726D780C6BFFDB32896D90AE47EC0B866B5061C7B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-msMD5=B19A3C502A93D0E61BD3626FACC4B9F6,SHA256=5504A888B7AFA20F17F4A7C1D6DB611717F8AE215257B6BB8AFE2AFACE127FF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-msMD5=D8093157199CF13F9E3DDD1BAB82149D,SHA256=DB836D9AB71331E5694A074C58EC306C202F19C618451D7F68F7E6454484821F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_MAK-ppd.xrm-msMD5=6EE234E7D9EFFAC21445D5EDCC112B50,SHA256=116836243DC73F0EBACEB0ADCFB1CBA60B8C3825FA030A562C4158DDC94DE504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_MAK-pl.xrm-msMD5=3FD91D275F1C5A9F9327098DEA0CAA6B,SHA256=D9E5B65FD3FD49F5CFA055BC5E12DFF3542169AF4CC15E1BE0697F17682077E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-msMD5=B04ECE34A61E5365129E01F46494778E,SHA256=4864CA5C22E0A2711ED2930C0CDE2CAA30B3BA17C642708238050A4A7528A53F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-msMD5=8C313ED90D20ADF5E401663C98227A73,SHA256=45426CE7D5580560CD50A51E6A052F66BBCEE18599A810CE4297F4AD22C3CB9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-msMD5=D42F0EA2AF363BBED47C312A0DE3E6FF,SHA256=74F23166BFCA286C6DDAA16C1EF1AEA466FF8C53BE4C4B12EBF03E17996654FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-msMD5=9DC78DF92A568D680E6CE767A32ACD68,SHA256=6E061A013B0536AB2D55CA6EA0F9E807FCEA83DDBA59AD2EA3DAF22912B742A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Trial-ppd.xrm-msMD5=8D8EBC8562E8C1F867CEC9A818062A3F,SHA256=028F5ED4F62E54DF40754FF61A1DE864B47D95C9E51BD472D38F02FAACC05A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Trial-pl.xrm-msMD5=8387E627B0D188E8F5941A1DF59C7A14,SHA256=1290542D4AD892C0FC5D8999D18A47EC5A548562A7F506F9814E073DC6B9D236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-msMD5=838C685B2F53C87CE846CAE86633C227,SHA256=2B1EF7FED164DF8C353F334EBE378CC34701C4BECB640EBE6C1BF4821176798F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-msMD5=F445D3AA61AE4A7E9D69F9A9565F8FE3,SHA256=CF2D3E81EAE493CCCE5435347CA823E6AF53B5290D9D262F72B480DDEBD06DF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Retail-ppd.xrm-msMD5=8B280B92C30B79F23111D127EA7C95FC,SHA256=5BB71BB6BB45061F0BA73ED0069CB4B9ACBB98255EB6C5F1A4DF0507EDE33486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Retail-pl.xrm-msMD5=C70D3129EB28E623196106926BB4E87B,SHA256=6EC7641922B91055C2FE139B6E4463B7D990CF9DB423E1D07427CB045360396D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-msMD5=65B11BC7D5611BBF2E45BA1859F154C4,SHA256=D19D594659369321ABF6A581DAE9405A51C36CCE86869AE589BEB882B5CB360C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-msMD5=A9E6D1AD9298F16D24D0033C728F8FD0,SHA256=FD04BE5F5C202284A21F5F6DA8858EE8DD6CAA08F7E997B04335A4A1943ABA87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-msMD5=117D8AFDA1280B696B0157E0D0B205FD,SHA256=5BBC176743E07F053DB2DCCDADDB2CA78091124490C1133E19DC2498F11C7F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-msMD5=5869CEEA29015AA9C02E4A9370A6DB12,SHA256=36F8A3F54D56D0D4DA2C54F4952F9D51FA8E2C5694A6B50170601768DD08F7C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-msMD5=61D7AD3BD7F0B5C59B721DAAD5D007D9,SHA256=847ADDB716385FAE30C53AE4E83C7D739C9789214C64EB9BFD27CDE9CE8EEA51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.302{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPointR_Grace-ppd.xrm-msMD5=04C88CF9F1A463B9DF75861BDFFDD960,SHA256=2687A730EACEF3A3D4992CD3A417EC4C6CE3DE4D1ED12F18F61AE8CBF9D72BE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_MAK_AE-ul-phn.xrm-msMD5=F7C2383DC47CFA7646884CA5BB111153,SHA256=D5A685D20F791F032C33D6682647A8FE78CEC7B415B6D2AE47D313B81AFAA105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_MAK_AE-ul-oob.xrm-msMD5=72F741AC82A60158C032FCADF5A0ABC2,SHA256=5C1BE932F2F569BD91A612EDB3EA69BDD65B1F471E5E6E5516D1337F2FA11369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_MAK_AE-ppd.xrm-msMD5=9985557D4E18F8C5F54C8C5834B8E8D4,SHA256=11874E18F4A8FEA3DC54C594F902AE6D639AEF4BF94F6E66218BFFFA8BA1BA0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_MAK_AE-pl.xrm-msMD5=F9572F58074DF81EE4231B05CA6EECC1,SHA256=A6AFCBD7BDD582F4F45CF01154F2CC7B8D76C23322522DFE121DFE4489041F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_KMS_Client_AE-ul.xrm-msMD5=DC9FBEA754BD45BD83CA467B2EB947F0,SHA256=0698E9BE372A18501947FAB2E7176E6824AB83A2F9CAC410A0FC80439926331B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=BEB486FAAFF5CC13812DA217A01F0ED2,SHA256=AD1236F2D912B324EB0F63B02A7B48ABD49B4CEE66F5D2CF23B2E33C06E0F10D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021VL_KMS_Client_AE-ppd.xrm-msMD5=702FE3BB250945B0F2B21025EFB37A9D,SHA256=5BDBD7C8256048C07A336CBA78FC66DE797FFEA941A79A035945B2D19B386247,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Trial-ul-oob.xrm-msMD5=8C5539F911E52ACE5302BCE0546B5780,SHA256=DDFBD35CC881DA2B1FE2B99872A4E5729312D17BF2667034CA146936E5B7255B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Trial-ppd.xrm-msMD5=EF7FC56A7F52B17BDD65291B0EDE3FA7,SHA256=8488023A10C5804F65D158F5B69E9611D95E95372AF59A4DABE7B628A65E9987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Trial-pl.xrm-msMD5=A439CE2C2736D6030D2F2470373152EB,SHA256=3464E1A869636D58E79EAF21F7D2DC71444752B1F9057EB0A03227958A0571AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail2-ul-phn.xrm-msMD5=929D0CD70A351E138A7F107EB21ED790,SHA256=A11D6F638F7628DAF307833FB27E86E58DF48F4955992F54172DC242DF543DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail2-ul-oob.xrm-msMD5=4CC4EFF738F5F1A5FE223E72625A26AA,SHA256=80F94586DBF0B461DF8F9C71316F8FD6F863F2237AE9CCB5724DDD76BE9E8178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail2-ppd.xrm-msMD5=1E6AF1C8D168A5298DC1373401E62253,SHA256=2C40E5CEC1B51DB235F97C51B418F25C968208CAB53DD26F9FF5A35A82258AD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail2-pl.xrm-msMD5=BB749DB6E04C16778BE962F300169324,SHA256=613140BD0FB4758CB3B5E189EEF671F9ADD3AABFBC2443083186FAF35323AD8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.286{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail1-ul-phn.xrm-msMD5=DF4D6A5CCE4F36559467AB461675227D,SHA256=B911386FCEE2ED9E826D772D08250ACD74A8B9EA8AABF340A4187533B8A959FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail1-ul-oob.xrm-msMD5=3BAD5B7A08987451ECFD16B87CDE6A88,SHA256=F20BE2BC139267F2ABE9A3177EADFD022F1A1B6502494DC9AED2DE0A69F981BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail1-ppd.xrm-msMD5=984CF46EDCE998EDC81EDF1F6C2B9760,SHA256=1C8011ACB50A636204F85F8689AE1147258D4ED70322C7D87AC81053B39B9B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Retail1-pl.xrm-msMD5=7E2C12E458EA6EDA585F8B45F6E726CF,SHA256=E26262B6D3955DB9C4DD252A10B2F3DA1BA12539ADD664A7D26BA503ED6CDF1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_OEM_Perp-ul-phn.xrm-msMD5=797CEFBAE72D96222FE05A84ECB49BF9,SHA256=9139E4469B491E567D63FD26839D71D5A580E4A07C7B089384B2E1F4F86C51EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_OEM_Perp-ul-oob.xrm-msMD5=E55A75F85561B2E9BD553CFADB7DAFBF,SHA256=742B79B277FFECA02DFF97A2C1988989AAD33D8C397298B9B59F7687137A1685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_OEM_Perp-ppd.xrm-msMD5=E876022F6866E662820579478A5CCD41,SHA256=F05E95D88BC2E878BFE82D966EC55BF04FEBC79838C636524A94E0F104D1C143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_OEM_Perp-pl.xrm-msMD5=E8A2A2952586A70ABC224BBE634122D6,SHA256=1B93409DC928BDCC3A16BE28112A088B7C01B4D3F8638FA8CEECA410DD1E7BEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Grace-ul-oob.xrm-msMD5=E6A2CD4D6E4919D0F7A299C6CE9E8A4E,SHA256=6B51031930C8CA073165EC6AFE7490A93D30B00144A28722C0CF7A9AFA6A422E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64E91FEEF97CD649EE5CDEC8F131D49,SHA256=59A796F06063DEAFCB7D683AE2AE2304E12E13B0B3A9C03E072912A791C34E7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2021R_Grace-ppd.xrm-msMD5=962B4550048BA1F19DC644EDADBF9C19,SHA256=728E33FC860860A206571814D35DAE1C0C7A4F07054A23BDBF4C08E7717DCAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-msMD5=66FDA89F78E9E2E26CB65683F6F21F82,SHA256=E09BF71306353F6814F938D394FC9F2D7A18420BBF6979CBEA393823DE008C5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-msMD5=FDE4604116FB8CD172C88E91B2165138,SHA256=E4D1EC49909536C02ECFB3C4400836D7536D233C17B456B8B268857ADA9B577C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-msMD5=7A5009EEA7FDF2E27F7740BA447896C4,SHA256=684FAA47E9BB8D75A665478860F983CBF90B58C8530AFAEB542676D3767333AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-msMD5=D930C82CCD860F255265C8F5E7A75D03,SHA256=8E23748CF8D83F19895C86B268A311CCEDFA2B4B18750E7E3C175621E2B317AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-msMD5=AED8AB574CB935A2EDD7EDCE9ECE0505,SHA256=F37B54F1E904FDD8C7C55B07B38679B162CA49CB9C566A62E7CC9F80DCB07A3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=F360B9925FB6B5F2ADAE46516101E372,SHA256=6D15759A5D09865F1F5DAD9B750C70CFB28BEF453E81DF45090106D38C225135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-msMD5=2462BD9D1489347C023E5FBE2D8094A5,SHA256=98700FD792B1C470110ACE23DCF5EE48CD15F0C8AAACD3F2BE7E11B92B7E1242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-msMD5=9B51197793653ACBB09FB43F390888D7,SHA256=6395247A6556195B0E27BFD770AF07C7E21BDFC8092B157C2167F3380A0AE229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-msMD5=606FB2E65A547535B25FC2C01261944E,SHA256=3EA98828F06041072178DD9FF800127005841F733F44965D2BB0A96C26E4ED06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-msMD5=960317F67C62AF569451C75F7C0DC343,SHA256=7845F5934D8CC413474C9DD4C0709C1F712304F107806CB371950106B7FEE186,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-msMD5=B0076D192CEF1C432543ED025F7EBCA6,SHA256=EF7EF2DED1F26F57AC3E075632248722F118FB9B5E2D08FA66649E3EE5F86D26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-msMD5=B3DCBC947B81B01B1EA46DB6AC4BFE12,SHA256=9322073E1686A44C9A3C7F7F07BA9265564E0E295E97A7458B87916FA74CFB85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-msMD5=A500D76D7517F37688934A4D2E3C0A06,SHA256=DD2E3891AA46A19CFA75DC0D0E1C5C6AB7FBF07124A8630525D17449876B8C19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-msMD5=1825E115545BBD2D22AF676FD5BB4FBB,SHA256=90CFF06DC78F81D98F5F42ECB186FCF22473EC4C2C5D14889ECAA859480EA52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-msMD5=D9274528D709C31E8615014CEEF89962,SHA256=AE60C6E174E8C8BC4565A5F84BD9F99426F1CDB0A83699A8B36782C9279B8ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.255{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-msMD5=6B94852BBE90DA0AB2ADD45AC27CAE29,SHA256=CEB8A02F2CDEAD7CA007D9A2567A8200455AE7249AF100AD4F234B3DD892ED7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-msMD5=8B29F7C2C47AD9974AF5FBE0B65B5B6D,SHA256=2DB9E2C27E488E7F5D5FA41B46459F0BE4DB9265C0907BF4C0159156F7BACA83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-msMD5=47E864C021B8E598B17332E46C4167EE,SHA256=ECFD05DE22990496B24B5DD24C6707B6A5EB041A2DEF7D8454D86EF22EFA3F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-msMD5=06EB6DAC6F010AD2AF17CCAED5AECFE8,SHA256=72A9396DC7DB18806091C7495F72943BBF3C6274B950D64286704FB1A040B062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-msMD5=AA3713C764E31036086D2EE623373B27,SHA256=7B17F256568D709BF94F98672E8F4BE254D612CAF44A745061AA3FBAFEB5F7C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\pkeyconfig-office.xrm-msMD5=660927DD88B8F36B57CA64E9562C83F7,SHA256=1092F13FCC6B08AA2DC5FCAB54F5966724BB86598F0B1C2A88C3EB6A45A29666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.224{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\pkeyconfig-office-client15.xrm-msMD5=B7786A85291AB8B736718BE0BDB8C8E8,SHA256=12321543ED69DE70DE79CF9066AE68160F8D4375FF8DEA1360AE1E41FBE7F357,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Trial-ul-oob.xrm-msMD5=F81C4DC7F5EC80133B8DC6A9735A2B19,SHA256=9C77C70DF37A6EC6DE4FCA3FE64C984A5EBA4ACB96BF241E32E5C39476D07EAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Trial-ppd.xrm-msMD5=DFC7C5FC6DB8632AB032FE3B18EDBD6A,SHA256=927F3727B74E8F03F298066338D6CD9E7C7912D17F680196D2D3EE0886FA934D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Trial-pl.xrm-msMD5=1BA935E708F591913DEEA1308A84E642,SHA256=608A48E7E44DC3BE1F38236206CF14CE91601EDA8F3E4AF0A49C0FA060634B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Retail-ul-phn.xrm-msMD5=EC6245B401BF719D5EA96FDB4FD87559,SHA256=7E7A8234467318C3297A127B3D6EB0681A3E3C306D9576F60B94E3A61BA4A224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Retail-ul-oob.xrm-msMD5=315A0BA669A67F9EE23D5587CF2DBAEA,SHA256=37149A319BA563DAF32D578523DA4BFCBF754D1AD10E0E859D317EE7ACDB334A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Retail-ppd.xrm-msMD5=3EDACBBB4BCA8B6FC7DB089362805217,SHA256=EFD418480CEFB7344084DAA71D3320DEC641A1ADBB12A7FE8E01B02638873C43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Retail-pl.xrm-msMD5=2F6F0BF7614C5742A662C37E3E73D2B0,SHA256=433ED8C9FEA79C6840C4C72483C0A00A2FD82C9BC3CBAD839CF4925801ACD5A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-msMD5=3B1B248A47F7CE95A9377EF1E3E943F9,SHA256=FF5B4C214DC9A974D3063120CC0D71154896B08F297C57481B862852D2A45AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-msMD5=BEDBE194875338709F6C77D835E84D3A,SHA256=53F5D2979F4FFD699DC339494E638521363976A57BAE305F577A1667C2211D2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-msMD5=0BCDA93358E7C7FFC330D047340C6CF1,SHA256=A84A2E438E7A1E90E789D9E4723A8AB6DEDC0F82F71D156ACBEC58D6AD0F788D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-msMD5=F26E965A702F8C7FE35C09EC4413EE70,SHA256=6E752138C1F992FF71F2C19FEB7F880190A674E9EA2C2441790B9EE6183DC723,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Grace-ul-oob.xrm-msMD5=55E58E3D20B05201620D79371C9F1F1E,SHA256=25EC3A12252B6F9E4D1FC337528EABDF46DF0AD10940C3F347D33BFFDD4BA4BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.194{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalR_Grace-ppd.xrm-msMD5=A5C16622197814AA71D2D4CD2AB0D9FA,SHA256=DF6C47105A4FFA23D5C60C482A6779088012548CB176C4F45E62527116EFEE3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-msMD5=2100A1AD970BE6F8552DCBF88E221274,SHA256=46C0FD2FF2C6651E321B36178C49E6D230BF20C884F263EA4AC525217C46A005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-msMD5=50FE2897C25A7C49E7E3250B79207C63,SHA256=4DEFD179B0E7CE7AC2F06544F11E170C55E503F8A66DE9ADA0D442459B7D5B79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-msMD5=D0B58FABD560314C29546CF3802D3D95,SHA256=8F858752CC37E4AFFAC1151A850BDFF1494FED0E60B5D128C8D4FF65A8BCBBC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-msMD5=0A6DD91CC9EBDC09840B4DFF825F0996,SHA256=EAA1918DE1C6DEE4929C8E766C26861CA275685476EEDBCF3FEDC87DD347D7FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-msMD5=63BF2150F4E090679056519F9DA8BB21,SHA256=E1B2C30BA69DE43A04C4925293A492946A4C4E1658AA1047544212605F406754,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-msMD5=B29675F6EF4359D84B2BE1466F502F44,SHA256=E8CFA68D966D4858A70D31C751EBB47EFFB09361025A2EB95AE6316E495AB51C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-msMD5=D3335705BC06DB65609DAA2AFB32D0B5,SHA256=E1AC703E1322399E39F1E1928BC94A2B40AAD39A9E77B2839A54DAE8DCEED782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-msMD5=A5E4DE2F4A0134696C1B7280A930F66A,SHA256=210E577DBFF7B1CAAD43AC59B630B9E8764C4AB970875639E8C07725C8D7A566,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-msMD5=D94FC4036F254BB0D7F5A85C8C45B6EA,SHA256=1B53C2B81273AA5720AD2825237B5BC398C25D5C37AB8DA487B7FD9CC2D553B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-msMD5=07D314FE915DA5FEFAA611961630C726,SHA256=B2C61B084E4D2B64BD39859C630B8AACE0DC3FEAD09014913B5BD2477FEB5DB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Trial-ul-oob.xrm-msMD5=5D0F0CC8D53073F15671BA82EFC70986,SHA256=07012E92AA1A2EEF09A6B3C32C623FFA9C3DB98DAE6F5AD5DA63FAABAEC35118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Trial-ppd.xrm-msMD5=45CA01CD5DAB704FA09AC619FB7F6F6D,SHA256=BE69E37609CC924D49C4358E66DD294146FB901F212E58E4585C58F77C0AA1B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.178{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Trial-pl.xrm-msMD5=763D9A1083EFE51394961E0713132D92,SHA256=F10F4A1F6CF5E4ACCE60FCDDC786E4BA17DE54DC81038F41D2406657AE066BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Retail-ul-phn.xrm-msMD5=961EBFEC5FAA31E65D52B8F9A87B5073,SHA256=139FB0E87929F627F3A90BE0414FF3692CB2448065C85AD69CDCFB92B86321DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.176{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Retail-ul-oob.xrm-msMD5=36A57D6C84983A6003F391FDBE6B125C,SHA256=5830AE8511B3AE3469681A29B059172C98FF2BF87816E491580390975BE94C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.173{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Retail-ppd.xrm-msMD5=22880D3FBDDB689CEC2C67CF656767A6,SHA256=E3E6545E36DD39C492F3A10C509A6A3572E70530F716ABC3829BB5396D5C70AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Retail-pl.xrm-msMD5=C1B15021A2FC3FAEF433FB72CC08C2EE,SHA256=0B81A998BBE3832BC1565A18D7999953115DE8573CD6951924A4E51CCBA7B0C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.164{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_OEM_Perp-ul-phn.xrm-msMD5=61FD9651F6AEDEE8CD9911E5D05654F4,SHA256=1D4FDD3FCC020FC10E5313BAC6614B278A00BE45DB3C36A6EAC512FDD2A73D57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.162{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_OEM_Perp-ul-oob.xrm-msMD5=DC3600FF4A2F987CE2B7014D18E11E4B,SHA256=5F3F04D783A4073722701EADB46BA296487E6D3A7C448D1F0EBD74BEB433508B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.162{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_OEM_Perp-ppd.xrm-msMD5=0156F01A7946F6446D27E9CBB05C41F5,SHA256=A42E8F108C3B1208D737FF9B438DC28EF5AB2B7C4F9DE889CDF529D167E555EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_OEM_Perp-pl.xrm-msMD5=27D4745FBCC01E98D4562F7FF4D1DC78,SHA256=1AB652ED1C0977B1FB57C24A1A7E41BAE7CBE0D64A057C3458E1EE398A26B5B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Grace-ul-oob.xrm-msMD5=A7093D356D6B327CCEDF3F74050F7124,SHA256=55C63D80309B1BFDE8B5D121D95ABC244C58355E23976883FF8539D36A55240B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021R_Grace-ppd.xrm-msMD5=8BA95B421E1F470875CB0FC43BE52DE1,SHA256=3E3A92D77FDA1F34B6867B3C1BD9F2A85612BF6134092C5BE10C544275752858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=CAEB96FEBEFA3F5C936B8CEDECC90884,SHA256=E929E9A27FB185F7797E21E48FFBCE3A40808AE0FC431B4BE426821B6ED03487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2021DemoR_BypassTrial180-ppd.xrm-msMD5=AC28E54A7AD5F76769B87DB4AC5DA76B,SHA256=BD4EBD7BF5D0602DD4D106FAC3AE6AB9286BB6E7EC34664B11CC1F11A59D0B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-msMD5=3A003486BB39F3F22D61E2DCFFE7B86C,SHA256=18F8ACD17CC131EBE29A6FBC29311B02C27EB1D7C1BC2432310DD2099D6F194A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.153{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Trial-ppd.xrm-msMD5=E982F2A356C60A996DB9F2787D3F473A,SHA256=6C7832C47EF4529FC849CD43C2E8A40E8CC65E2AAA8A948209CD036D9775D80F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.152{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Trial-pl.xrm-msMD5=D36932547BC8CF44AED4A1806135C7C0,SHA256=024BD9F3AFE183769759340930AA6648A8AE792E30CF81EEEB38964970E5C901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.151{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-msMD5=D40DF1CCCF9396211CA8CAB69EAA459D,SHA256=B5A532BF4B84B7AFDD036B9C3EFE6AA9C106F43830E858F46E83BFC332227C75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-msMD5=D35F45BAEEACBB248DA046C5DA419FF2,SHA256=6772E512EE4D110053B91577D9D09BB778BE2577F67D987DC210C00C16B26118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.148{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Retail-ppd.xrm-msMD5=0B5E899ABC279B760229EB0200F836A3,SHA256=90F6C778F93D270BC67DEBCBEBAF8C621CC564489131F2FCAC33D0C24A347443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.147{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Retail-pl.xrm-msMD5=3983BE97BF3EA674CC053BB0BFB5699F,SHA256=108A6B7634A1C032C056BEC215592D193659D08C0AC50BCC5E089EE0158EF3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.146{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-msMD5=7CE99C18A4CDE5F5CE6D907C3EDF03BB,SHA256=1803250D1A939058C7B7ED7EE20C0FA2B8740810BA982195C6510B9EDC59A836,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-msMD5=AC73F3ECF5C4B0CF48BFB44EDD4F9B64,SHA256=3E45333781745245EF88DC83DB3B01F8DCC7DF1411ED0E7DC165AC37A8F5976D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-msMD5=B6FA06D53B8A2D6A2FB19FB5819779CD,SHA256=9840D469261BE3481B4F21C7FA53FE3EC1A7949E641C65A4704E07BF1C5FF5D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.142{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-msMD5=193589237B108F725ABE3F4F5281ABA6,SHA256=F8FBF95AC809D6AD61094E253215106DC6D774781365C8F386C7055113BA529E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-msMD5=E5EB7EA9924ADBA1F3E462F155531EFB,SHA256=D55A16F6C1E02D8BD05084FC3298A7EDE1C489A3D2BDB014CF2E886679EC9DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.140{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019R_Grace-ppd.xrm-msMD5=15873CA609D86AA9F1C4DFC59A248CE8,SHA256=9AFCAA358EDB31D14A54212FFF00BD3E03CA4F7777F42BC933F1ECA6F9512831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=7E8263CE0552346011BC00FE7B28BA9D,SHA256=EB4FE9BF99760AE9B45EC9C0FD39D7B2CA1FC0A63D1CE4BD26315ADB9CB55AE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-msMD5=1CE72845D15954BBFEA3569F05B3AAE8,SHA256=2F5065040DA235DFE34360D62628C60A94457309BB460BB5C65BCA2ABD7F06D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.137{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-msMD5=DC38560891C5B4817007C436E2A3B604,SHA256=357DFA536F0531ADBDD6B01CE50B41547A9654FB7D98F44189139E33377EC27C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.136{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-msMD5=959DD8C91B01FD0BA2CB07A333D4642D,SHA256=0C15587936A9FEDA406AE96895777AE9632F280891CE77365F00A39DB0D174CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.135{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_MAK-ppd.xrm-msMD5=51EA9FB9520DEC9B38E43F62D799AE10,SHA256=7FF35E8C2596EF1D4F4CE0B09D274E75D45E191A1717EF1F38B848876AE1A00C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.133{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_MAK-pl.xrm-msMD5=625617043F5610F3416BC3639CEDFB35,SHA256=7A133C13E6A5C7D2D9D4DC77F7E885FA5FD0AA2BDE278D426FA661125683D146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.132{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-msMD5=4FD3E0CB1662A59B4E580BF5FF7C22FB,SHA256=448B77399582E3E7AC8D061F0954E208B176C93A6DEE9C31049195B818383734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.131{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-msMD5=6F59FCA7612C26A490FE723FF8B8A9B8,SHA256=E7A4754F5A7F3EC10956D9FE501678E9761B41430C8C824D01F34729CDAB8EA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.130{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-msMD5=4EA819B034BB1420E62C459064502ECB,SHA256=A18734F33B31E1A4608E904FF8972D43948A430C020C3E5EBE4252ECB924F244,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Trial-ul-oob.xrm-msMD5=B3A8C16B50BB0C85F45583CD20D9A1CB,SHA256=51616693FA7FD64FED099773AC57F879B3FD3FEC7068DA0FC44A9F763047BC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.128{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Trial-ppd.xrm-msMD5=CE4533EBE211186A113278C811E6C865,SHA256=BBB4D6DAC5F01F2739601073F3FBE904024F719CCFA6CFEA11B3FDB9BF78F9E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Trial-pl.xrm-msMD5=57C863AF27570869A3F5FF2361293EC6,SHA256=36A8C48A874AFEFDE8D1CF8BD5B0D17E0D4EAC6B37C11DE0FD2896848FBEF500,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Retail-ul-phn.xrm-msMD5=48B3CBDDBEDF986AF3E4EBEF77D9F1EF,SHA256=D63B0BD7817661066663A541F7DAA79D0B6DACBADD6A2958AF8E6ECA45C29DE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Retail-ul-oob.xrm-msMD5=0F56792D3CB3DE9572112D2BDE8DA725,SHA256=C5292F68B9AC32BC19FF9688FADC3F09268457E86C3310BFD69BC185ACE6834E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Retail-ppd.xrm-msMD5=4921E978989CBC53F2E4811D2B9801E1,SHA256=13468C1E0D55C5EE3B96F81233CF53AD7294225248871A58F4F6170CFD3A77DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.122{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Retail-pl.xrm-msMD5=13F7CEF6C04E334838A9F0E804BF3BDF,SHA256=E832718609098418D5A54B71A6274EC8ADC344FD64A154B0E2D12E444BA1182C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.121{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-msMD5=E7E6B663C53D2821F129DBB53FBA87DC,SHA256=777FAD081DB2C7CD973AB58F5984D4B6DAE2C7F6AB3B22EB5C851DC7C06C964B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.116{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FD45C6F1C65069CBEDB3F2105736B6,SHA256=C40BE5DA4232F48DCE3DB7EE3881FDDB802E74C709CC40A1761AB242CE6756F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.115{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-msMD5=9B56D3C3370FAF7CB0ABEE018662D0E2,SHA256=246BDD67228427D99AFBFF70A59440FF847FE889B9C7EFC4E61E766839CC9AAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-msMD5=2F76E70C77460BC3A0F69F0A69741677,SHA256=9F90023E505869CB16E53B79A91242A1A5BDDFF39058E17974CFE0B422CC95E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.113{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-msMD5=777A8764E0B5063C8D785F3E6249D603,SHA256=BADD3E735B50976CB1F7B1016D470DE6D92A1FFBC76DC618A335ABB695765C98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Grace-ul-oob.xrm-msMD5=AF6894CDC651D2D0822818E6F1837B94,SHA256=80EEFDA468D1756AA179F60E643989C5D6C4E09872BBE21B490104EB5F3AF9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OutlookR_Grace-ppd.xrm-msMD5=0910996AB8BE32008DB059CF2DB0B3F7,SHA256=01F15490DAFF070D9A23875E21B475DB9F39CECA35F3C63011916B7467081285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.110{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_MAK_AE-ul-phn.xrm-msMD5=954C3A5B44468FEBD266D85A1C3FCDBC,SHA256=3BAC0B5448100FEA7A698D60ADB6DDF32F3E2DBD8AA1786A21A4287D4BE79B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_MAK_AE-ul-oob.xrm-msMD5=D28878CEED8D7240ACA23D631D4DC3B9,SHA256=EE84BC360CF26F1E6F73DF79B7F24837A91617F018D3253246EB291C8CE75231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.107{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_MAK_AE-ppd.xrm-msMD5=1BBECBCB43E2AF176D0037B088796F8C,SHA256=66A6293F00288141969A2B0C92F95A87231ED6A21FB2BCE610730B5DDD3F7A84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.106{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_MAK_AE-pl.xrm-msMD5=87063D37BB444A3151EBF7059473B901,SHA256=157CCF9CEB1DBF353EF1E2C802F0720D1A9A28E6EFBF6B192A734C4E2049BD2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.105{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_KMS_Client_AE-ul.xrm-msMD5=0D023FF8B6549458CF02E9771336A091,SHA256=B46AE2411EBDE2FD6805B06FAF819C24A119C5D5B5D2E21D66A10FC0CCF76D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.103{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=A39244BA30BC1ED49C1FE9F64421D42F,SHA256=CA4C96CFBC9901CECDAA850D984E14E619D62E22F5BCCC01A38EA507C3B75DCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.101{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021VL_KMS_Client_AE-ppd.xrm-msMD5=192EC1666628645D1623FC2915235F21,SHA256=3CDCA7F47B80FC3925E22031B43517838B6ACEB739887E97584162D9E5E68003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.099{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Trial-ul-oob.xrm-msMD5=3F8807F2D1A2CFA6F690686B35F078A5,SHA256=2DE535D543FBC441C1BE24193A7C848FB9F1BDB445219977D5F78BD4DE3100EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.098{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Trial-ppd.xrm-msMD5=71D326F59CC1C219888F09E031C31589,SHA256=3D388416DF264B235B21DCA3CDCC2B27CF5BC7AC9BFC5C9AF5B349DBC7B19539,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Trial-pl.xrm-msMD5=ED6C2BDCA428E05B1249695B713686C2,SHA256=3C9E8905565181D903D555FCC41057AC327DEB4EC1D2014B547FCFAC1C12ECA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.094{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Retail-ul-phn.xrm-msMD5=BA226FF6A59D2B6A9074B1A0B5C65703,SHA256=F3D1DF7A40BF8F75A0447463D65C93E0803E337CA4D620601A6A2295618C0EA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Retail-ul-oob.xrm-msMD5=95D443277423F8A4FF0C83105C8F6C4A,SHA256=AF7545823570715DF85C02FDAF8718B37CED34D86BAEC4B50FA629A4CE376420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Retail-ppd.xrm-msMD5=A816E9C2E035064BB4225C1EB788D634,SHA256=2049F64A8051659960C52B5DF723404D2F00DDDA177E82F64699B0902CD95BE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.089{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Retail-pl.xrm-msMD5=FBDFF8F00209F1FF0C1CD03E7DCFCA2E,SHA256=5CC8F34F476AA0752460CF762E51C1599B166D02672834CD02EF64D05E5CABCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.088{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_OEM_Perp-ul-phn.xrm-msMD5=448FA969A7234EDB22836EF01DE85F16,SHA256=656580596B48FE50486DE9A4D00C2A1AE9152B8C1C4C7FE3BF1AFE636B30CCA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.082{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_OEM_Perp-ul-oob.xrm-msMD5=D838BC6857F23127B2F422064A128D96,SHA256=D865286805295F1F4F5F732FCB4211A9F19BCBB00C6FFDF04C6EA5E7B686E506,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.081{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_OEM_Perp-ppd.xrm-msMD5=F97D38393E0D1C05E3A16EAF5A73B526,SHA256=DA7B3C0211BD6500B14FF8AE04BE9F35CE5868FA3EBC58A5FB1F86E0E218A890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.080{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_OEM_Perp-pl.xrm-msMD5=15A7373AB3F4DB62B07567992E135647,SHA256=3E8912C8CD87266DCC5FAE58B243F531CE2176D8B4946BA9E878433918DF9F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Grace-ul-oob.xrm-msMD5=E3B8F364230498A1DA00A3C77399AD27,SHA256=6730BCC1383E205A8ABAECD0738A24717A07539D6F41604D6D0CBED9E91DCBD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2021R_Grace-ppd.xrm-msMD5=D65556E62C11534E1DF53518D424BDB8,SHA256=E58960B7EB86785346A9051FDD5DDCB84F56AE274247AE748E5D9999F63908CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-msMD5=C751E7665F79C02BF502955D42591480,SHA256=7A80482851FEE779922E159686E9013B034D9C718D53692BFA8E9F11E19BC1B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.075{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-msMD5=F4DC592ACA751DCE4D5F8AEC43F66716,SHA256=871C7D981FA6CCB45CA478E1B46EA406D9BC19D77EA6FF5E25B78FD0777D0141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.074{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-msMD5=F3EF92AD424C89DC8FB59A0B8D282E6F,SHA256=3F6C3D7119556E1D609E3F464B05ABFF30AD44EC3D83F176D55073020B0DCEC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.073{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-msMD5=1AB927F5CA8CC5896501372254AAE698,SHA256=6E53001F84038ED731D3155CA845AA99705DD54896C6A3CD7A3F6376E3AF5AC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-msMD5=AB352EA1413B10395A8CF277D1B47179,SHA256=54CDB960B94D86ECEEF691B16B0CF8B21085813F08546CB7B1A803297C4901E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=269734DB549BAAB4898E94E7C498B049,SHA256=7DD11119BFD0CEEFC373651C06C55A983FE6C67B098C2B2A48755558FEA94F08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.070{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-msMD5=A600873169222EC608A705812F8AF930,SHA256=EA8420D5DB355C875FD38B4F811FA0D124E95E5A440A15A471DB7A6FC562DBB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.068{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-msMD5=76219F0E66C78BE59ECD8E4C773F670C,SHA256=E369883E3EBEE6F415ADC1EBF1557C024580FF03D40142E604072AD7793E658E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.067{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Trial-ppd.xrm-msMD5=FED990E5513807EF9743CD64D1F309A1,SHA256=4F858D041C5C90A96121F92513386F394E61ECA161CEBFA9FE407571E2B32A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Trial-pl.xrm-msMD5=6C8D29A044196C73FEBE2B826CE1AA1D,SHA256=192BDD402A1BEC8D25E7B316CF5E323D4A098A46E0546169086B9C6CA57D073C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-msMD5=1DAC6030A505E23E334021AAAEBC06A3,SHA256=930DBC5735BD5F4E5604017A247A8D94DBC1752C4FDF5DDE1C39A5176AE96D6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-msMD5=7F872DF17120D40DC0DB67ADBD4A0CF8,SHA256=9696C4B795C444793D10F0EE5CEE64F8012B5669F23A3FFE377E14636E18262B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Retail-ppd.xrm-msMD5=31885659DE76E02D6F2621CAAA3C510F,SHA256=8A5AFDB31369DBCBE8A76344C1EC0AB3846F015E02A1A460017C40CB46C46B7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Retail-pl.xrm-msMD5=DF0C0BECF9B1BB99A662243AD2BAABB2,SHA256=3C0FB85F7FB2D342DC86FF08FC2E5C970A539BCEE4E806778EEE06828BFF4754,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-msMD5=2BEC651A29FF49AA2B0852A2BC9F1E03,SHA256=CC2581ABFA47305E4144DFF4947469B04EAA582B380425B22E16CC165F890B88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.059{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-msMD5=EEC6E8F1128CA1DDD05CE0B5CB20E782,SHA256=25C94A46A4A0B5EBA5CD456DBA53A637ADCC3A11F862A159F74FF2B4943D25A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-msMD5=4F575ABF40ACC7D43D7D44F914366FB9,SHA256=0FE90C82E35BBBD96242AED3B8956115E2F3D47446509429FD422CA07DFBD550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-msMD5=83E565DCD41B4D94AD9A9F5ECFB94248,SHA256=6B0D496AA53684BD1E4FF64B915DAB5286A6108458863726AD9F55A1F9C2BD48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-msMD5=A9E8A5D82B6E171CC39054B25E02B336,SHA256=A9291A68B7EE4048BF0C803EBF5613B3129F1A661F4572D84B2444940D10C97C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Outlook2019R_Grace-ppd.xrm-msMD5=D9C6D86F10A3EDB26BF2F13B7D620DC1,SHA256=2F60BB2004B6DD04D4DF263A82FD6B2F6A9EDCE012275E3D7B0C775804CB7303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.053{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-msMD5=1D01E82077DED5A70F82A650C7C3A75C,SHA256=81ED26D39FCE56CA1952CBACBDB198877083EB6C99E1A593C7362499A75A25EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.051{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-msMD5=0D6FFBDACCCCFDBC92A4B922D79632A3,SHA256=6FAC2BCC93724785867F06EB4F91D7E0F4E3941F292E89945E57709D1810C958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.050{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_MAK-ppd.xrm-msMD5=15C552D98B6B375AA34984667E0BC45E,SHA256=2BA3D2175834987BE397B093008FEAD0A1EB144299719C406D3CFE3A51B57C54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_MAK-pl.xrm-msMD5=6D416CE86CC3A2CCD0AC8CA7C64E0C64,SHA256=E00A404B23AAE9B387D948571E1D47203C7610FA723B551588139D31D6ED458F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-msMD5=855F81CEA244F5EA3BA661B67D7DCF31,SHA256=3B79A00466D8A42CA3A23C0C3C30CD5BF76DA68E1FA886BEE7E4B36706E3C175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-msMD5=BA091ABE0D9069D5B636C9B74E3517E5,SHA256=D01C234FAB8CA3C03B0A773FF98DAB5E63C5CF54C54E6A15BBEF97C6D3A80791,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-msMD5=2D44CB71EAFFF9EC6AD1C9B251FAE707,SHA256=D243F453E6740EEA1176797371ED5503501F1FDCA820C0804F4212FF12D10AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-msMD5=A6C35CE1F8A702E089BCC28A39B1E8B6,SHA256=0FC1E7BF598849E3880301BBE86A303B1F119465C05B0903F8DFC25BA4C55C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Trial-ppd.xrm-msMD5=833CA250371425777B622C84905167BF,SHA256=A294294EEA1AC620B424E6FF2200ABAF5DF2960DCAA852957E37843C5F61081B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.042{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Trial-pl.xrm-msMD5=78A2D66EF0D8BE2943C5A96A8BEE1F5E,SHA256=53C93E8F4AEC6AA0B345A7A1CC9F310A64E01D2EC04DAAB909F69B13B5A4B030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-msMD5=05E379E52D9E6F58B96F051EADC0642C,SHA256=0398D84925E8E448FA0A9B82BC2AFAC67DFA8AD60C6E4291BA8C496E44E1B908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-msMD5=024D3925E275364583B8BC3906676327,SHA256=A811DB8401B9EAEDA839B69E37D18882843A79477DC7228EA04C3E9DDD52A853,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Retail-ppd.xrm-msMD5=345CD0DFD6134CF8F356CC084B457470,SHA256=D1AD80C099DA828F220D9B10217026D94B8A75E09E5C73692238267C9FDDD92E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Retail-pl.xrm-msMD5=53DBB2DC52E78305C33421B4F1DE1659,SHA256=ACBE30C9C5AFED760118A4E6A65CAA133162B3A35B8A14E16677CDBE6FDEE5E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.036{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-msMD5=23DBD5B5450D87ACBDCCDF951E060231,SHA256=A64C850B8F3DB63B976AB6B36BBC5AA46A2EAAA0FAB1636AACAF36CD345D762F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-msMD5=0D5BD4BE4D45146E86DDFD81B850C6DB,SHA256=E120197E463231BFFBB1980405DAD9EBDB45CFE1F993D8256AE45818BA3342BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.033{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-msMD5=3E50E214CB92A4572349D886BD40F9EA,SHA256=35C0828104E0D19033EBEBC293B15F2894D83A9D4A681538655190298849D00D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-msMD5=44BDF199AA009302EBF102F84618382C,SHA256=178B51439837160EA425E17B50688A713D222CF65E19FBC208CC7EE04838427D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-msMD5=AD92F88F833B67DC07534D135980E5BF,SHA256=3877C35F76EC2F2A7E09634EF1C122554DBB63936A29C87E1412523E63928D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.028{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteR_Grace-ppd.xrm-msMD5=72A1425589DA129D3593BD1320F05338,SHA256=384735E356F12ABE75875C329FE9A12AA82D86685F9DF248AED0F8C260ED05AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-msMD5=170906DE3BEBA753F1BCFD506A75AED3,SHA256=8A0343E01B5320FB6663651E8F7C7C672014045079B73E7A06A77D1C66C50833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.026{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-msMD5=A625189277063C47978B717EAE051627,SHA256=4CDA9F4F8FDD17C88F5674BA0B00882E5F29D6F03398CF9A63E983A0AE705886,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Trial-ul-oob.xrm-msMD5=666721237D438191430B64EDADC4185C,SHA256=C691B57BE95BEA164A62A8D2E8C5806B5B3A024CB69A188B84A16C83DDA0205E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Trial-ppd.xrm-msMD5=6D51DB2A7387B88FB036C78687EAB465,SHA256=33A9EA57526512EC83FAF94FCC7725F69FB102074DD6ED313B1953BCBACBE9A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.023{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Trial-pl.xrm-msMD5=343357FF8C01ACCF90C75CC343191132,SHA256=51A0ADB048B75254E363509BC46B30695F9705543787CEA7BE8FE0F1B15F969C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Retail-ul-phn.xrm-msMD5=CBD83992E61979DEF118C827AEDBB3D7,SHA256=5838F68710CFC04C6131664D89D536B240204894C2688D150CD75E1B30CE75E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Retail-ul-oob.xrm-msMD5=73FC9DEF88CA08F20462D7061DAA5B0E,SHA256=D43E2171D7F2E9843D702BD8A76C46738D2F885144856453CCD46EAF824A9F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Retail-ppd.xrm-msMD5=13EC6E0A509C7F5E218C4FD049474271,SHA256=011DDD469E89F7D9C3ACFFB2F3F549CEBA957EAFBD7A6539801C1AEE743B17B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Retail-pl.xrm-msMD5=62CD91490FA67886DD7962CE59718974,SHA256=5579F463267D373527798FC9CF9A062C7A4B99D9E093F8778FFB6B0936A582E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.017{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_OEM_Perp-ul-phn.xrm-msMD5=0AD1FD79AFBA8B04F02F0481CF152A63,SHA256=3A87674A82FABE1F42FC3FEC4A8276A21942DE5B6FC44D77FCE884C3FF197850,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_OEM_Perp-ul-oob.xrm-msMD5=AFCC5A15362AE56B3FDBB697B7EFC7B9,SHA256=CB373D82C9475CC1799C077BAC2C02B17873108ED0E17AD5C4EC17E8E16FDF0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_OEM_Perp-ppd.xrm-msMD5=182B3DAF8447EB3757F26366A0D14912,SHA256=B14332C139306DF0BFE28E3EF69EB726E41EB63551C3DF056BB6608721835E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_OEM_Perp-pl.xrm-msMD5=01AC5F34DFDAD69D474A06C25F31FF62,SHA256=D52DEBB294967AA105763818CE06BD40A4C29281DB5D99D5BE2105BE9520FBF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Grace-ul-oob.xrm-msMD5=44744695CE1231CCD61D3B7BAE2FBC9F,SHA256=DDC07E66AC212D79E20FB777EF7E18EB963079299C944BB97EBA0E55026FB12E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\OneNote2021R_Grace-ppd.xrm-msMD5=C07BDACDB918EE4EFFD399C63A2E3BD9,SHA256=928007BDABFB3D2E9A766213B31235DEE4371C35A053CEA3AFA52468D7A4E08C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-msMD5=5F647EB27F542534E20DFB9AB74ACB88,SHA256=B4728C842CDD81B87ED85AAE1BC2ED2FE0DBB51A4B3D0893B38D233E49424E4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-msMD5=E228B6C578115EDBA2FB1A290AD1153A,SHA256=E5B3112F9AC82064E7DE126E52E537F3F70D933270979AA5E979E292F3FD4788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-msMD5=DBF273D01EBDF5C520BFE64229A35306,SHA256=54C3D50EDF79AB83EE4A6A4FDD74C039E15DD154BF2E54838D918A956196C088,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.006{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-msMD5=F163D40A0C143723306247DA9E1A5109,SHA256=85DACE84A7C248F78D3A30C254F9A133FD5AD507088644B9B2DB2DA928AA4203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-msMD5=863A1ECCEFCC242975E4BAB0BF1A322C,SHA256=B79D2470B44977933CDBB38A715F4F59FC476C54289C8128F8AF1966C35F9E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.004{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-msMD5=AF2F3B31403DEC7E259C4F21626A5F1D,SHA256=D78B295292C2474099432BBD159EA536CE53C9EF5EB8C72A7D09F2A71FCE6BBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-msMD5=F8DF57ECE4AB8CD0E9B73C3C627A7187,SHA256=921263F0C28AE0CC7305582E74AC4157A037BEAF36F469FC10F1CCEE59E6A517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:14.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-msMD5=4CC2EAD9CB594823A5E370FD00A89870,SHA256=CA048C4359E941259A7CFD0DBD6A51B01BB54BC8ED1477C10D6A3E313F3E82DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000325847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.999{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-msMD5=E0083493B994F22947ABBCD85EAE937E,SHA256=7FE095D5C557F45CA3A38E0ECA9E98EF627292DD2A3AF77426F2A54A21E2237F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.750{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.750{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.750{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.641{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C78E39600E7F502DB7101D62FD02F1,SHA256=C98EA94C9BABD226FD7987A2C91D2BFF6FD432B3E3CC9EE7E6DBC8E9D2C3A678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.996{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR27F.GIFMD5=A043187410CAD1D0601A8AABAF26A79F,SHA256=74BA9B09C20324C164A951F5496FD1A1838046A9101BFEEF4E238E11C3011FE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.995{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR26F.GIFMD5=4E90B36DEEF1A04F5896553674F61D85,SHA256=D4519921B1D1C7AADBCD96042DC6A1041C31D35521E23F5463EA0797F911BA47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR25F.GIFMD5=E9F4CA42D6A1EADA4171E14A45392584,SHA256=0708242C13733693C7E23B3DE4DF3081F87D0EF7E99E74362E14BAF6A8FB7BF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR24F.GIFMD5=E110B9EEC18EC364F8578BDA925B886F,SHA256=CAED592EFE610D5FA8B034EE075113C6DEBD82364DCE2B766B057F1BD3958466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR23F.GIFMD5=18E615ABDC93BB7349A2C3A2854574B6,SHA256=BF84CE86E1585D9483EA925C48897A2BA106C8EEF8B17592B7C7E47348DF73C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.990{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR22F.GIFMD5=7AADBEB741B84809BE061D88529ECB8B,SHA256=19ADBFE67D6A8FC16A7899ECEEF14456670D19B2A2AFC8FAF1F30C719C108B4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.989{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR21F.GIFMD5=D3ECF13823590AB168B59DBC2611150E,SHA256=39CF247A48611A2CBAAF6C1A2527D5B90AA91C7BB39576E9339AC8FFBBF99E81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR20F.GIFMD5=44B96137651E7DA5928AA30CA380ACF7,SHA256=FE9CAFEDC2F9D880BE1B5442AE408B8A78EA0ECE2BACE1688022DD59A0D2A070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR1F.GIFMD5=9A665E6EA1B7FB01B08EEEFBD911C729,SHA256=B101BB216F206ADDC0159C823F69DAD59165ED34C67AD45817A52DC3603E4BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR1B.GIFMD5=D26CA1D81B9337322D064295A92B9B7A,SHA256=72555D0672F90EA7225276F3B76DCB33154F4A4DD868FDF0DF288722ECE27019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR19F.GIFMD5=739EA25A4B1D53044870188A2C9245F7,SHA256=A6D5A5B498CD48D7A6E99427A51407FD9FA5CCA0DE894E9912F9908425F5E0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR18F.GIFMD5=C5E6E4BEF2378DE36E11DD04EDB70DF8,SHA256=99F3E00180FE65BDC6A6AB7A7C227079092B39CA0F9CAB616B106F3AAE99DE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR17F.GIFMD5=80BA66A9FFD260087C2E9CFEBB41595C,SHA256=C8459BC8E70E4676BBE0879647423EF8420E5F266C1F441452A3B18B8350D1CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR16F.GIFMD5=917ADBA960D6B08A53C935C380F765F0,SHA256=CBE3D934546FD8FD2A3B8DECF2D84FF59A5F8A021CFDA1D3D787727EA7F490F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR15F.GIFMD5=434DEEC853D80A868FF87B7188E550DF,SHA256=9FE592173704BBFC6B1F042085AFC45E1A3D6727430CEA80517AA531F8A420F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR14F.GIFMD5=049E398772F1DC81D1D23D674C12E251,SHA256=8DF3B5191CCE76A25734C061F374DEBDC35017ED1FE16B3E6CBA08248ADC7B90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR13F.GIFMD5=13A073DC2DE13C5AFB7491A700CA8157,SHA256=679AA4303A55EEE0FF83B9174C98ED68699D095E10B89B7AFA7382F0A1FF512B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR12F.GIFMD5=E3BABA3F12A9F9675529479C8FBF4F60,SHA256=757F73C973DC9F6316571B79B1F8918D648330E346C04C34C323CD79C030FBF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR11F.GIFMD5=482884CDEBB7A2B0CFCA4A38DA8480AB,SHA256=EED2ABF4AEAD08F16F84DB73FA4DF6BBEA073E2B517DFA93D70C6217687FE483,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR10F.GIFMD5=24F298D944F8BBD6D6BDC8A633D72A3B,SHA256=E58D7E004465B6BB038EFED208CBD11B17D553E91249F8948ECDAA129AF99302,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR00.GIFMD5=73401A1D8E46B3BEBB8B73A69CC344C9,SHA256=E6C6C60DB896C52E0E0F2074D071922086C7E8454846FEF270844C5A44694BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPAPERS.INIMD5=EAE79C239C8EFF472306E460F881C5A8,SHA256=60AA37E5A6753229E16E7B38051C0EDB309C574086566A969CF09FDA8D65A0A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C2551117CC327951C7F8FD00FEE445,SHA256=9026054F8A3555DABDD5524514026F788636AFA4B5FDE44D8D978086D5B4D16E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR9F.GIFMD5=415D5A8662A712A0CB2A0101D8A285CD,SHA256=2DBC13710DF0CF635703B97B26D0089D324E8A924B3CAF0D01DC87796F745748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR9B.GIFMD5=E3E480B7C54BE2F7883914CEDABFD500,SHA256=B4F72D0B8E71A2330FF5F2687AAB433941935201C71B5C6B94D354DB1FA6505D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR8F.GIFMD5=3E9392145E73105FFB429A9818FAB88E,SHA256=1976B3B7F7ED44E27391A81DE29DDA7C782DAE6083613478C0E75866C800BB17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR8B.GIFMD5=C340FD768C103DBAB3D2D0E744CB4C4F,SHA256=3928F8E564ED8DF9488092954FD05CC5A899198FE569590819538C2106B03B1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR7F.GIFMD5=1F12F0841B671234DE94D0FA50C11C70,SHA256=025CBFA874D6440FD2B9CA79FCD20E6CE8174F3F40C041EF4710AD8A8A6CF310,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR7B.GIFMD5=05327C66F9FEF2D675F7C568C3D8F0C8,SHA256=96A0D1A16CC759FB00075A1106D6B4FEF7AABEA3AE7E82F609E1E9534031B46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR6F.GIFMD5=F432921872D5A247D57C0ACE59F7291F,SHA256=66868DE38308CD2C757F55CD181C4559834D8E04BDC2F1F0143FB8258F31D899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR6B.GIFMD5=023C8A03AD51B53A3DF0C9A6023B8AEA,SHA256=675968C42D48557969E205E643213E2E8F98BA5D58C906E99A9182FB5C3050C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR5F.GIFMD5=8689DBEB36524AB87AA71BD777D0E5AB,SHA256=77A2AEDCDBAD462799775AF2DA72F82E44B2C730B67F9D4727C966A380593FA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR5B.GIFMD5=40BC8E63F05C0C0F6C48EA2D172A9D61,SHA256=0BDCCE8F826E1B560E942BCFB6D7B0ADCF0D9F4FA492DB8178AC3D77E6383308,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR51F.GIFMD5=244EE9FAA8565D4CEDE01BABB295FD9F,SHA256=7F7E15BF51E0C654735E7A6B30F965B486F694B7306A58101DB5CC966F00C226,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR51B.GIFMD5=9FFCF3FFE27BCED0A4380CC6F8D49089,SHA256=E770CE46264FB29D9B71706D4918A43F35A0E55A9C1693B90B54BA9879D11329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR50F.GIFMD5=FAE1B07DB885F523D5A418A3F613A383,SHA256=5FB38EB63E7B93F9353EEDBC1463744F43B343B8E29F9189CFF8C7364BEAEAA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR50B.GIFMD5=733053BC5F12410C226BAF3EE28AB5B1,SHA256=38F5127717E3FCC9AE0E49BF4DAA42B488B61A2C2875D75D327978441B09410E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR4F.GIFMD5=51A71D534C3AC39A17F07BE56EA69086,SHA256=6719ED2102689B794C2232131F82C5DEB3217CBAF554FABF81EEF5D62044471B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR4B.GIFMD5=4BB0CBB2368ACE977CD41891231E0364,SHA256=3094B8A73525E5A3D8351121F8BC5EA408F0EFAC969D405C3CB6FBA093E9CDB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR49F.GIFMD5=E7E6F3FB247C79AFA84F87C75E9EB4AA,SHA256=349FEBC90524DC509DD8685FAEBEAD72F9649A824993D15294E02DE2FB2AC6AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR49B.GIFMD5=62BB601A761B886E6D7AB2AE627A2D49,SHA256=87F05756783E5A5C502F57C3D18B8E6B866676CFEB422431ACC5DC30F408B18B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR48F.GIFMD5=9D22C03CB3777528211B868545341518,SHA256=61BDCDB1C8784E49C1FCDEC3317102CE7CA8461A74B2A1732C446D73407421D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR48B.GIFMD5=E6C5FAB2FEB8E9D28ED3DE49A3606174,SHA256=02505CF221187F138975DEE21C124CE1AF14C9CE6D1CA0E3237D8B5AF501F1F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR47F.GIFMD5=0553E5A7B44C848E2BA4C745920AC7B5,SHA256=07B1691A458CE260B2D1D1746EFB54D414C5FD131FCAB4ED89763D887ABBAD4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR47B.GIFMD5=EAFAAD5916E790109CDCEC75F15AD1ED,SHA256=C9AAC5EC3E7F4E4BBB9DD39BB3E37F5C0A18F619EDAC595286FFC2B7B90C28D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR46F.GIFMD5=FF2C7DE9C7C8AE4CC1B432AB1A6E7099,SHA256=C624FD8CA3A12C8D309A4D211AD841997100F3E1E756BC834D027283996BB330,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR46B.GIFMD5=2E3A4B8FB7C1BFEC6F2690257CD0CF79,SHA256=FEB03C2F6260ABD081E25FFA2823B62CC7F87095CD97BEA61F65A57D24445FCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR45F.GIFMD5=A18CB8E664394DFB0C8182E6A2967205,SHA256=3923FD88764EAF6D56A888C0AD1CF25BA3270CF8914B957AD3830CEBD6B5AD35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR45B.GIFMD5=010886E985C3885F38C21FFEFEAF8956,SHA256=120DACE675764DAF23B9D0BFF37A1A22691465CACFE51062CA21CDE188FCEFCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR44F.GIFMD5=8BDD5422CA1B2170566FAE8FB8F7F765,SHA256=4D82A05DC2C563E286500BB10EFD29DC45224DDBE94CAB7C3F6033811EC853C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR44B.GIFMD5=1B884B095F052C0DCEF1B0F3E3EAD191,SHA256=F3FCC6036EE6C83A09DB5DE433FB162A3FB93F64DA7BF14E1C51C57409661A74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR43F.GIFMD5=B5E6D93669E4198D89B6AC9F4558D3B5,SHA256=3DE0798B2F83086200837CC61CADCAFCCD426D87CC2FF35757BC2C4D6DB30A01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR43B.GIFMD5=FF2BDFEA8E884F30334462D39A170A9A,SHA256=18B10C147187052670FAC849432C3BEE159538A7370435F44CEF123AE4483206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR42F.GIFMD5=9B1B7D351304DB1A947F9878C1A265E4,SHA256=86BAC590479FC6926464181CC1AA4A7BB0218C4B7530249CD7FEF4FAA8048039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR41F.GIFMD5=30D437F7EAFAA2824CE40252374AB84D,SHA256=0F8CEF90356B2B675CE2069E18AC9A24DCB59FE4B7DE68D973AC87741EB37B4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR40F.GIFMD5=B4941512BC30B453C29AA7E9435CE12E,SHA256=6B033912B2ABC66FB52B7B448F91D2794226F8BBA824AB38C7BD3104734E6EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR3F.GIFMD5=BC506A880994456F33158460D46E388F,SHA256=492D6F758225FB7ABD86CEABDB9E34BD556A7BF5A87A749E197D0D07661CCEF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR3B.GIFMD5=759110FDBED89F718BDB57FCB45919B8,SHA256=C54D5625097EA04E323D655F2F7945EE7AB02FA7D68CF7F24B7360118660A805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR39F.GIFMD5=6EB45B67B56EFA231531809BB4A3BEB4,SHA256=97BCBD958B3A5B77AF42F9E7DE4C12FF918F9BC32218AD50ED18512B0121F521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR38F.GIFMD5=2C0B526BBD9680C73150904CC2C5769A,SHA256=D1A4869C37CF40AEB5847185188774BF9A9907790B3FD3735BA96FCD8353C0BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR37F.GIFMD5=ABA270FE6861B2B34679228CC1E8C251,SHA256=730C2F6181DC37312C6DFD52D3101EBC772D33A2A4589399D6EAE87176EC07D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR36F.GIFMD5=4FB3DFDD4E23B54648DB5BC6317DB497,SHA256=BA229A9EB702084C1EE642AAF8C44CB14B94D3D80FD3DC62F350EE89938DE1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR36B.GIFMD5=B5DDA272E1D95DF874A07129584751A0,SHA256=EB2B429DEDCE423C7C39C9C502715D350BAB5F6FCEB8426077D800DE488F79D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR35F.GIFMD5=4DF989FFD4594D9854C6B5F21FBC24BA,SHA256=3E78ED526B58D6227A6EA6568DCAE3668E2F5B7ABCEA92BA678133054B7FA2A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR35B.GIFMD5=3187FB8467FDCDA9127668B5333F8F25,SHA256=4822AB091F4FCA0673450E3433716B89A08350BA63136B4D66BADB93BCD42E20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR34F.GIFMD5=0DA918F6C1D4AE83E6F2828B0E85BCEC,SHA256=48D7DCC85353294748EC7ACF2A0D66C12714B4AB1892B38BE6C0A75D1800A811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR34B.GIFMD5=82E3CC56F6AA2270D45C933D6F54415F,SHA256=EC8C02338CD72C176E083E82A066FB044A9A2D109117495C1E9BC75D5250E293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR33F.GIFMD5=FDF349A95719A62731CC7D1C96CD4A7D,SHA256=8B88D43AADC8A92D46C5396809587EF1CA844D9926ED83E095F5431230D71BF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR33B.GIFMD5=9E4FE1879C6089A4B0B1B148119A03A3,SHA256=AF38FC7292581E2055E3CDF960D21FECC4C2905A2C2E75CB20749CE17BE322FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR32F.GIFMD5=ED88E6C883F9AFE74CFF31A5898E22EC,SHA256=B8C57637E0D316E75B00CBAF7D49D699A158FC6120756FF991BEEA1238977295,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR32B.GIFMD5=47AC7C1850943F88E706A0C9355B365D,SHA256=70AAA3DF4BAA282E3047EB8C9B506EB49203309D63E0639688F7B9C862C81A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR31F.GIFMD5=83B2D3CE9F22038468D8404A27F93AC2,SHA256=AA78B1EAF31A25BDE17BC715451844C86F1716E80FD611668A55C40D24756146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR31B.GIFMD5=77B151ACFB53FDD55986CB2A1B5D27A6,SHA256=C12A77E011CD554FFDFD03F0073C194552451E873CE13D63A1D7549204DAF2A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR30F.GIFMD5=2793CA91D8018DD9DF06CAB6C17FA8CC,SHA256=A69CC68E6F5A55F690B937FE9850CA05A9F8EA1033FDEBD00BBD223AD5A440A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR30B.GIFMD5=DECA3CA57A633F7A143BD18FB9D759EF,SHA256=55A4CF5D56EEAC19ECDE6E0FB17B2B6F997523406322BE548E858FC8FB7A05D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR2F.GIFMD5=5152383964D9D6D04BF6345141A287D4,SHA256=45976506AB75D457C6FB49D985682D9B3A1DC2942CA8F6251949550EB3347E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR2B.GIFMD5=E33C6A779E5E74FA503A712B03B3C319,SHA256=741C64DB95E8A1154DAAB589DC5E60CC3FC34B7169CC2855ACA70647EF38AB8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR29F.GIFMD5=E4AEA994DC82E4C3BA1E84CFDE280FCE,SHA256=33B9BF35C10785D2D6A3FE0DF27900EF06F2E1F8BE0ACD1967D2C26F98C3A04D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR29B.GIFMD5=484B9D195F7BAFFD6C3D55F740E9A745,SHA256=44B71FAF49F0FEED4467B8FB7EF229C4389AECCD95C75136C7FA6A003191D8F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR28F.GIFMD5=C95ACE2B7A7EAA2C383FDE8E6997AE6A,SHA256=C6FCD0E53EB210C65BA1849EDC03152E4BDC1B6576A5ED86CEB3EB5487B7B737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR28B.GIFMD5=F5BB9B4DE72EEFE5D61E97F249CB2C29,SHA256=86132DBFC3CB7C8CE0449F7489B93BAEBD39BAF2C308A7AFA9F54E9FEFDEA4A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR27F.GIFMD5=EC8B343F01C949C4FA951CDA888E1898,SHA256=33EB6F289BCD0E539C984BA88EF41EC9AA24F50CAFEB297A48D95A6C45ED30E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR26F.GIFMD5=AFC698A92CE7207D29DCD1E5500CAA64,SHA256=3B937EF2BF4E14207D5446255A72AC7145EA51F80FEDC593EA7C05A2274B87A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR25F.GIFMD5=BD0C382C09CE2545E403E2814D13CCBF,SHA256=823665B05B105E45D9DF005F6B6853F0D0EDB12987C6BFFA71DD1CCB451A0F06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR24F.GIFMD5=BDF4F4F6F143215D5D95EC8B23EF18A2,SHA256=8969A46C1FB1727118C337C52A7BBACC4873F65343A4181717E1B6C17180C57A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR23F.GIFMD5=8F752E6DEC4BF3A26754D25CAA50B7C3,SHA256=48D08765B22056A23C0E2E715A4E1CED492E6FA4CA8D00F5C6823306E19E9036,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR22F.GIFMD5=FDB2A6B478F05480DB620C89B36E44FE,SHA256=743095CD3D8CBC11B8B3047C226352EC8D8EB3B9E9CE34A3A31040136D3CACC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR21F.GIFMD5=8AB9FFD1761569B415236DE2C5AC94A5,SHA256=4CDE918C7F01F53BE4A421579614A9AB4A3BC4D9FA63182EB91764F31074543D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR20F.GIFMD5=7054771093869151DFE4C878403A3603,SHA256=D4527E6C8FAE866E4C5FF406E76AD130570DAB79F1BE201FB25FCF0EF4D8CD51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR1F.GIFMD5=EEC45566CCC469EBC5631FAD063548C6,SHA256=109E26EFC6BF45CBBFD2E855E88A2CD371824D664CD0B04542FD0EB301D54318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR1B.GIFMD5=754A0E1E2AEBC1EE85E6802C2C260E65,SHA256=1B078666B9BE6703D1966474EAFDA7A1541F4ED86BDB974FDBD20E4CCD675975,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR19F.GIFMD5=C7CA47018E0F38344A57A6B2EFE1B6D8,SHA256=65D2F30659A422EFCD89E53F09AFF7B0B9A3A6E8F4DA2EAC95AE1D8C3FDC9F88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR18F.GIFMD5=7FF0BF5F12946C0E5F4EC8660311F9F7,SHA256=A929D685D51ADFDA6AE98F2A33AC4FE4F2D9D510DEC91D247EAD8360A52800DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR17F.GIFMD5=2795A20A1E48EE3B3FBC611CFFE36D6F,SHA256=C6B22C76843C0DB23824560F846ABE46FCE48973F199FC2DB7CC56E1FBC5B9D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR16F.GIFMD5=5EE8D613355AD3439BBB7D305B601350,SHA256=BA873140EF958A1821F36EB12D27E635E5AC6D86CD2F3F6434AAB49A0CEE563D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR15F.GIFMD5=C9F3DEB9EFB7C940EC206327DE5E0BD6,SHA256=116C4F398C574C7C72322CB80EB766FDFE64F73AAE3578B47BDD95EEF04060AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR14F.GIFMD5=DF03692045292C2221015F8CB2EE26C3,SHA256=0021718E633BB4F17581B0898B137EAA628A56E566836C774FD0933B2037360F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR13F.GIFMD5=D362B2D6C8D3229AF0BD777389E3F2B2,SHA256=65B4B97DBE1897FE7E4B4A5DF311438563C124F9008BDC7936E4A5CC51A1F4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR12F.GIFMD5=BC267F63F56638EB254213C7802BE13D,SHA256=541A8209BBE6F13F47A3C9DAB21EE84148191F23E485E40AA7CAA8AEC80261EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR11F.GIFMD5=51F56C2757E8234474CA76040104E77B,SHA256=51CF49C7C853B34A19DAE168C0C1950387DD61C3B3D13847D20FCAB1AFD363BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PDIR10F.GIFMD5=E6995B2CAC8EA3D2B91CF312A839A90F,SHA256=519E8308833AA911C1AEFA6CFC59E7FC94E81F1FAE47BBA229136B415799E03F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\PAPERS.INIMD5=4DCFCE92047B3916F360928A52F03E75,SHA256=49C0011CF4F97ED84564FD81A9473702344713EE3EFA6EA8FA1A8480B953B448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME55.CSSMD5=0D452D09E337DC95EB045A546A109B20,SHA256=7F26A65B53031FB7E1BB5A58CCE533445E20E536BFA88F29554246AF7ECBCF67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME54.CSSMD5=A03CD38596C14453D632E220D99268BA,SHA256=11A7753F1A83A2113C3C85736EBF83E2A06117925DA8A468D481D1CE51A03A8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME53.CSSMD5=927D6D8FF5B570049E6F9525A6CA7093,SHA256=F72AC6AE0A6D10F99315B039E877956CB1270A301E4514AE1205176D36D4198A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME52.CSSMD5=001D2870959C5E9F6E6E4B02C376D9AD,SHA256=C95E55529AE8FE7E4EBFBFD0137D678A29A7B75BA60C82681A3DBA50A2FD50D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME51.CSSMD5=043B10E4958E08DDC6CFB2877819FA2B,SHA256=617EE79C4533A7E9A7EC0F35F2AED6E1EC11502E18B1D5FC6C80F3282296FEFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME50.CSSMD5=6585C4B4B2772A5D93CC1E89DA6828EA,SHA256=8C25C35B683A5DC055EC35514A578966526C1893A6122D23D90A90A8EB9F645D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000327015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:13.440{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50995-false10.0.1.12-8000- 23542300x8000000000000000327014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME49.CSSMD5=6B97DEBD3AFD70B6AC2AFBBA2404EFD6,SHA256=DB05470908BFFE869B399AFE1348F968BC3959364EA46703566828327113875E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME48.CSSMD5=467A311773D0DA96E3F583DF6407240A,SHA256=E164C6C189673346FB3647641C023D5CD76017EDE09DEB80F42063DEBF0AE428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.826{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389051EFE120846B4B8C3E007B7B37AD,SHA256=C9867E54BB7A44043766EF5DAC738BD077C572B3D90DBF3F4840D85AB6E1E5A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME47.CSSMD5=98C11CECF55DD840892C60A9D73CE26F,SHA256=C15F6AD41D54EEAA4DB624678BE12ADFCCE1BC5C951BE0968533C306FB00B2FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME46.CSSMD5=81AF8A22F14396B7BE44496D8FC4B7A2,SHA256=FD83E52575634CEEA0517ACAECEC0ADD33AA19376FF7B531F4D3ECAC449B384E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME45.CSSMD5=9B7CECDF635B3547ECF77275FC5EC0E0,SHA256=0AE394605BA6C75B0EEBEF77CBD2F40A682232023E4601E32687B6E7CCA4C8D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME44.CSSMD5=71FB0EB57512264FB321208F63DE2052,SHA256=93A9A9581DA34438BCB13FD5A163F800F71061C1206945F9049BB4A64148817F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME43.CSSMD5=EBC22AF9A7C6B3068E19C5DC10AC57FC,SHA256=DCE989415CBF99B40A480A97665927E2D90EBAFFC926C9D54B724EA9FB64368D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME42.CSSMD5=DEE76E8CE0DBB86E6A38B3D442FE4D1F,SHA256=B76000CBD304E69B79DCFEA707CACCB876543066BE340EAE709FD18C5C1BC780,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME41.CSSMD5=C8874A3DD4791510DD66B69561AB58A0,SHA256=E282ED68BE473C80315935FCF7B0A84CDA257D204CE75DA19D1D53BBEEFA240A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME40.CSSMD5=45709F0829AFAA9B04C858EFEBF9DE7A,SHA256=DC7C626A146AB5783AEBA640B99A52095D9A336689360F7EC29917DAF803CA80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME39.CSSMD5=1736D144FDC0C953103C1C5A85A484F1,SHA256=9C74CB78E2F691CE2ACFFFB51E74C95AEF8A0E810BC37067BD5F21DA7E009CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME38.CSSMD5=CB5CB2310B89C068B82BD54C36265C07,SHA256=14E725854CC7E446F40CD1D4423AD062B4E615488E0E20DE4C294B882A5EDD65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME37.CSSMD5=653A88DCCE41BBE84667B8F387FFD130,SHA256=FA04459D439276E0224E519B1365A1933907AA47C0A9C8508B30861A438BC388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME36.CSSMD5=39EE91C121788850ECBEABC84F1E553C,SHA256=1FAA84DE31133EFBE453E686FB2D6981BC005CBA5B14F1D5D5E26D118768B2FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME35.CSSMD5=45935390B44D4FABB3CD6C01625AFC84,SHA256=B1717FC39504686CAAC01089F135A0F4C4803807755EC91E911B8D9878AC28D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME34.CSSMD5=DFE7F22FE8EF16384F129FFF45E8CB92,SHA256=94E4EAFE9DA3599CE4C6AAFEFA38F015E69F6BE174D783C5BC63746C4A6DAAE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME33.CSSMD5=687DA56449A9CEE3A7A9292AD0D6ECA3,SHA256=64161D24AD31C30DA34B9ED4C528C0AA7962A2BA04C08E4ADFE5BD8BF82D5508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME32.CSSMD5=A7F0A5CC20652B15FF89F41BD3613B76,SHA256=EEBBC3A5E45DB8707DC0ACC4181A0DC5FC3ACE8EBF847AF676BAEE849FDB6404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME31.CSSMD5=D2513812782DF6928F2113155C2656E2,SHA256=033B0D10A2F7C30336252A9F465F7B3A93154322DABBF62542CB0D1728A01CDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME30.CSSMD5=8EFB9CFC8A96ADE8EF7E833A6D315817,SHA256=CE1159C274ED5E2B64FCA54DCE151A0161F0D2D62FD3E4B5BD1F493ADAB37175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME29.CSSMD5=2EB302885B8DA428D9EC6A775D5E70CA,SHA256=0FC903A38613D79CE00FD652C70277E4E13927D3B179610BF5DC0DE5954E0F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME28.CSSMD5=D97122BCA949234300616E9C6ECCE184,SHA256=7374C5F2D72BD1C7B624F7231124E6699D14348ECF771345797203E37B39A90A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME27.CSSMD5=E0039D78027435EEB7E77C500375C0C3,SHA256=1208F7BBFBD3F9CB2B023C2755F2B2340A1757FF44217F25664FA02CAA29CB2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME26.CSSMD5=F444E1C79489DF340AC963BFC8975F85,SHA256=9DBCF889DA4E5DCE2B1932F6D77DA92316799692BF706343045AB120D29BD7B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME25.CSSMD5=B2945477E07DAB3AEAB8BBB62D8C50C3,SHA256=FF5EDF6D95F8720B09169D3E85F8BF778F6D66716F3818ABD2F7DBFFDE986919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME24.CSSMD5=2978FEC90562BE1BFB61C0FF4E46E85E,SHA256=10EB94AC9A38C461B573E4239E9DF8823DEAB32DE96C03AB08AB22F5DBA6F7D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME23.CSSMD5=553445451434865CDB76C0EDC7E58C0E,SHA256=824CDDE78FB33CA66264C01AC0127E8DE2A21BC9E76427AB34C283764AC052BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME22.CSSMD5=FBE1D29A17B70D12CA2936177DAF7FBE,SHA256=FD58335BE14C63EB96346334BEC56686D3D90AED531B6455F4442A53B7D0198B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME21.CSSMD5=37277D07E36547AB0B61306631FC0B16,SHA256=0C5CF8CDA156E78992981147E693D40235DB325BC1D785319B613DBE6B7AAFDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME20.CSSMD5=6D507BB72278B5550D6C2096035A6785,SHA256=2399EDB11C8C290F272D77F93BC79DE911C5828C933B89590FDAC39DF3FD2E35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0437C086BE44FA33C7612CF259A60B,SHA256=4CED3513CF13AAC0D58F2AD86821F4F41701D1430DC3EDF137475112A7DE728D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME19.CSSMD5=DC3C892C7CCEF86F8F746CF4ED061CA3,SHA256=F265D48131E36A8BC6D6B42CF4FB3551212FAB63D0C54929752BB0B1D23599A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME18.CSSMD5=6744451DF1FD4F93361BFD9852048065,SHA256=3D4300B003247F9A8EB01BCE00822CB8ACD2CF2440EA974A234461DD71248A51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME17.CSSMD5=BF04DC289FFC872AA61FE64AFFA41810,SHA256=B42EEF24EE9D2307AA478D71515A9E8EA5F580DBD521F90A4D3AA00F455623C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME16.CSSMD5=4B6374360F4ADA2366824FBD63DBFD6B,SHA256=7CA54EEDEBA7FE937C48360969DE4605D7C60FE9A84B568F9FF317D7385A4D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME15.CSSMD5=3CCE7EF8B5475CB36BCB639D1608B530,SHA256=F6A394F622C19F652F212373F0044B9DA0A930B3B3BA94123306243AD646FAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME14.CSSMD5=C11C1EC9D78784A0A2A9615F0F3D822E,SHA256=449FAC9E75D21F76AE8EBCA041ACAC26EE1DB548AAD4E44CB854B9DF251617A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME13.CSSMD5=8E929DEBFF3387642F4F7F7672FF9E44,SHA256=560E1C57441C98584FE35F33CA0B980429928D0439E89A29647E291CF7B0CA78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME12.CSSMD5=769B0234FD6ED4481086B062186FF300,SHA256=FE86A92168E408BF0CF7E7DAD59E09A620101F0193FE6CE5818355D4C09AB929,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME11.CSSMD5=C1392A1ED9291D09C93A4692633742A9,SHA256=BEC953541F9DA8EDB1EF91C5FC78A0BC6C48D611A67653F79FBFC46251377D9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME10.CSSMD5=1421A07950AF45AF29723E77E88A82FE,SHA256=80BF69C351775C6404725B6540B6258A5B61F30B441AA0A574942FCE760AFA22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME09.CSSMD5=D139F535C281138E4CFA8EBDE98F8F8C,SHA256=14410D7E5EEB18BAADD117F88006852E8AF9B0F872AD68169242509EAE0D6A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME08.CSSMD5=01089B285405681ECE372542A86F4F1D,SHA256=4810C94B2C7BA57D792785B53414C80CE7C57B99519E53F675865B7E1A9B31A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME07.CSSMD5=160EB1BAB31D3300039D7592F9E64484,SHA256=CE8AB46415CCD86F74C4F27AA903EEB0DAB9F8F429B94649ACB4CA038C0A0DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME06.CSSMD5=35AEECD3249E5E23069E0611F7C45B5B,SHA256=90136FEC058ECEF8FE4356D70236094BB6969F204248D7DCAB22E164EEF006A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME05.CSSMD5=CC4370E7ED6BA8A513B7806C176A1B24,SHA256=81F1BC02B2C9B3098D13E6F89DF9F3C6995F91BA0AA21820E425B69D1DC481DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME04.CSSMD5=811C6CC1B054FD7FD1F5BF6CEC87D55B,SHA256=14A0B2E88067F44526CAAACCD8C8777BD54357621D3EAAD096C8F6C91EF41B7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME03.CSSMD5=9C1F747AE8803B49D4B6781FC2B9EF93,SHA256=0D2DC96125B7A3543642E367EAC093FBA89E376F95F3EF94E1EA8AAE0B41081F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME02.CSSMD5=84A593FF70A2CD07E91B920C1BD7C42C,SHA256=153224766855B2E9CD49FD0B94D481D54FC85D4D06B7B7BE304C559FD941C173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\SCHEME01.CSSMD5=A8DE447A639B15636E8A66E26C86FDC6,SHA256=84383877BE0419BE39A7F3E8361734404DF053940D836103B8C29B5516846F90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBFTSCM\FONTSCHM.INIMD5=3E1E83229DA76CE9C58DA07908B9532B,SHA256=949C21A9365F139BA7242E7409956CFAADF4185502CED5F11380102B13A0EB11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\DataServices\FOLDER.ICOMD5=A6DDCCFDAD18D5CA7AAEB168B6D02253,SHA256=3114451F95C7FB8D7D884A19C724F6C7FF906B6D9BEC1BF7C6300D2CCA4F43A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\DataServices\DESKTOP.INIMD5=466AFDBDD30770A1A6B47AFD85099E82,SHA256=D63E228A2173E58FA14818AAF610E9E6676D2D9836C5C2ED83BA6A783B7BB999,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\DataServices\+NewSQLServerConnection.odcMD5=149E8C684B9EA9887DD2E7E596E7187C,SHA256=43B12E68FB3B5BCC4099D796FA670A62B116A894437454A20050661DEF9D8816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\DataServices\+Connect to New Data Source.odcMD5=16A8A9A2B0A8B65FAF28E1007DB6733F,SHA256=3A13080059292811E5AC3F9E8B04B2C8EEA95D6A5538116AD751D11C834E6056,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Bibliography\BIBFORM.XMLMD5=FB78C57E0E039AE4B8CC688DF76C966F,SHA256=584BD28F9C967F31E34F395C50D5E32EBD08BD38F0EFB9C433ABEA2C489416D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office15\pkeyconfig-office.xrm-msMD5=B7786A85291AB8B736718BE0BDB8C8E8,SHA256=12321543ED69DE70DE79CF9066AE68160F8D4375FF8DEA1360AE1E41FBE7F357,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office15\pidgenx.dllMD5=EB816AF86F911BBFE1DC0B091DD40F83,SHA256=17A52D5BAC977C3C71E95D5F393573625C2DADABCA5D485F39E33C4B0E457D92,IMPHASH=80CA698E066444E9F8C0272252110998truefalse - insufficient disk space 23542300x8000000000000000326955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\loc\AppXManifestLoc.16.en-us.xmlMD5=6D2648020BF16CAAF42DFED7CEA1BBD8,SHA256=8881FFC1A2439E2FFF086FBCBDC57A1C41972663D3A869478209E30214079F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_MAK-ul-phn.xrm-msMD5=084EE7FE68544E1CFC63D4E76B1D3F10,SHA256=80453F0CF5BAEB01E7C1678E55B7DA5FDC06ACA4C9AAF7259450AB7499C502AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_MAK-ul-oob.xrm-msMD5=78E088EA0FD78AF1FDC36B3159403507,SHA256=E5FA53992628EB77E363AF6690E47AB5330CFC549E8724E53311DEB5F0E3EABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_MAK-ppd.xrm-msMD5=39939C822F66D93AA22987EEF8E200A8,SHA256=24C4D0219023053F9DCFA65DD4457273652A7DD09BB1F1012336DF835FE13266,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_MAK-pl.xrm-msMD5=7FAF64CA49B12719F5E51A0FC5FA0089,SHA256=9E6BA012055458E9A78BB9059EA6884F6AFAA0BC994BE9A37BC826EB970FDC1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_KMS_Client-ul.xrm-msMD5=4BCF2336531EFAE88DA2D6786C1D1DEE,SHA256=0CBE9299EBA4923C68BEFE47C478D828B40FF6BF9EB7DA95247C220FF56ECBD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-msMD5=9A2295EC53E9D6DAD17D0AF17535D143,SHA256=92144F9FC36A3556654464F7E98536DBF7835459B8BB35860AEF7B0CD152EA9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordVL_KMS_Client-ppd.xrm-msMD5=33929E2B646D3AAD7FEDCEDA60A62079,SHA256=72B55FC8050D7168709EF11863BD7207AE14F9B7E2E4837BE7FBA8CF68F43FAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Trial-ul-oob.xrm-msMD5=4E93E1B936D9CB11F3726FDED87C54D4,SHA256=258FFFF80DBE77505B8E0621B27969E4B6DE8E7C14543E3B8E3749EF589D809B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Trial-ppd.xrm-msMD5=112C6B2A7FF045D56C0484001D6155CE,SHA256=15304D92662C3A040160A51F085C3D6467C09956CD2584E573D048CAAAF65071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Trial-pl.xrm-msMD5=E447842A3903EFC5F4F86226C030C522,SHA256=FC590CFE7AD2DDEAD0BA4E404D3D5FF1960F2F4474B102EA026F41403223EF5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Retail-ul-phn.xrm-msMD5=2614217842FF67C9C507016115EDFD6C,SHA256=A15AD8AD6BEEB635A63389B7E5F1D234493637059FBF1CD86078991ABCA47878,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Retail-ul-oob.xrm-msMD5=BD670B9E49B0CEB2513CF0C9529E3F8C,SHA256=31EC3364749EE45EB85C0F6E6303A8B17EE88C490E7754AE569C946D85812EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Retail-ppd.xrm-msMD5=E93E93D8105840097F7FEA60F8037D48,SHA256=64AFBA05A77BFA78000FC72E9F546DD5F63E6A847B9B2C58738D2F1E558E4AB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Retail-pl.xrm-msMD5=055F74C722FAB913C34762A1CDE876E5,SHA256=9554CA8AADFC7BBECB7BD8CE18BBE85607B90DAF5DD53AC880C0E0AA0411B3D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-msMD5=57CEEB503FE2FE661D26541CC169BFA7,SHA256=48E2F2448CDE67AE0B5B6F5E9B016730452DBB3215A769BD42120737346B8A10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E4C0263A5BBF00313EF95C6702CAE1,SHA256=48A06A10CB604419912C6AC9213769DB27DC0DAD9D9E16A16FA3082B46C0AD93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-msMD5=B03353275288E95A7B34F0D10BAB0C98,SHA256=DF92182547126B00EF47B72C2F9CB68D59915A74CFCC728C9580A4E31FBF1986,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_OEM_Perp-ppd.xrm-msMD5=1C585BF80EA7D08980A8DEA0707D2B66,SHA256=863450A9701473235A29689A83B3B974A4FECE719859420AB930D7AA5DCCC7D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_OEM_Perp-pl.xrm-msMD5=658AF3A06AA55EAB8FADB44C82828DA4,SHA256=89817A4EBD9EC91DF1563D474E6813DD6F96405CB230B4CD05AF98571227C20E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Grace-ul-oob.xrm-msMD5=CD9053BD7974769D3B70638AEEAFA106,SHA256=C2E567E6D81760955C08FB51FFAD9EE6F9E2B9C348936741C0E1EBCE2F0AAD86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\WordR_Grace-ppd.xrm-msMD5=C46B6989591D1D6D72C79F1766326B22,SHA256=C4B4F705FD598F0DDA09286A773BD9C6CB5E1BBB816CC40864AA3C203B4167FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_MAK_AE-ul-phn.xrm-msMD5=1AB29996D60F86316A129BBA4271EC68,SHA256=86CAB216573F25B6A1F3F2FC345949FFFBF04BDAB6046535A5681FEC08CB31B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_MAK_AE-ul-oob.xrm-msMD5=10E0783CD5043D69764C5BC453C26DB3,SHA256=371E977F4D94030165220264235238A18E1391D13B1D9A211FA77B8D0AE9EDDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_MAK_AE-ppd.xrm-msMD5=EBA08E6BD3356D7B26E7B17CBAA3B9A3,SHA256=AF1F0A1F3D1382AD40ABF467716BFE75F2BCE00B8A450BA433DFD1CA99545730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_MAK_AE-pl.xrm-msMD5=73DF17AD1B46CD8B4D61B966C5F6F4B4,SHA256=9A6C53B66202F111E515FDFD6424F7B9AA28AEC29E8EB83928812ED3EEED29D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_KMS_Client_AE-ul.xrm-msMD5=F727F6FBF662D84082024386F333AE35,SHA256=735FD14834695A58F97578E2273CE753DEC5C2BE6C1DF6E6CD8D9DE492794D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=3CBBB3108BCA660A0159DAF886B4BDFA,SHA256=21CA1D47A1D0B3E72327CD9FBFAD2959FC4C4FFCEE29A9C25C186007C1D09160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021VL_KMS_Client_AE-ppd.xrm-msMD5=818FA1C9C40896C89ACAF685D5406EA7,SHA256=7896D7AE21F772ED5CB5D0F6252EBC9089EC5E0DBDDBD676A4CE640430F82274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Trial-ul-oob.xrm-msMD5=754265A1422094A953201CF800633F4B,SHA256=969C700BA8320A4FD42C3984138BC69A0FA3643B03B3807C5867AA4E9D0BAB9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Trial-ppd.xrm-msMD5=6A09BBAA24640340EA3DA532AF1383D9,SHA256=E5F2341E07237D2CC4FFDBFD432B3C7A6A6BA5996D400A03638A6A7311185824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Trial-pl.xrm-msMD5=6F5CB796A22F72FDD90AA28625AD8DF4,SHA256=50FFB9928F3C6261A5D57445BF37C874738133730316EB6B7FE6405366806BDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Retail-ul-phn.xrm-msMD5=C5A2CFF1BA2200979E45FA5205708B0F,SHA256=D3D7E027FE7D01F9701674BC84FBC5D0DD30A69FD682059AE7DC6B6077F57593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Retail-ul-oob.xrm-msMD5=C0A00C1631F6C40DFBD6AD0B52122731,SHA256=502B4FC8AC60F96CD5989C7916A51792ED62312E73DD01F69784EA66C230032A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Retail-ppd.xrm-msMD5=68F9D6959E30FCC167D22C3E8BAFB855,SHA256=43758EC40876D65AF4A2D6B1AEBACED673CD9FD76A8BCD4883793D4947FBCB9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Retail-pl.xrm-msMD5=FC6C1DAE19BF6D737C66D9DE85D8D666,SHA256=A24427232D8DF0DD4209E63C60B155857D521BA2D7FA8C0A91CBE0306A808040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_OEM_Perp-ul-phn.xrm-msMD5=AA1B3E34C113E81A03C11B62F62A63E7,SHA256=F225F5DE45CF71074BEB8B81302AF21B44818F3F67A47C29967AB3DDD8116E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_OEM_Perp-ul-oob.xrm-msMD5=4A9A4FFD5A608D7C7F30C2A7DF382F28,SHA256=ACF552EA927C9F7AFE221DFFA62C82AE5E75CBDEDE2D1A9FD6DEF39A85F3D703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_OEM_Perp-ppd.xrm-msMD5=16ED6D513CD4823406633B6CE5436036,SHA256=B93CB5CC0F666391CE096569ED25E587C3A05453481409C7B05F53D82B45B879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_OEM_Perp-pl.xrm-msMD5=AC87FB31190ABC6704441D706E84E17F,SHA256=E9FB35C1D20A7C6E65313E788BEEBEC2E1C9DAAE8344A021120D019582BAC351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Grace-ul-oob.xrm-msMD5=72ABEC0AC560B7A9B34105DF31F0604E,SHA256=226CA5AA69ABAF1022DAD1FF27D1A4867C269BA60599DAC02205049FC454E825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2021R_Grace-ppd.xrm-msMD5=46F11E4D14596E881E8366D9A13D8C87,SHA256=91599D30188A796746C053B8B2E129FBA1F29513A2E995FC6E9E890D707FFF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-msMD5=09B516091F65421A979E9516A43A4F2A,SHA256=FB32C0ACBDA765B124CCF0F240D23D81A36BE66573E382D9C3BF5AEBFB9FD835,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-msMD5=D70FE6BAFE49EF0737DE0CB805CB8DEE,SHA256=2BF6ED68119E7BBDE7B42BC3182F8194B7F80BC6F841AADCEDD4A29F4C1B798D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-msMD5=BED384745A08A7B05B59E02255DA95C2,SHA256=1223D6FFAEF7490EC8B94C103708B1BF94B4235DDC2F75050EBEC2C4D346F9EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-msMD5=9738101FDEEE54B55CB86BE4915CA94F,SHA256=15D0CD8044C0E9BE9D93FDD147A7D7901A109D2D7EDB947BD7764BE2432A4D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-msMD5=5F7A3988D71D6558BC97B3A4105ED963,SHA256=E53F4D8004D213F4D08D22491E426B956D12534117A7DBECA58B8BB85F7480A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=97341DFA66366EF86415266AFAE6F95F,SHA256=2A7F4AA5BAB786EBC89B3E54B4C6D9C45CFA352955E3282B53A165A576FFFD25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-msMD5=85D30407D685D6111E9C70BA2C095B60,SHA256=98EF60E6FADBFFD1A67E82EC3269D2F8BE2D1EBFCF82F0CD8DC17FA984CBC5D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Trial-ul-oob.xrm-msMD5=5FE3270E74CFB1F4530D1168D1B5F013,SHA256=778F6FB148C3E24C67B2077914ED1547304DA884D6A9EA7638580CFEAAE47E70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Trial-ppd.xrm-msMD5=81DBA5E08A6270F3528EB91E04B3DA35,SHA256=9F8E9C9E03ACE9515CBEEB94C67592547CD06A58CB53EB805C3426492C1851C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Trial-pl.xrm-msMD5=6C0B824562A8F49E8219C5482589C38B,SHA256=26DD60DA08AED8BE78950CD0448FB69320FB53F72D9D3C7C3C76DDE0C5880031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Retail-ul-phn.xrm-msMD5=53DE2BC473CBAC7F2C9E1153DFB930A5,SHA256=4E3462D0F30EC19C94069B95ACD2C3F3255B4D8D1DCE41AB041CF18BDBF79D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Retail-ul-oob.xrm-msMD5=B13FB43F73EB93C5838DDDEF63890416,SHA256=3B190F6AAF28EE3295A49B10E87298B36BFD41C58B1FBCDA64F966CBF0135D9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Retail-ppd.xrm-msMD5=E5C6CFB76729AE7F7183CBB9670F2F7F,SHA256=BB106986C28327BF92A329A83F4E2CCCE432AAAC482B1818E5F43AD79A4F60DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Retail-pl.xrm-msMD5=1843A3EBB08C647C5169FA371770D33B,SHA256=27EF42E3FAF8523B104116EAC35C485BA19CC3A1F052F4C54B7389170FFE86EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-msMD5=DC4C741BA2B4F73088BC95FEC2ABB376,SHA256=8B46FB4BAEB32714AB8EC4CE6EA72E52A16AA7FE9378252CBC8D88934F67B095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-msMD5=A5D5FAC8695BE97D3A74FABEB2012998,SHA256=C336B816DDBB4FE0658F4690BAEA62186C181CD3AF71B149299FE1FD5EAF01DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-msMD5=368D8B9D456C7B8D394845F602B6C360,SHA256=D4B91453485074E2DFF06BBD51904F455CF99F4961BEA4A09049386FD4FE08B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-msMD5=D25492C2394214F9F3CB0D22C2E4F83C,SHA256=3450FD22FCB6BA118B5A58823DF7D6390F4F550F91F5075A0678C4346F58F743,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Grace-ul-oob.xrm-msMD5=564BCF7E43B0D47545AD3C2B151DEB23,SHA256=7A954E992877EC30DF8663B795472165013CCC530FB1EEB3643876CB291493E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Word2019R_Grace-ppd.xrm-msMD5=EDD12D897EC2BE111EC7290197827C10,SHA256=DE746B755DDED805C088D733D3B6A7372CB48DE37830CA9E2D16B6C779CF57B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-msMD5=32898DB7219CF77D3CF1108CF512D5C6,SHA256=AEADA4AF6E38D5EE4C3DC04C480E09561845C454A7BADCABE9C577BC0D81E39B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-msMD5=0D15A6875B951132A5A92D807415E5EA,SHA256=10D01A88AB2A6D5A001589768FC84115E72EC87E369583F0F3627394EDB11789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-msMD5=9FCBB7BE0874B07D5C3367962A36B8C0,SHA256=D5C741AA272C18A4F4BFDFC1BB4B6A77ABD1A7B7022A8B6050A5B512AAC12590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-msMD5=B1F8AD5DCC034FB26B9532BFB61D4179,SHA256=B2DA930F9D3EE44AF9E7657C9B51A87B397FA0767719887F6E521C57079E7D6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-msMD5=2F11F593F0817293D5F3438F34ACAD6C,SHA256=09CB68D44F2D890ADFF41FDBBF441B78846F834996BA16B2034AD90509743E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=D36A5663FADD3FD27B55178D5BDD7CB5,SHA256=5CFDC5D073BD6F1DC9FEF3623DFC9018904538AA8A1968C4834697E6048B7621,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.496{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=BFD965CA0993C4840E0CCFFA52F45E83,SHA256=040B15EBF382C82678CFA945C1E037C8BD0397CE60D82EBAA5BF4ED36F78E915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.495{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-msMD5=2D148E390BFE83D879D0CA0B6651C953,SHA256=C64A6F6C57FA4800B921514CDF1D4B1AD93A537F3589371E57A5680020338933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.493{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-msMD5=D1EF9DA60595215CA69D873D03EE5F91,SHA256=908B940E7F6EC78E92402EF08F0A173D7D8C670B4AC05518E06A830F685E11DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.492{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_MAK-ppd.xrm-msMD5=E6D61DD38A73479267F0D7E654D33A7B,SHA256=0B705059B7FEDF9BA8D0E27987E0A187BE6E596EFF9C93D72794E5359AA01747,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.491{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_MAK-pl.xrm-msMD5=B1FCF0038C0EEB2B733C3A1B0BE5AB5C,SHA256=8547816FF5DE627640664477B6572D64B4A2077C28A80E252308286AC80D23F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-msMD5=FCDA9829D3BE4F9C6B96CA8154BB06C0,SHA256=DB584985082A8855954835FE75FFFF7E06ACE5BEF01C877C9DF70B8D9C6A7E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.489{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-msMD5=571FAF9BF6731638A9A86F8938856F61,SHA256=0714C5B012FE3C538D5B0DB7072784B49F47046D15C49C1F397ECE506183E69D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.488{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-msMD5=0F461570A800DDEB437B346112847743,SHA256=B0CC89D00026E36312CECE4E50BB3E969304FB5392A3F97A53904DB43601495E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-msMD5=5C15FCBC54754E7A13149CDC238BC7DE,SHA256=8C819308D95FC25E63DF6E9FAB6C47340D4A290A631A1E5E09960406C43CF43F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-msMD5=5ECA5B886B7CEF99B5294A22B295352C,SHA256=2D01BAA29E33485977053BF121521897B1D4E73686BF67313790373DDEA10947,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Retail-ppd.xrm-msMD5=BD94FA23289CAAB50000AE22B9436216,SHA256=B34423384FA0EB78C60C09510B9839B4E46EDD38BD86074312A5A6F74976FFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Retail-pl.xrm-msMD5=531D6750E273E86A662CA1456C77A8E0,SHA256=74FE388455B4C88CEC98575FCF91733BC91FDE829F041C847053175F3AFE4B02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-msMD5=EC708F9DCBBAD7726710466F2D2C6243,SHA256=81BF0E167DE0A0D968A664D284E6C9F9B7A7DB38AD750E655514F43A70BA4FED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-msMD5=C828166273C340AF3282FC31120F069B,SHA256=F537C0F2F327820492F60BEFD1F5834EA52048EE5B6CCED2A9E6260688196402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-msMD5=9C830D80DD617BDAAD62D1A1A8B0723F,SHA256=242554CD2FB91A41C67B48D0627D3BFD22ED54137723C351D8E46AE95FE45A63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-msMD5=6ED12C75CEE3391588AAAE781FFF00F0,SHA256=990544388AC31FB57B86CAD6DA5F42F039091E9A20B538ED83A5E733AA1E9BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-msMD5=4F6AB219081C01B4964A05239A9B06CA,SHA256=8839ED60977B2B3ECE4A52C0D0B807C3452386508F6482FC000257CE3B18CB7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdR_Grace-ppd.xrm-msMD5=DB6D8701B04F9D754E084A826A5F20BC,SHA256=9BD128CE3917F99CAF599EAC6D4E35DCE1B5C720728608DFBFA7EE5F7478B733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-msMD5=9E6DBCF3C37C10C94BDC8110F3EF9EF3,SHA256=672E2A6530D2E57408C148750A784F5EFAED2A457428370765F644DC5BF13532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-msMD5=81E0780C9F12D2AA47FEF7DF46B12AE0,SHA256=C9DDF6EDCB4D666419148C492E845D352FF512FEE2287A88F88C36425CEBA7E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-msMD5=D0FF8FC41BEF56B8A5659DB1E7B6CB3C,SHA256=59DAF43F61E0EC37078705C5978999222A1881CFEFD62A3B4C5DFCFD2A4505ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-msMD5=8972FF11179484A2128CD2EB92401D73,SHA256=F5DBA90F0B3133CCA1470022C4947B7970AF85B0F9EBACD86E72047CCFB4F994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-msMD5=663F9BC8E1EDB81820DFD05682F490A9,SHA256=1F2EE30102D41C5651932F839895E321471220837EA454C622CFE1379AC7F93B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-msMD5=1C6F0B64C41ACE21E22C472C119A8DE4,SHA256=AA3E76B0864D8846A393DB78017BF331F2E935C1095E917E3BED4AED86D7241F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-msMD5=23902810C536CF5DDF0503867E8259A9,SHA256=0BCB262B20D3C2B4B500292C70D3E42FB5884AB20E393FAE72F84CC854157EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-msMD5=38BA7B6D02651D4CCAB78D121A98971E,SHA256=7FD344A580C4D3DF31B832C238DB50A846FA7553F5DF16A02A9CF21F2CD08BBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61C529E31D9F59DAE28D455B08A9A42,SHA256=A69D9CDF3F0F01D0A740FAADD63180FF43F702E72EE85BD11B0777A0F3B7EF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-msMD5=878A9A92839B062FA3D65B9293F07441,SHA256=73CFA58AC6E27C7E118F1383D3B7960F2D7B71824175DBE25C7B182FD284D57B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-msMD5=4C359B05D997D4F35132D504650258F3,SHA256=71C7C6B397307CED9F35B98CF73FCC22E11B454159742371BE664606C3D5714B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-msMD5=89036B6226FA8B411192A83FC0881F94,SHA256=3B0A5E18A59552BAAFBE05DB935986390527D44E9008365CECAEA29727EE1FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-msMD5=C5399788ECA0A0505CE81F9FFE44C4A7,SHA256=45AEF9F29C4E2EE5CDD64DF9EB4BC977DBD94C88AF0578620B10673082BA27AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-msMD5=2B677FA49B8DEBF18E76DFC03105FA20,SHA256=47DD61F90443079C1421458000F411D4CF35408AECD842D1CE1E22BB203DA981,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-msMD5=71D8DD89384E4260AC2600567CDD287E,SHA256=A516CDB29A9A5BEA7BDDE29CDACC6F73593812C7787F893EFB002D51DD87DCFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-msMD5=62B7D882557C148F2EA8FD9B9E83C3F8,SHA256=A637A9E981931CEF3847B8DEBA6827F6F37A73D5DDB454BEC0F4B1E6C921B6B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-msMD5=24DA2BD76FEE4F6D5D2651682BFE3539,SHA256=03724DF054E420DC78929C136450800ACD7EF07401C74C8536FCE9D988900D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-msMD5=CC12840986C42A2E1D111013FF442456,SHA256=1DD1E8A37454D47D13E0A5102FC93CD61D489D83D88EDA39004AB4C2F52E1438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-msMD5=2153E90DD77BD7CC680C213B3114B72F,SHA256=A321961BEB2DAB6746F9187A14C34F5AEA664E14917B29E800022D557D5AECB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_MAK_AE-ul-phn.xrm-msMD5=9D2D86867C1E7FF90FA5463A315D58D7,SHA256=BFBCDC93F3CD589B3032ACD4F787CF987A49F270C6DA092F7509BF5D346A5BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_MAK_AE-ul-oob.xrm-msMD5=EB9FD4A9B11E05786B0F34DC0FB3E6C8,SHA256=546DD7D10B2C81BE6AA1F1175F8C89AF8AAE08B8249FD2D621C0CE0DD4D0E932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_MAK_AE-ppd.xrm-msMD5=DC2974A9B0CB8CF21D7E482210DC4FB2,SHA256=5657EC5B4202F6CECA68D0D5687118DE06CE4B8155840649804C052E7894908B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_MAK_AE-pl.xrm-msMD5=B7FB069B4BDD0391139BF6C439602E4B,SHA256=ED66BD41140E646D97FE79F882A8ACED2EEFF1BAEFE6887CE585980E8509BAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_KMS_Client_AE-ul.xrm-msMD5=CAE92C7ABAA8BA2409294049CCE223A1,SHA256=21DAC615D6F0CF95BDE38040527811969D39337B1A24A26B93D0F93BD338BE89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=49517B73DCC8577FC9112B462A951FE8,SHA256=7465BB7DBD41CA3D6434F37162AEF7A65C6B4376ED1B69E3B0F8FE1E9F5EDB03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021VL_KMS_Client_AE-ppd.xrm-msMD5=D93E9BAAEDAAD3E42F0501913DF23483,SHA256=30EEFC5F544AC6D5CA1231B43753D7D78C38AF0C915FAB64F2C0315036B194D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Retail-ul-phn.xrm-msMD5=744851B1C626A77A6C96AFEDA4B186F1,SHA256=FE768E9227E1F7BCAD8B5235C5A69D390A03923721B010FB01214FC1A8AB2F94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Retail-ul-oob.xrm-msMD5=CC54175EE56DCE42183FB9E623705271,SHA256=F1A5007DB4D60B8DCF64814747C72856D4B04BA3820A3385D7838EBFF0445E69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Retail-ppd.xrm-msMD5=798FAD0FCFB8AB04F190F640410E154D,SHA256=7E860662BF716DECEF633F68651A5FBF596941F9018EBD3AE94EB836EA881AD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Retail-pl.xrm-msMD5=AB177D85DF80C0BB7DBB7FFE90894BA4,SHA256=4519185E9EAC0D71934A21E811184D41EE8CAC2496668A6FD9E71624E1CD043B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_OEM_Perp-ul-phn.xrm-msMD5=8FA753CE7091AB187340258AF5F9691C,SHA256=9CC4E30E6709E2F0E17E9967604A8D0962FD754108414620075FD0C1DF3A4A74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_OEM_Perp-ul-oob.xrm-msMD5=A8EBD3FE53AAEABB0798398F98DD1137,SHA256=F513B8814F2F9F85167B75B91548A8AEC6695B74B276133033471C08BEB8BC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_OEM_Perp-ppd.xrm-msMD5=CC71A7C70C456893D7F2F23F564860D1,SHA256=EE6C3BE31E1BC634B6C84EE7146792D72884B16B764B1E70B26CE4D8F1DD8E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_OEM_Perp-pl.xrm-msMD5=30913ED2CF40D9FFF112EBE23386AB66,SHA256=8BB966F4FA3D3CDCBA059AE1471CF83DDEC7FC664109428265AA17AD6CB4C4E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Grace-ul-oob.xrm-msMD5=AE749F4398E3005B77FC23501F2BAA12,SHA256=2F90E4326AA43B7E2181F8D5B3E0F03995BF87BE0CB119B8B6AF33F58D04B77C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2021R_Grace-ppd.xrm-msMD5=5A9E8D3DE562AA6257D7844EC20D20F7,SHA256=9FC6B689648DE2F1C2A1D7FDC9EF916AEC3403E0613E7E8AAD71F01AA250AB7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-msMD5=802BC384F2FE5B04A6B2466FB2982C8A,SHA256=1762E7E01A9E03E5BEE4DD2A282C24BCCBE15A985D26F4036B34E833F7F3557F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-msMD5=FCC6F981F1AFD7AF23E445E0D7403EA7,SHA256=0F099FA3ECC3525D37A1F04755A8B3E4FB3DD48EAF48BA41F19C94025D04755B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-msMD5=2F9391F7B4E08E9945C149C675F97ECB,SHA256=BFB3EDF5C2144356D815AB43D8312089912AAED2C4E96B1391D486BA776F6451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-msMD5=250E70269382AE9258F94966D425987F,SHA256=2B9A47CF2D65DAD8469283BF11B15825767C16A9F87418D97F69DC4856DF6F8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-msMD5=BA6F1C3048F1CFC199657A3913B18ACF,SHA256=F9671F1BE4B8EE4139A1FBE857F21E187168A61297CD57FE9BCD85F854140F1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=24296F4C697D7D3A5C6585A45311DC4E,SHA256=02F97ED9AE67E99C3A7B11047F71DCA884D8AD57BAB76FC8E9A00D5370D9797D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.414{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-msMD5=95870166D4A218E1015663C5EBA280B0,SHA256=A84B694530E7482DCB40F0A7A4D55602C17CE0EA97913FBBE19347538079B881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-msMD5=3F22093488758DCE2DC0332DB6F86078,SHA256=BC0673B2A34BD12208B5442E1CC5226826DBB624B3246E4826B7CEDA15FAE4F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.411{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-msMD5=F7231ECC40D0DE83946734970FDAB886,SHA256=E2D5DFFBEB6C60CA09F62D0B82A050547205C5431945F3FBFC55D4DE586685C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.410{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-msMD5=EA9AAA67A9AADBA5A4CA950E10B041AA,SHA256=305A789025C8D0464E8A697F244A39D2F734ABC8709ECE32C83BF8C036B7EAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.408{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Retail-pl.xrm-msMD5=8A5C480DF2F49FCD44C151730E88A3C8,SHA256=5B46715450F59032F72FC3D6337AD9A19047B462D256D9E8E999174BF7DEA38A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-msMD5=898DCE2F16D81322CF9159C54D5B50A2,SHA256=EDD8E261164D6373591179306958E01CFAC179E2FA1DC42BFC347700D5AA38C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.405{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-msMD5=77B7C5AC206C349DB51101D0819D7219,SHA256=50AE5D21F89E32653925AF40152A3B80445D16C295951F9F4D60C0982C6074D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-msMD5=DFB9322D1C159DB60EA2F9208F30C0B5,SHA256=1885A265F5D353CAB9026E8492458907A010639BAEA2CB9CEC66AEC4A7A815E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.401{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-msMD5=7C5A6AFB203B43A35588C24E0F42502A,SHA256=EAF5A7C1EA4E017170912EAE6F0A528FF7CA2012C750AFFEAFF03CADB5DE2481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.400{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-msMD5=C7403DA02A742EF9AC9B964849F18BCC,SHA256=5F6311C451E5168B158FE647CA48BFC7E3494B3AFB0C496EEA32C1AEF8B7E288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.398{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-msMD5=C90F235B2A34082F25BFF08171E58A1A,SHA256=176BFE5A625EC98463302AA01429E9335D327FAC3F051C6ED8AC9D8AA06A5811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-msMD5=95C0A026BA9216FB01A6B9546EDF1A05,SHA256=2435826BA3684B547893EB84C68CDA46B21558DE613B4561F524780EA4FDACF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.396{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-msMD5=CC97AA5001981ECF5910E98810AD8475,SHA256=EF55C24C1DFA8828FAF37549371C5C1466E658BD069310E1BF29ABB7B43C9620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.394{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-msMD5=40772FEEC94BCFDF398AADE1A3F166B5,SHA256=DBFEACFE9D2EB3F87CF46EF9EDD8C30C4954D90DD44C96F1D874B011E49D6C6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.393{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-msMD5=12C89DBAD66BC3A940E67C15B2F378EE,SHA256=370BB1E4A5BDCCF0884A7972F1227EF01CBF54E1230C9B01AC04458772B4A8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-msMD5=82A6F34ADB9E7E8D16308939AC6299D0,SHA256=45D0357298E86BD6412EE804C9CB5D017B8D245F50E7F453D9DB30A73CC5ED44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.390{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=416E3F602900E159A1C2AA8829B1F23B,SHA256=05F81D92F50D04907C9503BD82E9455AC2D3B10DD95483FA450B9F919FBB69D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.389{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=A5E9F49FDDF5B515609BBFA89EA63CD3,SHA256=F66FF3B9532541AE1362C4338F4A570B905F4EB496848C72D7C740AE2EEB4647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-msMD5=7DE5019518EA2DD443F40BE434861554,SHA256=268FE0D16BA6B7D9BCB5DCBEA40FA0CC93A6C4D95F63BBCB93E904527DB30937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.386{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-msMD5=CAAB8394CE895E5E1FCFAD75DF288E75,SHA256=CBFA645AD9CE22B9B4F996CD044C5965C7BD480C670BD4DC03BB10FCF4875557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.385{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_MAK-ppd.xrm-msMD5=02D954068A0E7F28DE229F521F7A226D,SHA256=46DC3DE1F60CAD98E820615CD95B677D7D4C6E6866CCDC40B84CD08A43E8F236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_MAK-pl.xrm-msMD5=59F7221A2BA110D020A7815490ED57DD,SHA256=3ABC9C5592663C983B6BDE30C333665348F6BD1FDD33FE3340A73FDC2D90A98A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-msMD5=73CEBA204546314E89C5C80CA60277AE,SHA256=A04C03F861C8062AA33D0571F6EED7C91E2161A2988FA7F5B594C3D6EAAD0B99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.379{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-msMD5=84B835284E34AB96647BE05C9183DEEA,SHA256=41B3B8768158F4CCC9CD4AD400199980725926B05AC2EC7258601F1DD68BFAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.376{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-msMD5=E995661044C9EE6C55AE8B31441BAE5F,SHA256=B330F00DD9413AC8F4FF066FF2A36B8BFF5DB4D5CEA69511810A871539F04BE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Trial-ul-oob.xrm-msMD5=39F5508D937004C11D6DAC16EDBA2AFE,SHA256=67EE61B66201C880B90D6EECD302D4237BD81262D93567BE91D31FBC0476E86A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.374{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Trial-ppd.xrm-msMD5=AED6A41EF80E632356042DDE421950CC,SHA256=4880AFDA3F57D10AE052240C89A0A51C14B2F02B3E1261DDC96034F4DF94EFF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.371{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Trial-pl.xrm-msMD5=BF416648DAF22B329A4FFAD088064290,SHA256=F1150D132EBEB08B9018681A4ED60F1B91413BFB2939D01E9B73D4D25F5761B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.369{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-msMD5=577F1F14F7CCD0D51EAAE005A5C181FC,SHA256=506658F5FDBBED806EC2C94F18C750EBAAEE9B2FE3AF05033ED1319BB1228D61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-msMD5=CF3B31C6BB1D36FFFAB8159D8F2F0B16,SHA256=2A793ABE01FE7A6E2D36596669E1C9595EC4D73AA31067C1D5E0F65D95E44C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.364{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail2-ppd.xrm-msMD5=2C2E118FDE096317CA8992A7C941B4DA,SHA256=9C6BD19070606C9A892F563E6C6D770835DCA1E008D1B43E74660E25E360F203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail2-pl.xrm-msMD5=CC15E338B37C1743D283F576E62F1316,SHA256=680AC9F4E918B7022CDA60D5A6F2A37F0D40E60F1C3469610CC39260B5DF9301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail-ul-phn.xrm-msMD5=23B53F88E1D457AE5A3876BCF852B549,SHA256=94D5388657D141B7771C13EB99C4CB09B66792198B66025ADD3736078708CE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.359{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail-ul-oob.xrm-msMD5=A3308E23E4DC6E3FD305FFAA122FD843,SHA256=F593FA32F7284F9845BF64D182257DBCA1C8455A051B4FC7033ADF0045782945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.358{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail-ppd.xrm-msMD5=71C1BE5A1BFB7F1AC18B8EBD02586E43,SHA256=020DA0B921361A077DDD9B5BF6E8D11512B9ADCB86B088C34FAE7A3D4C8611CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.354{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Retail-pl.xrm-msMD5=857455F5FF9FCDA890E55D045BEEE2FB,SHA256=BFDF5C75D696569247E5694E5561C57C733DF8016A2F216A47972ADF08B438D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.353{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-msMD5=31E2E3777428D404480E91E39382D485,SHA256=34E64209FF69D8FADBF558977C767501469A8A6206EB2813FC67A7E6C230E1FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.351{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-msMD5=503F4B58D561D0CDFF391FAC2389BF6A,SHA256=24917AF47E494B731C2DCBBA52DB8E72F7467AD2D3D6229C597599340BE13CEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.347{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-msMD5=1AFA975665D6020884F3217BAAB13382,SHA256=A7174AA77D1EC367E142049D8D59DFFFC6477D2B56B13C21537E562619FD0BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-msMD5=C8DBAE8517240B88CC7D177CC7D7225B,SHA256=4A9B3BD9A7E3EA6104DBB4FADC01AA80E4AE6693A518C2A29D6A6B1346B8EB52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Grace-ul-oob.xrm-msMD5=BAFB5B8CA11DCB64BCF0C986DF6090A2,SHA256=007684E2EC872866863590260DE28F56DEF1A01D386B3A4BA0C80543825A36AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProR_Grace-ppd.xrm-msMD5=BCD2200D8A96741A17EF0F19C7256847,SHA256=729FEDF281EDE194C679E0A0D8B88C475C5F3C479FFF521851F52B1952A5C98B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.340{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-msMD5=35C06C07F791C65E39BB58140EF81BAB,SHA256=3E11518A45397348DFD91B1D79C49E7EE969493CE8D62F62B255683827A5BC75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.339{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-msMD5=DD65DC8EB4D900DB70570B5CFFC50FFC,SHA256=13FC6E1B46DEA6A881767A5FCC725130A6286A3F07E399B99F16FD786A2D4ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-msMD5=36360D6AFAE65C041787E77DDEB91D9A,SHA256=8304081A83B28165F71C8CFF6CFE93C7032F24D54814F94704FE6C00F3CBFFA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.336{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-msMD5=0AA9D02E9F4D4FAE3D3E95127602507F,SHA256=532983185B7C5A5A7F627D00CB0AA892CBFAF48161AB05A34FD3747DF2E8B49D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.335{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-msMD5=98C283C78AB87F265A77D540726EC87E,SHA256=4B2DB6754D897FA73422BE116C7A3234304C0F44B5E578B822A69EA171118C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.333{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_SubTest-pl.xrm-msMD5=59BA11FDFC6FDD390281399D78B63612,SHA256=3D3A56ADD98EE40704EF1379FB08EFB57FFAA192E49843D0F83009321EACD60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-msMD5=75B83DCD599FF7622B9FBEF6956746B2,SHA256=2ECB0F6972DA9AFCDB6FF85FEBF9C1A13A6F93E85E5A0C71A89D3A2AD7F809B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-msMD5=CCF89BB41E731373EAE6470B846B0B32,SHA256=EAE39AB865218C0B1612B77842B0FEB526830D834758B0F3C136CE339FCAAB7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.327{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProO365R_Subscription-pl.xrm-msMD5=97C26243E4F9060DA27C92D3447D5F35,SHA256=7B72C959C19143DA938F428CB2C4A967CF91A7737794DE660B94B35AEA31D7B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.326{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1AA62FF1142CB24AF8DA8818753D47,SHA256=378F9B7E61B9BD864D098A02100866EAB195CFC23EA13731842D9E5D9B59AE04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-msMD5=6EC82E32F9E335A3438308AC266DDB87,SHA256=492ADEC847CB60FA1517A31272B318611A8176AD42D0495B764DD8BD610DD773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-msMD5=3C3C9CA3B4FD3AC0EBF2B807E2D9FD8A,SHA256=31D12D3C03329A4F0F03F27ED42FCB327644A93EC95D0C42832F91ECFC4A8CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-msMD5=FBA46E033599069E7A58004CE772F6D7,SHA256=8D528590084B642D5F3115DFAACDD4FC3A353075DD980E98797524691DEE85E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-msMD5=05BB4154BB72449AA0C9DAADDD21911D,SHA256=59CCB87098FB6ECCADF29DA932515B6E35EA896F1D6919B9AE0D7A74CDC9F090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-msMD5=61779C2730B39DAF696209895CD2F977,SHA256=E637765ADEC4EB6449A808E4495408F63D00A5AB1E303D583FF89B036F442B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.309{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-msMD5=EE861F5B49C7CEE11EEA74CCFE447E81,SHA256=651A3F42A8A22C6FA283941FF359C034E1462739CCAC23763E27B351EE496E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-msMD5=3701906A0CBCEE82DEFE2C242088ACAA,SHA256=9C956221860CBD6E5C85C1CBF6440D35CC04F8F779B7C4651C9B7F0BB423BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.289{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-msMD5=C458F76BB33901FF8948F5C1423E145E,SHA256=8F6E807F49B29144A45701BA60623F6D4571F6E0F4A00872FE5316E5BBC98775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-msMD5=07E106327439AE14248A6451F60AB9EF,SHA256=2CC808EB85F0F545481740D2CBDAB966EAB5FD71D1EB6CA0984CE2F55104821D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.285{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-msMD5=6B2C2216EB439F543AA41378048500A7,SHA256=4715C125F119A0EED7DDB7DC3F85D10E13A555CF9E8D79303B905C80AB3D3C53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.284{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-msMD5=642AA06310F5E62DD76641CFE4C3A260,SHA256=3C9817F2014FAC8F5CD1197345B15F4AB0F442EE6273997BEDE39E23AA4B2BC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-msMD5=65EFE688EA3E9A839A1EA0D0250D1334,SHA256=E0CA34CD7995A8D2A57B7826D4751A700D97B1D62420300BABABDF58D903E9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-msMD5=15FA68F4D78909B8E7E6F0D93882A865,SHA256=BC814FD186DE054A8F5E44917E834210F14C9F26180EC70D51B30292D5BB4136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-msMD5=7AA3680E815812A894B9952C671A3F2A,SHA256=27B87E05F6CAB07A3AD415D0E7255C2B7EC880ED57598D461F9BD7F5FAFE4B3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-msMD5=661A85E7F06E4484A5ED2219D8E8C0DB,SHA256=E543FB6DCF6D8F3BF9378D23E44B9B595586398C31946D5C1046FB7BCC56995C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_MAK_AE-ul-phn.xrm-msMD5=A185E7C20390059C35AE96B6B2778BE9,SHA256=EB24A10AC0C7F875B642AF1FCC409BCDABEE734DFEBF0D61D72E816174EFE291,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.277{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_MAK_AE-ul-oob.xrm-msMD5=C23F225889FC22CA75E49FC76AA75B0C,SHA256=3AC482A2B99AE313EEA5616E332A62697E571D4F57FC5799158CB84724B2CCD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_MAK_AE-ppd.xrm-msMD5=146CC4E5D584A7ACE1B15D44E59AA002,SHA256=F69FB3FEB038FBFFA65F2FC6DC920F798E097C253A253F936F011E30DE2E002A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_MAK_AE-pl.xrm-msMD5=6755C510A3222F53337A3CFC74019CAB,SHA256=8492C314FDB6F0FD270995B480786D8FC0E9B41BB1863C2D1C77C301A627A6D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_KMS_Client_AE-ul.xrm-msMD5=113A0642415652A53695021671BE3004,SHA256=6762118B1F531B92A014512F6BB8F4EF3122F3955CE713E0B712D34570DDB781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=A81D5636436C58FA4344C4439D17BC37,SHA256=63D39E4E335F27C4B5830B330189A903385BC2465950EDC9F90EBFE057608BAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.270{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021VL_KMS_Client_AE-ppd.xrm-msMD5=4E1800DE24D071DBB3DEC5F62CE372F7,SHA256=6C497F10957A70B0D82002325973ED045F83DBFDD8F9C0C346720A8D2278BF71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Trial-ul-oob.xrm-msMD5=6D2E140606D10B01352D1021E8EB0C05,SHA256=2E313BEA5D2DF5DE546A1D9249416F95FA2AFA3F7E4D0048D1DBCF3AEB35EA49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Trial-ppd.xrm-msMD5=C202B11C3593BE4288C36C35F6B55767,SHA256=5DAF647A8D10EF878AC0664698B4D47CB80039FEF8C9176100A62DB1AC0D08EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Trial-pl.xrm-msMD5=443248DA49E3F24FAE1E2264F79A26E8,SHA256=DEDD3AF068026E711008C18AC092DA47CA66F3A56078F8E86E4603DB9FD6E4F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Retail-ul-phn.xrm-msMD5=8754D86480E6EB7E4F9FCF3AD71D8D15,SHA256=BED81468A7CFC72C655206B0945CCA7F7D544A220C925417465BAE085AA23EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Retail-ul-oob.xrm-msMD5=BC6978446926647E512648E5E3D5C503,SHA256=1C1E92D263B2FE1212B3CD749DF3CAD693030DCDFC75640846F54E284844DD5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.261{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Retail-ppd.xrm-msMD5=06BA451A482716D9DDD6B64A3C11D975,SHA256=352CB7E06150DE0EC99A76BE04C88B5B6BEDBD99D2DC9ED36F80DC7EA5D136CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.260{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Retail-pl.xrm-msMD5=8C07DE8B50CCEBA68FDF73F3CD03A43B,SHA256=E551D1697E26769A7ECAA5950BBDB77C0EF6CFED7B195D77A8E7D1EB7439F5C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.258{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_OEM_Perp-ul-phn.xrm-msMD5=857AC97E9DF21F6B48774B4FB6ACDB6E,SHA256=FFD4479714B67520712F75DE58A746C9736E0EAB87FABC2D7E370918BCFE5A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_OEM_Perp-ul-oob.xrm-msMD5=81C1FDA98804991AF301E42BEB3EF3F8,SHA256=5D8910BFAC318AE45442988870323EB2A167C6DA615B499DD4E6DB59946F2D4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_OEM_Perp-ppd.xrm-msMD5=55EBC249775423297D75A402B2738DF8,SHA256=3E2A438D5D3E545A64F427327C878A272BACF43514A97025BB5E680B106E8AE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_OEM_Perp-pl.xrm-msMD5=0E095A05445757CE09C964A4B4CC1DAB,SHA256=298555DC83DC1641EDA9C5B0E3F2B58A5596A493E34451B2BAEA1B7B7A89ADE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Grace-ul-oob.xrm-msMD5=D85EAB4857A6745A6F8B403C490C04D2,SHA256=BA89AD896649F7081AD19E27BAA1884786AA950F9DD50D3A8EE513224BE64667,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021R_Grace-ppd.xrm-msMD5=B1212CC6C9AF9609C1E18373B72FE3CC,SHA256=4F7402A9F962C871BCAC134990CFBED5D489BE08AD53C32EEBD73A0F4635DAC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_MAK_AE-ul-phn.xrm-msMD5=3792336C3281A591B30A2FA4162FBDC6,SHA256=B3A60D60ADF247B459151066F13349B3AA4771A556EB8688326D66B14C9698FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.249{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_MAK_AE-ul-oob.xrm-msMD5=1224BE695CFB486F2EBCE448787FE88C,SHA256=3B63376B538909C4AD79DF010F19531C40C984BF556AC0D7AD5489358F3D156E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_MAK_AE-ppd.xrm-msMD5=8011C96A31C605FCD5CD6E67C34286BA,SHA256=E2209B659ACDF99D0447EBB4E571FDE1B1302134317A3873F155286B33A74607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.246{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_MAK_AE-pl.xrm-msMD5=84E825B812A107553A142C75E410A28C,SHA256=D04582FA42C5030439009E58EF2A9FCBC8385C188D0C919E8059E90C2802A374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_KMS_Client_AE-ul.xrm-msMD5=01089156384B88194BF889E04A29775F,SHA256=5C54AA195DF4B257640E533CFE5B0EBE519A767D5E8E68A53A4885DCBA3B1634,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_KMS_Client_AE-ul-oob.xrm-msMD5=8C523E38467C6D34C10E11B5F4B3B49A,SHA256=89765F57141D69E3CCD4EC26A1ED836AA416D0E56F3909FD5ECB1568BA9A7CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.242{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021PreviewVL_KMS_Client_AE-ppd.xrm-msMD5=BBC2F28E331790261D31BD809B228342,SHA256=A5F4C98E5BDF4C80ADBEC73B89CDF7D7B769B16B05079130F15C29CA05FDA65C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.241{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021MSDNR_Retail-ul-phn.xrm-msMD5=52F413ED9A8E16565EC64588750FF272,SHA256=8E9C55D2276890B9B80DC873579C91B86402CDFB13BF1A490CA53CD233E6AB3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021MSDNR_Retail-ul-oob.xrm-msMD5=0D5B8F96DE388C419CA99C84A5388793,SHA256=E7FA5D8AA92C6961B6159BD5C99B080B826689546958EB14906998EA819E81F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021MSDNR_Retail-ppd.xrm-msMD5=EBA9DCF7538FFA2650EBC179FD2E991A,SHA256=66AB0B7AF67944D86B291AE22EFAAA720213A3866945B53BD19513123C636452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.237{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021MSDNR_Retail-pl.xrm-msMD5=FB11665095B840160AE4EF5CB21A4A35,SHA256=92059A9422B1F0EBB448DCDB7CB9E0B4AD072E1ECE85AA347676A5C9B02312BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021DemoR_BypassTrial180-ul-oob.xrm-msMD5=D066CD6A99414F171D2E514B674969E1,SHA256=E91DE592EE7135ECD12C7FC90BE1F344005AD87B935F6BCA1BD544C10149AE65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2021DemoR_BypassTrial180-ppd.xrm-msMD5=FA4FFCBC9BA12157A19621FC54CFDA19,SHA256=3DBF504B981A4A2D2674E2480ED524BE957D4800557766756A199490A8E572A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-msMD5=816D84EC17C20482668941CDECE64665,SHA256=43834D2B2DC1755CBAAF32B7FEDE0D4276E8088CA23EC7BCA6D03B756699BD97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-msMD5=4AB28E23B7A8B2ED0DC3289DFDB53B56,SHA256=5E28A2B6B0E4E0FFCE0B310496942C0EDB8B8DB639C0CB82748DFE5E237CD561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.230{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-msMD5=2C156F6CA55FBACE7A19314F93600CAD,SHA256=B78D678CEEC1E3960D04D1A89CF1DC34B4C84B21CA755D9D2F045DDF57DE53F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.229{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-msMD5=3638D6C734E599A3C58ABB2115B3E209,SHA256=C3F3DD6E0F995F07307C190035BDCD69CAB30B8BFDAEC9DEEE9BF7938ADCFDD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-msMD5=B2E1682CD8F27D1616F2792C9A47BC52,SHA256=0C0D4E7954DD1FA1D7332DC9BBFFE73F7E73DA3F68630C51DF5D2F535B55D5E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-msMD5=1F9B26E3B885944BD248031F94217960,SHA256=28626196357473439B1B96DA8D7FAAF36A68C86AA6C48EEA75473F4911A1D8AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.225{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-msMD5=01AAF13CA3BC85F9C492EFD252C90361,SHA256=0EA1358422DAFFD66730EED4FEE8B300D3A105B3F12812EB6C6F579B5E60661F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.224{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-msMD5=958A6C743567CD669811BA730F83FC19,SHA256=5EDFD9E8E3D4D2BB510973D804560C7F6C5979218292E8B19E7F433DC8EEDD76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.223{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-msMD5=21BE925AF34B91E1360946703BC10FD3,SHA256=60F0A3DFE9A7D80E37C2F46746DD6CE7BB5FD023799D5021B4CC0214BB17F6D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-msMD5=470A5B65CC8E9287CC28D5B2EA9D916E,SHA256=E27AF0E1392CFD270E619AA8BA2910E6574A177B7ECE68AD63B999CF8382C0A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-msMD5=77D9CBA151D4DF87698DC790D9AA404E,SHA256=D2FA3A5896F2C18463E69F02F376FBAE45B2C86C56071DD020462D8104167B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-msMD5=9578C1A28C638F13BBCF3E60FB7ED63D,SHA256=062272B277DFBB895C91D22AC1AE3CA7EFA8615CB51F006ADCA02995BBAE7E2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=E8B04C33200B6AAD1B776A0F7C8FEF5F,SHA256=4E569CC457DF862D1EDC267CB32F6AE693006C10143D8939A301839FA894FEBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.217{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-msMD5=3E9B833448DC91A4766C999FBB692CB6,SHA256=2936363A302FF543C907273FC079E16C95935A0CBB4ABFD1D76F14D5C5E5C76C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-msMD5=1D9112EE17F7AA242FEB763DF2802381,SHA256=574B685E248164D33906C7AD628B8588504A4FBF89EA731FEDBFC06C7FCFE9EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.215{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-msMD5=36C61E72AF3A5CE5107E149F06303AA2,SHA256=BF084EFF084756E4F2D04027D852E12A0E4259450B2513302EABE4BC9FAB8030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.213{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Trial-pl.xrm-msMD5=CFDD64BD7BBC7A2F3B82CD1D42B30C55,SHA256=A0428F9476884CC2F859C1B6627CEF5EAFBBBD4BEC01FDA12B4BFC5A7AC921AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-msMD5=A5FAA617FA1757C620DE0F3F26A9F62A,SHA256=E7DE279FEE4F7A9341A1D9E059D33B7EE418C61FAD74056485EA78004FA4DA64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-msMD5=C88F63EFC996F4DBB7D0E22457585165,SHA256=934461E3EE78B0F343599B78F25728FAC2A219039902084DCAA6255C0AB6A2A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-msMD5=48C20B945163C322B3C486B66A4610B5,SHA256=30A4FE7DE2113C69D3830A310C64ECAB9D07A8C204048772209E9C3E2B885D6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.207{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Retail-pl.xrm-msMD5=1BC288945B945D583355CC0E0596991D,SHA256=88673BAA2364AEC73B7FC1A5F38282F55E2233E6270C43C09B8D20845CF03074,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.206{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-msMD5=AB26B81EE2838525334A5BEBE11B7D4E,SHA256=736A20CD2C6D34BCC569AF0B148155FE9232079C8D8F3DA7F3949A63CF0BE721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-msMD5=AEC7C0628C848ABC7EAE781C50476449,SHA256=8EB1BCEAC75A4C8F88DF54562572A34FBCB945D871A77C66B24E8A060F2D1522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-msMD5=4D10DD1C6BD905FEC1A7A8487F607252,SHA256=8928CB89A7F05D127B62E44203633813A7C654A55726F84A5E13EB5AE788688A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.203{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-msMD5=5CBDAA75BFDA50170FA94F17D5266905,SHA256=FDBC544969452B38FD3E2B549441F2F2E83F44FE6458539EA05D09E4F2CF3067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-msMD5=4BC1A49D35C33329192BB4E7168BB130,SHA256=4F92F8F96C44B89948CE33EEE0456922556069E46C637A6E79352343F194069C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.200{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-msMD5=FFFADE0F6080D28EE4B28DF2A6E9BA2D,SHA256=6C247046E65A9F8F5BA403F9059CFB1176E5B78201DEDFFCC960F55E8F45B4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.199{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-msMD5=811381512C139F89D01D123FBD580451,SHA256=4A23A389A22D6665AA7BA9FA27057C139EE17C6942E27043CCEC9DD2015BB206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.198{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-msMD5=15DCB83B58AFF1BF192EF648A78F06F5,SHA256=A81A4250AF9362C85420710A2FACDFA86A218BD615601A17AEA905A5C101C2D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-msMD5=B33208E81A6101A469F5818419420511,SHA256=85974AC5365CDFAE6C8D8CA68A8D024B44663F81ED45C2915200C274713DF657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-msMD5=E5563B4B68A87099C1148932BF3F2C96,SHA256=E989E0A9071147DE12E45B101D82007781337ED75FAFB69DFB1A1CDFC13635BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.194{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-msMD5=EB0E5B493B2D8382D6CA4F192885EEEB,SHA256=9C429430B7EE8B35BA7E72FFBD1121D0E0783560967501C72969201B0DEE7E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.193{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-msMD5=F024DC37830415280C4C725EF4255CA0,SHA256=45E847448794F690BF38F2BBF63695EF783AF7F6FEAC2D0013B95F8D253959DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-msMD5=71D8FE6B5FBA9E4FF6F46BE32E715404,SHA256=30671E6CB2C07CD7291202DE48D87939232D165AA4BDAE20A3986FDF06CD65DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-msMD5=83A5D35EDDF601CE79FB82355FFF5BBE,SHA256=741FF05391AB4DEBF76C56119C95FBBDBF041552BC46E28F42DD0F7845320B25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_MAK-ul-phn.xrm-msMD5=5F42540C0D1FA26040AEE81C662FAA12,SHA256=967F2DA8D8BE08D5C6541FF28FE11E9CF7F5DDE36359DCC4AF8A80FBA42A60CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.185{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8B02DE1C2C6B0B2603E54FB3EC6C72,SHA256=0ED9EE584D41D090FFFE02E3EAAEAC902BA36C3E8FA176B97BBB1C765C77879B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.184{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_MAK-ul-oob.xrm-msMD5=83DED9375AF9014BDB088CC412488738,SHA256=51D23FA5416877E33E2182C57A871960FE63516D2A724414DDAD59414841574F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.183{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_MAK-ppd.xrm-msMD5=0047761C2C5199D289D95653663503EA,SHA256=5D0ABB580A82CBD15D3FA177FFDF89D9E63B2263D1618E239525B31D9D47EE1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.182{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_MAK-pl.xrm-msMD5=46A9699C5462C0F20139F88FC84D31EB,SHA256=0175A16FB28081814771E07DB76A7D80923441C7FE556322E8036B4369BCE093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_KMS_Client-ul.xrm-msMD5=165E7E5368A76BAE67EF6922BCB91D76,SHA256=B512108607366BC4A1BAB88F686F894C5F7B5D27B4A97C1C0B43B67E9A26EAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.176{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-msMD5=BF08C19E9035EF28C5915E543CFC720F,SHA256=153F848550457845B15BACD4CDE95B17D18D17B2B068C3EE90CCF32E093F3338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-msMD5=DC7135C6C54517970DF7049B3231CDAE,SHA256=721BCC9AFDD4DF9629672C6102B6207114ED65361FEC7B30B3600168B72794BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardSPLA2021VL_MAK_AE-ul-phn.xrm-msMD5=CA656499313F03360985C4DF5F96AE1B,SHA256=FAE141FF596982382A12A32F211A6D34D12052B8FD04E6379C671434825C7471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardSPLA2021VL_MAK_AE-ul-oob.xrm-msMD5=1493F0A72F39AEC762E1A4A23E9A0082,SHA256=81199BFA92DBEE210D5FA911D44EF3BAEBD2C8AC6C867CC96C1791A81822D456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardSPLA2021VL_MAK_AE-ppd.xrm-msMD5=7176B7A2B8D6686E4C33CA64BFAD2F54,SHA256=1CDA524FB0DB81935FDAD0175C85D33C6B6FF511EC6548D6EF21D7B1C5D66546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.164{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardSPLA2021VL_MAK_AE-pl.xrm-msMD5=BFC40AEFC47AE37F001BB9D0741F1447,SHA256=B9DF3C073DEB6ED42596B6B455248C11C684F907D9380F4FD8CFA48641A6E52D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.163{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Trial-ul-oob.xrm-msMD5=E0BBD9941CFF8B07059FAC2818E854CF,SHA256=94B9D2D5A67B26A683D337791E5C879BE45EBCA1CE9F93CA5AC52558C33B682E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.162{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Trial-ppd.xrm-msMD5=566DD5BFC3DDF8CD28CD1C7447B7B223,SHA256=BEAA2CF8591C7BC8F52CD0B34641F92C4C7FEC9F0BA54C411F290F64FC7D568E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Trial-pl.xrm-msMD5=FBD16EE04AF7CBB348210CB1E8FC4D09,SHA256=1FD3B6DBDEF283B97147FBFD81C31D5F4AE6AE3CD3DF8D68FD07DD4824217A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Retail-ul-phn.xrm-msMD5=8AC7884627A0CF3FE2B84162B35129FF,SHA256=3C0E9C0A445EEC434CACD563D211A95F3B987F18D4510BC66D5D3CF8CED344CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Retail-ul-oob.xrm-msMD5=80D11C8D4E23F11F73FEDAD09766CEA8,SHA256=C5E80A72357606F0DDB5A3D27E484CB65EA0EA597F7664B201E5B706A2CF2ACA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Retail-ppd.xrm-msMD5=2E71D6E1C36C26B96C415D7170E2020E,SHA256=21D9885F89DA79366013046001E4D6C439EED11860F0BF62C66305F7B3BC0ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Retail-pl.xrm-msMD5=946165664B5801BC7003809F7FEDFD09,SHA256=0EEAD18F28F5B61CA96F261E0A8F0E70C8F2CB40D1E7CFEA849D9593508F0BB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Grace-ul-oob.xrm-msMD5=2B10EC861213F1B610FB1508F1218680,SHA256=87222D880849531B8C78D4049FCFE1781AF9CFAC968AD26FD16AB896E5793510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.153{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardR_Grace-ppd.xrm-msMD5=A487E9A93E059FEE50050600CFC6553D,SHA256=40CCFF8BC4A04D464A8720412B3666CEDC87B344CBAA7B7D9D0D8777642BD005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.152{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-msMD5=59584E6F0C9217D6460991209E68E280,SHA256=7C8D5B43698243A8FFE796438DEB70A9A6486FFF291B6539D9733A8C910297D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-msMD5=49BCE6C7ABE9D1F7CEFB2B8F2C35ADE8,SHA256=9AED66BFB363E9DB1E3F43782EB0370AB75169B6C905F17AF1DB462BCC00D902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-msMD5=62AC9906556DBB8B518F5E616B6BD5F5,SHA256=20C363535256B661CBBE4000C3BCA341903C78186D862B63E6F21944A3C30B91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.148{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\StandardMSDNR_Retail-pl.xrm-msMD5=1DA0805E0E61E513B41CE5FB4C09A83C,SHA256=B3D7263C7E90150A9B16C0AF710540788CF45B249CCC1E6B40548D452AE8D2C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.146{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_MAK_AE-ul-phn.xrm-msMD5=79859351E0FEC56ECF37621B2AE75406,SHA256=95C83B6A0C8CFF7DA6FC31DBE1D8F4273394FC7259ED9189DEC4224E20345B9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.145{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_MAK_AE-ul-oob.xrm-msMD5=A70431F5D6690CDF870D2EB218C5D619,SHA256=E377B37DA935A8F7E1BCE884F6707E977754DC40704056A2FB6FE593AB399E86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_MAK_AE-ppd.xrm-msMD5=900884991C5799957E50D038BCBEEC3C,SHA256=2620092A3A7809446F0D4D9326C04FC2B031F22BC7678DA306D5232B584832E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.142{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_MAK_AE-pl.xrm-msMD5=9819B771EBF4197586C78C08BFC2D9C6,SHA256=AE201B63EC299FA7FDC4324CD010B7419CD9764B4E88ECD0447F077627ED7ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_KMS_Client_AE-ul.xrm-msMD5=CFD1979B7BA177BDF40EAF990ABA6DE6,SHA256=D047748A29E73E5395D7170FF0001D7D4D31C691E5F1DD1C4DDEC5B5C4ACDCE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.140{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=823888995977E8EBD979DF8A66883FE7,SHA256=EEA3BFC008CA8F9B08C882E40B72A3E3E87B2DAE81B80C78B06C15308B1F2FB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021VL_KMS_Client_AE-ppd.xrm-msMD5=77729F84CC88D47DB1708D43B9117537,SHA256=11CF5BB445DDD8C98778B2452E35D44373A7B60CE496A694FD84E11A101290C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.137{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Trial-ul-oob.xrm-msMD5=C612303A95F7D9B43B47BFC45B59BD22,SHA256=73BE09A02FF8CD94E031CFDAF9107F90AA8564CB8E648BBE2985643AA5F76A86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.136{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Trial-ppd.xrm-msMD5=498F296957E3D27F4034037D9AAC2CF8,SHA256=01D95692F39D3BEE989090088BDF31F5C34F8014DCF4F3BB3E48167542AA2BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.135{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Trial-pl.xrm-msMD5=9C510FA865916A6F0F786B2BDAA92C6D,SHA256=32A09DF445F2DE5F4A60B9590380969FAA9705385F602B889D336F505FBB9428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.133{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Retail-ul-phn.xrm-msMD5=71E28CFE1F9BDA30A3BB8B598DE2FFDB,SHA256=0455AFF2AC15B112B273A63BBCE9AE42DB7847AE48195F8DD2CC8C0BD3717432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.131{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Retail-ul-oob.xrm-msMD5=214938406DCB9A43EDCCD7740BCA719A,SHA256=CCB29345FAF7461FA619B274A6186F36F4FB532A53B4108DA61840595DC2DA50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Retail-ppd.xrm-msMD5=9C3245A235849DBB8F327721BCEF372A,SHA256=A9275CEC19631797EBDE7B3681C878681ABB95CBDFF9D0DD19B17E890C83950E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Retail-pl.xrm-msMD5=01735CF1EC4B48E4E38B917EA4113E61,SHA256=6A5AC6AB3E731D90DB8479EC792A7ADE12DA8A64ED7BF95F29F149711691B652,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Grace-ul-oob.xrm-msMD5=B0F9C0781F7CFB9FD833B507C5F0B267,SHA256=A0C68046D2F5B069EC8B3D71A3026EA976EB20161008124E3E09956ADE2C3E9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.121{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021R_Grace-ppd.xrm-msMD5=36796D01EACBB6B6437AD5F41DDD09B5,SHA256=F161062CED850890F34B41F4444717222B357CF59CC4EEFA4BD4DB9A01F5C31B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021MSDNR_Retail-ul-phn.xrm-msMD5=5A3972C45CF1894C522246024112A1F4,SHA256=55DEE7A3B6678D40D2F397C36D4AC2F82F5C49F249DA3C4344CD4B65C2E98F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.115{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021MSDNR_Retail-ul-oob.xrm-msMD5=7D1863333902BF4F20B5DA1C84F334EB,SHA256=5D093877EC1969EF7454A5FA70F347FDC6ACD19A1A3378E0933CC262E2F08AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021MSDNR_Retail-ppd.xrm-msMD5=7D44811B8C0F195F5A64E7BFA6AB021A,SHA256=E131C473E7C128341312FF31E9FB250C719892D83D71BFB8E251D730B522B3B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2021MSDNR_Retail-pl.xrm-msMD5=91EAB6675F766234BEFA5FC6E90E8461,SHA256=84C45B80558C7AB8A43AA7F03980F0CF4F5E308293D2B446CF930618298C2C42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.112{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15808BAB8D95D9A5941F9E28789E670,SHA256=3F46E3A00C7EEBEF2224B9047D4DDF7323BBEB210AEF7F077CC74F80C1734DE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-msMD5=A3A9E6F5DD6CCFFF287DF7D5F4CB22F6,SHA256=297895D4E8A1969D15EE11A52A6674E04C39178A663DFC1646EDC0487500B048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-msMD5=BBF3B253ABA20B029495029577091E02,SHA256=9C194B71F56D1E63512CBC2E02424463AE20872266B2252FEC11FE9894AE92EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-msMD5=7A763DD22841B45ACB3184035A7EF45D,SHA256=12D78D964A4EF5CB3E7310021AE56AB13BE5DE3B97160704164B090B0E32D9D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.106{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-msMD5=B056CBD0C9457FE24D936611E21A3125,SHA256=C005361AE8A59DECDFCD7FA3546EC6DDA00BF29BE47244DBC1966ABDEE9E3AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.105{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-msMD5=FFF3C411D0531BA587FAB3817CE7ED5B,SHA256=AED7AF4E18105AE9834CCD5E977786E45FFFC261772125DB66639FD442126045,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=6353AB103DF15CB99ECA8B4D8DCA9D64,SHA256=1FCE79FF4FBD26845BCFE862F39007920AC8A9A95806FC0BF461E56BD915B262,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.103{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-msMD5=15FE8732A0DDEC343E90CA2CE859E3CA,SHA256=75CA1A180D931CF3B5B7E2DDCD1FA2326054AB1D7D5B891998F2C7834FF6FBE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.101{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-msMD5=2D8FDDEA47D17FF96105A072122BD8CF,SHA256=3F47F835879CC900434DC3AD8352D213879342765D53EA48F422023FDC0288E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.100{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Trial-ppd.xrm-msMD5=E3DD4106A2BF2B6849DD5D7EBE0EC5AC,SHA256=DB66B641A92A947364942F134C6D2493C4ACB033F00F56666E28C680CB424C52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Trial-pl.xrm-msMD5=2E2A265BCF8BC52083343683DB736EFF,SHA256=5CCFD33A53015EA14464B6CE044A0A48EC8BE6C024FF22E34B4D954EB95248E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-msMD5=5D60BFC4E54D4AA4E8F18DA11983B54F,SHA256=92F2A7022DE2051932DC1ECFF5EA7B783BF7B2ACC35D687B24DBC00032457659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.094{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-msMD5=6C89B6638A04F0A3F46350B97B9DCEE7,SHA256=C8D4952CA9FAF873A692DE2440EE04EF735B3F11E2E9B1B3AF18EB536CFD7614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.089{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Retail-ppd.xrm-msMD5=8C6EA35A51DE3C9ECCBB5D3C06A1A0C4,SHA256=EEF9E7B6C795B8FF90E0ECE52D749E4818C3DB73F89B05CDA931E611E0766B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.086{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Retail-pl.xrm-msMD5=0C8A02BAAF61D99BCCA3740B0C8293E5,SHA256=8C21C26527A9338FEA6BE96BD5561017C4AFC6EE52F6F416F8F97BD24CC998CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.084{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-msMD5=C461D874F89BAEEC3D24B1D365E8E717,SHA256=F9F1D98FC17879F196036F4683EEB7DFA5D7E6ED1C8C0142E2AF5686E293A228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.080{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019R_Grace-ppd.xrm-msMD5=78970E43FB58FF47467BDF0BF9BBACB1,SHA256=1928B4AFD7EE25A664E52D84AC1E8F1E3DB761FA81666793149A86A5845FE774,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-msMD5=4979FEE586994FE2FD94E6BA7855141B,SHA256=DF0051D019214550946D095A0C8027A3F62F8068EB3AEC2218BE056B3D83C183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-msMD5=D63F95EEEFBD32B631458626B903DF81,SHA256=0A35644A2BED841053E9E04259A6F78A975253679E74F2D9E9B2387F3459D40D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.077{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-msMD5=F9307A448200C587A4111548A2F15679,SHA256=7EE8B1B160A299654F2AA2A1C6206B066271326E90D8E9B1E6FF78D6F60F6818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-msMD5=CE5706413A471BBEDC44E2B7E94AFAAA,SHA256=F1B8D54B288F35D08132A0E99865793F37BC34FAB04E5C96F50C0AD63D2DF28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.074{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-msMD5=74A2C3C1522EDEA2B43EB5FCF3403129,SHA256=573249A073F46475030E28845AADA9FE697191BD860A0385551A158C155ED2D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.073{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-msMD5=91AA4C087FFC84267B6FCD7DD513DC21,SHA256=D0056591222B020AA15AAAC2F3B9996B6A51DD4F8E16B98AD44FC04A8538ADFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-msMD5=DFA7F140CEA044FAD471DBFCD0EFF081,SHA256=C22751FA4FB0A5FCF5655B93FF576AD70F46D86B270D81A3165B579618BF80FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-msMD5=4ABA50608C0235C451A4BCF24D4C01E9,SHA256=3D14C44DBCB8BBAA020CF9B5AA95DD70A1F4E13DB868E519950AE4F3CAC94FCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.069{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-msMD5=EB28CE3F04F34044A75DF18F1C8663C7,SHA256=EEA145B11C80082EAF604BF3FB949A913DC3F398D6F4991B18F6C4D4C9CBACB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.068{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-msMD5=53B2B9C2CA0B3398620AC7DE01D48BFC,SHA256=C930636F946D12F58F7A4F0CB97829E14E7A6084AD02437CA4846D31986A52DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.067{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-msMD5=37DC2B7D840DEBA78B4F5F59F4F58397,SHA256=2DF62FF7B0472C01C9D1F264C062A886B4274C81274CDDEE6ADECBB8055DB7F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-msMD5=7D4A32D56C55A72DEE0F78ED9E5EB7F3,SHA256=887AE16C6C118012F4EF913589AD138BAFAD37552D51F0B15D5303A067A62945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-msMD5=C904500734BE5425BED90BF8F1717A67,SHA256=FE223E5FBB3CE517630CADE47A9BD7939DE4F0D85EA6227B39C8FCC07EAC1ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-msMD5=24A359A9047DB6F2FF26BACA8019BC24,SHA256=51A59851824D4813419956E0BBA2185C81DDC55E03AE35CBC695815ACA1062CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-msMD5=89C227873E38E635F710F05A2FDBBDAA,SHA256=457DFED55FA47D23E01897CED2A09CFF1CCF1FDAC0560282FF5C835399ACC75F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-msMD5=7F42BC5DCE1C39F1AECE707F6DA3A197,SHA256=8177BB6DD0519B34CB711CEA5385013757BB633511E31866F1CC4A0ED3B5C608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-msMD5=C1C5B812813411B79FD9692069F442FA,SHA256=27435C4AC78A0212FB5BB4AFE3C59175F6A998B70F87A1FFA41564568FDAB929,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.059{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-msMD5=A6976384FBF9B339D7DA52A0341F6398,SHA256=68C236D10E1CFD22F07D8256EC6CC3B2F3AF7FE3B1BB526C182AADE0808431D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-msMD5=D658EEDF9C6453CA7293320D6D145D94,SHA256=6CDC095B574A2562D5DB44893E8CA84D996D57BFFEEC98E10407519BB793F4E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-msMD5=66A18E900DC2207B8C4C3B31274DDF23,SHA256=776B5614DB093C4055A6FF171B387869AB958E718CEB0CD145978110D062EADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-msMD5=B8F853868238D4749CC883FAB4048645,SHA256=8E8565A3E2625335F813B21239D17DE6E54603BF77C28E4328968C44A35C5896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-msMD5=287AA882C284464B50683DBD2560257C,SHA256=D8C34F4EF2A0133EAF20419D0BACAC5B4AF150DD0C9ABC90E1FD56A0D62B29B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.053{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-msMD5=AB4B23209A5EB89B8BB7433DB6101B15,SHA256=96D797B41B0292893FFF3E10DE46FD08EB413114B1D41CF2789960017819854F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-msMD5=FF61FA666C76DFFDAEB3C8FB1CE9546F,SHA256=9A304F2EACBEBA754CF2DCF2F985AF4C2F2FA741191BFB6B04003140E6F4107F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-msMD5=7C9DC0F0585E11F832D75C0241EBE826,SHA256=48C7241A4BE9D141E1EB71B28811A408D4511F504B6F300097FDA786BB59ECD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.050{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-msMD5=5B04D194069AD4210DD9D1BC85644309,SHA256=742CC0F02D0786B039911265DE252E2FA9F2D66406B61B2B18FB8C1725A5DCC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_MAK_AE-ul-phn.xrm-msMD5=FF292B497E294769AB5EC18F73548BFD,SHA256=2F6585E17EA11C2A0A32D386471BB7CCD6F8652E9795FCE8E0CED34AFADA9605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_MAK_AE-ul-oob.xrm-msMD5=21A8FD06E8AEAFADA5AA10664B2CFAD2,SHA256=25CFE3E6932566EE0CD7B8F8447B217E6ABC34CE414671B0A0535B46A0EBAAB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_MAK_AE-ppd.xrm-msMD5=D09C9B0F1CCBD07A830067C0734E6412,SHA256=A633E474B652C5668417823ABECFDBF20A525A2FC5D33F57E7DB0A1FBBDAD23C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_MAK_AE-pl.xrm-msMD5=B319130015B98F1AA69E68185F8841ED,SHA256=E430E0506DC7A9AC4B98C320F7F7E26A15EB50C8B1D3B42675645BA1E6582EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_KMS_Client_AE-ul.xrm-msMD5=BFD1FD3D0079FAA7337C5D4CB5C6CBCF,SHA256=9840FD3E988D6EBBF7032CEE01AB4209799613EBE6C145AB048A35755CA58221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.043{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_KMS_Client_AE-ul-oob.xrm-msMD5=CADDE65EC7DA90CD0325800EEEA66DF7,SHA256=9AD16E5104B993ED885125BF35511B1A8B3E00F7B5E960A9FB485AF3D9FFA59C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.042{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021VL_KMS_Client_AE-ppd.xrm-msMD5=DE3AE1E6FE24E6D63802F7497956C1C1,SHA256=3BE35E595A0E0254064D20D3AC97E3F86071E909B5EEADDD641C1B9CF5271E0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Trial-ul-oob.xrm-msMD5=E9BF6A30C1B9B6233040597A4E485AC6,SHA256=A06CD8A840D5D7252F43BEA0E6DF2976566424BF8DE6648493EE624D31AC67C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Trial-ppd.xrm-msMD5=6C1AF5FFE0FB1A4DDD17088323A7058A,SHA256=CD815214F5227B6E34A402629E27790A49BDC7517526B53D0B5C4AA8F9C8C0D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Trial-pl.xrm-msMD5=6241463B6D2838821C45D2CA91C80523,SHA256=A321BC0BF90ABF7C019C72CF113E671C084BBFB4FD5671C37469DEAE0282A1FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Retail-ul-phn.xrm-msMD5=D80D63D8446B3C62399361411A7A0900,SHA256=C67C78F4F19C30175A731DAA6882B8228DB9445885D91745F6D2E408F6D531B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Retail-ul-oob.xrm-msMD5=593C6F0A691743CF54DAC3B5653067BB,SHA256=452BDCAE849CF6B13532AE8D701BB7C94872764D5318920DC7B0B124598283D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Retail-ppd.xrm-msMD5=521693DED9A552B51BF655249A681C86,SHA256=3027FE7E8B42EEB2A510BF0C1D7BDC479D0478C551B719F6939F9A52EF00C18F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Retail-pl.xrm-msMD5=8C101244DFCCB642B5BB38858249485F,SHA256=E14795C1E17A8D4E98B7F0FF23FCB1016CAD227FD0848697E44C9AAF81919972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.021{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Grace-ul-oob.xrm-msMD5=F1773E99F0FC5043AA7D42E5DF4A113A,SHA256=18FE87EFF0813D371F657AC373E0828A25F43EC2D9C0C63C873962569B1EE45F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2021R_Grace-ppd.xrm-msMD5=7BFDAF67231AE9C89DC26B19D80594E8,SHA256=3C186B7A68B33C225FFE807AD57694271EA15007E47A450DBE581EB46AC09347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-msMD5=3A16816C915F6CCDA54AEA52A927E8BD,SHA256=AAEBAE4E939C0F8E64D9F7801271533A98F1CDB5D1E3877FB1DD7B9736E93BB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-msMD5=6E10DD3FD32F18A746B11F5EE9102DA3,SHA256=7A105B76ED9131BB3852B074D64A08960B62085FF706FF8236E667B874E8B63C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-msMD5=8930F2C736B0C86497E2B79F9A95E40A,SHA256=4A45691C7F28512B041ADCDBC560425F2BE6036CBB35525ADD96828E8AF499D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-msMD5=AA6C0387C565FF46824B90FC3B292794,SHA256=79263BB720499E6FC1CD7FFE806CA53338785528F1404167248E11F1C863D0C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-msMD5=BB463D9C99DD38DD3BBE15B5A5250F78,SHA256=DCD25EF7BAB499A8D067EADC674EAB691324011E0BFDB247B0064DD3A0A58E52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-msMD5=700803F0435CEBB3E2197700660D764A,SHA256=EC513DF1AE913DE2BD3202B6898F6F54162996865C3D737EAF2D8F48D029AB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-msMD5=EDA8D77102A6626E7A95811B64347543,SHA256=7ED63FFFDAA03C359F0443779449E9300BF88D20CED879FBF82BFB9DB50F7D8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.004{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-msMD5=3B490353285D0F84F576516C193915A5,SHA256=8392D90B5BAFE87AA237DC509C4423B19B9B16ABE7FBEC77BC27D1E26C0413B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.004{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E45A0FB51B9A339D372FB312AC84420A,SHA256=40CDA5A6E73937BD90A04E44C71D08F92D6924A950A24EF75D2276D064BDCE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-msMD5=E5231569508D0B08EB80C12BEA6028E5,SHA256=85D03B841EFD627929205826BCEA8EEB271DBDC9827304736303DE4E8E36F631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-msMD5=657837A989639D1562A5B6DC0C873A21,SHA256=4915F62231DE9A8C1E9F0834D8F7FB65CC0E5C9725B6D9C2AFFB40BF39966603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000326577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:15.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-msMD5=3441BC877D35CF6CCC5119E6B4489A8E,SHA256=708F460301CD6E3EBC0B206CD2B8F24766F947C48EEA592F6A54331679C86003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.449{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52697-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.449{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52697-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:13.613{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:7600:5f00:9800:f54a:aa2:ffff-62125-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000447920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:13.613{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local62125-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000447919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:13.593{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52696-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x8000000000000000447918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:13.593{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52696-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x8000000000000000447917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.828{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=897EB94AD2F67D5BE95F7C1E8BB4CCE5,SHA256=24F69B5E8694970CC405792BA9418055C86B61DDF5C398AD4617E08F60F8EA54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.765{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.765{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.719{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00659C2A1140B6CA53028FEFDD867A20,SHA256=B1545163AFA8E68B50529A4B31CCF9ADAD80CDB47FCFAA0206D92DAC7015E661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOneNote.nrrMD5=C825DF20A791756F4CC38810D943CD3C,SHA256=3D775389847EDF60A458B940EFE8261750C9A4E7BA6D0C068F3A125267A819B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.578{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.578{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.578{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:16.204{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=98C9B0C8E5241FD25C81B98055C34F4C,SHA256=DE1EE0E24FFD3F4F8FF2C4837B917E340F250C02506519A7F67A42C2F012CFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.975{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeExcel.nrrMD5=DB255540CDA46C928181A2284EC3A3A5,SHA256=720B840A98F08C2D7B8B04FA5EB39A95168A0790A775485BA2D361792B84E6DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.975{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeAccess.nrrMD5=B3295B9BA6170F890EB03851002A4307,SHA256=4534D62AF45959493E822337EE7F2C1FF11039CC8163C3C96011FA05A7575229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TelemetryLog.xltxMD5=4F0C3E9C2A18C50D02F7747A38A826C5,SHA256=1C6E87BB81D9541DE425DE974A3C12BBB58D903BDD26303A30088E3EA2EA6740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TelemetryDashboard.xltxMD5=C0F0C1541E8C2498910C4D78326BE75B,SHA256=9A79850D172D21FD8E4299E24DA7BA03A3A1562690C813E2F11D5F80823BB761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLISTI.DLLMD5=36B480E8B412E12C3F50AFA8EC2C3A94,SHA256=F82B466B094E0A439D12DCDFEF792E06BDC9E5D84402C9E9B607F72F56F44C4F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLIST.CHMMD5=89920DC13154BE087439A2935B0C78FD,SHA256=16D7794BC0D43F8C8CAD61F6FD431B168026BD4B369E06ED8125C5D1A6B5FE88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SOCIALCONNECTORRES.DLLMD5=A27F459A11A44B73682F025FB79B1B4C,SHA256=410A1AF7D8A0E52B1DCABB80E6634DA67C0BF15E81149EB5A5BE7ED51CBE7454,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\smb_eula.txtMD5=0656823863D5149679FD885B1C8A02CF,SHA256=E595CBBD4E39F29B65FDACA972199951242E1A214EBF6B691091880DC1133A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SLINTL.DLLMD5=73ED8919240EC7C54B3524257B654053,SHA256=300313B91EC55EFA7FA5144FAFF771A6185AF0FC4E29CEF1C68D1B8051AC0599,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2021_eula.txtMD5=666E67F18D742E83EFED121185F6EB4A,SHA256=6932C58B3549CFB10AD466D73572F4D6A533712E5A55F3647E25361CB55FFCE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2019_eula.txtMD5=666E67F18D742E83EFED121185F6EB4A,SHA256=6932C58B3549CFB10AD466D73572F4D6A533712E5A55F3647E25361CB55FFCE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2021_eula.txtMD5=D0748D0B42B521DDDCCE5F19EFDCD25B,SHA256=90438A13AB2C3840A47163B1C5E6706D1B4EE87576766C3BC677F7F3E50A5228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.944{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2019_eula.txtMD5=199E27792D4C0D45E08CC5D0D3C02AC9,SHA256=1C7EB2E23415A3DC724856298A2215B6E3BE4528826D10C437203F7C1E770098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINE_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINE_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINE_COL.HXTMD5=333F8D3F2BC846CD8B1E39052E20666F,SHA256=E8CF51A282D00316003845F75DEAF5FA6C8271A9C3AA498777CAB901ADF4DFC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINE_COL.HXCMD5=6D022391B1BB49DE7B9ACCFF4827942D,SHA256=D5DBD3B579476C5FDB94FC7614F9BF9DA736F714E502F0AA8587B43D5C0C1A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINEG_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINEG_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINEG_COL.HXTMD5=6C3F44824282154FE718B22832A3FC39,SHA256=72C7441ACAA541F9CA96A3A10728E22BA197023E5B26D515D826F0083DC2960D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINEG_COL.HXCMD5=DE1B110CBE87F306B58D81B5BD05FE10,SHA256=4C0E1476504A2F1797AFD3F8654E45E98915B9D96526FF9AEE012EB1175C6F0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINEG.HXSMD5=740BEDA555CFE02BF4F859BE2BCD86F8,SHA256=4F5913AB96925FB92F5D35FE9F0506D62F6575A1D9CDC48D6A91C96DDBA1DEE8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_ONLINE.HXSMD5=212183009DAF7F18865DFB0787EB0EB8,SHA256=4948C1869FD6871DD660822797F38EA85019253DB982442978ABC85843D2847F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.928{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_COL.HXTMD5=D4936D1A9C6A6D82A4598C31255F4A11,SHA256=FC80A71BC2A60CDF8A0052FB707A9C466D0077CE15E91AA266F7A670A2E64BDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_COL.HXCMD5=EA51B4FF2D92A850BA3C0CE450CEC62D,SHA256=0E99BBDCDFCCE8A8493A49775B2F93FF085F52EE224F653808A1972B7B064059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_BASIC_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_BASIC_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_BASIC_COL.HXTMD5=73995876C877C5452CB339D00ACBD907,SHA256=F42AF963979E3A0ED31EF6D8E6924952E7571F05C7FD945C53AF1ED8B3994017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_BASIC_COL.HXCMD5=4C85944D450510FA7D8ECC22B10E3778,SHA256=7D9AEB3BD93B1F3191C4B42BD15FB9A15A93223FEA56EE352273318821561914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB_BASIC.HXSMD5=62EECA0417252E2F07167BAD2B8D88AE,SHA256=744B65CADF18EC14A051ECD254B28C5A7988ED77667BB99DE4941FF7D64A7EDC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SKYPEFB.HXSMD5=4CDAA6E1F60C4EF6873F1745A9A5AAFC,SHA256=2B7808BECC46F4A4682F801C13A0B67773192B8BBAB7947501DCBC30AAD79B4C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SETLANG_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SETLANG_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.913{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SETLANG_COL.HXTMD5=5BB9A0ECC3D3F9C41ADF46E3AE5989E2,SHA256=A47928A24648BA8A43213A596206BCC10FC6F95B366311CFADE288F4E6B5677C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SETLANG_COL.HXCMD5=2D5B32DE3AFAE50A363A61FD85C87D81,SHA256=70D387AD2D1E1273CCED0E3C9BFB7FDDFB851E30A7AC5EF16EA55C0316664E26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SETLANG.HXSMD5=1A4B688E1C2E1CB7E5BF16D0FFDA4C6F,SHA256=5FED013FB3349104FAA14323E3DCD79AA1403105AA7219C094DD70C7656B7A9E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QRYINT32.DLLMD5=A940AF6EE9C26DE4D01B6214354F597C,SHA256=1BC655AEF2A1E0DE80C4051676BAB4C807E35991A32F1E7E67171A56FA31A0F4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBWZINT.DLLMD5=651AD3573D81C8CEF48D09EC744512A8,SHA256=082088CC7F2F7A2C0DF2B84CDE23413F138CEA584D35E4B84585A6A5CAEC86C4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBCOLOR.SCMMD5=E915ADCB77D3871AD7F63506F19050E7,SHA256=8A6BF9DCF5EB6E6F40833BC402FAE792F64B091ABC30B85439C4300F42D83C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.897{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUB6INTL.DLLMD5=4A90DEB22C98E3959E0A5E9AF26EF84C,SHA256=8BD1240F0F031E135F19EEF3B31E41A60DC86F002EA7336A8D258260939E6C89,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.883{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PSRCHSRN.DATMD5=4EFB221BC250CE29D4279FD9F5CBDAA5,SHA256=DAB41152137DE61D4230B51D5C76415417159B6DA3CFAD763AFC3FFCF662A7A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PSRCHPHN.DATMD5=4BABCD7A6F7AA33EAE6791DE2B79C075,SHA256=E0B2C47EDC3315F144D4FAB2DB64A1541A9361D1248FEDDA79FECA332505F2F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PSRCHLTS.DATMD5=265B2AE0098EA6FC19A1EB56D6F062F1,SHA256=A9FF4194B71675CEBAF615CDD1F1CADD1338DB0681AB796F24EC34A8B58AC857,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PSRCHLEX.DATMD5=6DC51B8EC54A465714765445DD0190AF,SHA256=47B84AD0B3F65DB4B646AE412535DF78DDCC85D169EF34DDFFBAC95B89A1110F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.741{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PSRCHKEY.DATMD5=637F36F8C7AC336C5448B5FAADE33158,SHA256=255AFAB2453FF0F9D5043DEC621CF8CEC17501E0F37E3F0DFC444AF94F6E4810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.XLSMD5=D06585F0C1DABE598CB56F2776263401,SHA256=398110335CB8E62BC91B4117B613C4C699E9D1CB3A257AB67E0A86C51DB961EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.PPTMD5=AD3AF821274DE583BCAD58524F5D3CCA,SHA256=4125A234E556900B5A2397341916748996B2226B23443CC70566363218D9ED7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.DOCMD5=DD20BBA2C4DB5CC6949844174B1BA279,SHA256=CEE85DD9B74E156C969FBF55A12A68A2B388F7DADBC446549A07211FA3697A63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.XLSMD5=9BFF69AA98FE3E0D7EAD3622F4E67B34,SHA256=DF0B742B3B70F19D3413C1827925B5EB207997CBEC14A8D8AA9A38400433C195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.PPTMD5=869F9133110546C95F112B850A33F98A,SHA256=8E3385E40B72D42DE5564395B005C12680D0722D82C1B35C9213E6BF7368AF1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.DOCMD5=DE8AD0E10036055D807C48C6E212D525,SHA256=1EA89436BA65E17751325F9B1F80D68F32B02C0B257D74295EF9914D2608AA92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTOCOLHANDLERINTL.DLLMD5=5339A484516799988EB33F5D997C0078,SHA256=689000FF3885212EFD072B0D95AB3170C78F92EF17828379BC773531BBE8AA1C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PREVIEWTEMPLATE2.POTXMD5=B564DA809C4364F1AF7320D5E15CDC5F,SHA256=3618286B339098B71B71D7448DB235968C4B514240BAB408F597754D48F5AE3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.725{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PREVIEWTEMPLATE.POTXMD5=86EC47D3E3B7AE5BA4A1582B27911880,SHA256=4AA03B1A884735219C62A9F3D722A148791AC6BEFC943677911272B53A475FFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PPT_WHATSNEW.XMLMD5=86587E78DC84C527BA10A6BEC88C418B,SHA256=17B2C82B33FC9DD13760051281E8C3D408898224E5CE9DA04183403790CD2FC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PPINTL.DLLMD5=920A09EE92BA42CA750BBB260C746C7A,SHA256=4702391B4633FBF8A192205089C92AE5D3A752E69232EE5F9775CE6258C77E10,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.709{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txtMD5=7EC7FB5DB2FEDB78EBFFCE9C444CEA36,SHA256=400E7DEF8E006E3279668D69F181EE31E01396AF5561CB95CDC80F11A1448E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\POWERPNT_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\POWERPNT_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\POWERPNT_COL.HXTMD5=3A52DE047D175CB31C704DB04EFCE59A,SHA256=0857DE352EF344B436B20EBBF54ACB2B0CB6FFE1831923E0652F010450B8B13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\POWERPNT_COL.HXCMD5=8B57C5496B5C82D93D9095AA1E6A74B5,SHA256=3C552ECC4C46F9B612CC1D02327248E5279284770C69FE261D2BB48BC025DB94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\POWERPNT.HXSMD5=C4A3BE4484451A087543568F3C5225EA,SHA256=21410F7A91B80A417749C5BC4A79348DD8B7B2F6C3D536CFC550538400AA7BBE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.694{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CB68B1EDBCADA0998EC05DE8C47DE2,SHA256=BF403449F6F2A604D016A1B90867CBEC5C2E1CCE6D7802E3F285FC7A676B92BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLWVW.DLLMD5=736547427780B72B2F848BE9E49C18B3,SHA256=F91BE344765F88C76426D09E5B7BC6F2AE2C7C6B2DED746E12D8D76FAB2E1BA9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLPERF.INIMD5=509A7197AE66401D1DA76F4BAC1DD0A8,SHA256=EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLPERF.HMD5=BC71FF7DA14ECA943FA0AD815F72B8CB,SHA256=48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK_WHATSNEW.XMLMD5=3AC3DAD8B764D3CEF8B69B81E00100B7,SHA256=F56BA2C1361DD8262AF35B07EDDDC7BEA668549F01673B9D0F32F1AFDFD4C0D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK_COL.HXTMD5=1F12EBFF96E17BD71FC7AC56835B3B68,SHA256=FF1A99BDA69B78AA12A40B1355A9EDE20A4098A11F86377D44C68C4CC7275AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK_COL.HXCMD5=77B0699804754EEEF89B478237ACE897,SHA256=CF5E1BFB9CE5CC47E3C47F9A48C926FEB978278D0F2ABF0CE6BFED0C8B0247B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookTaskNaiveBayesCommandRanker.txtMD5=373DD5983391B9FBCB8C6B88F9F85205,SHA256=302FE205A45ED7A96B4BB20ED108B30F2DF9E195A00E06B7E0C971687720825B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookNaiveBayesCommandRanker.txtMD5=48B3D22FD7C711BC3FB4F701C3180BAA,SHA256=4EC7E4F78AA716C0DA2C7E816DC9ED401C70395F77569FD4322B5C0FE1701904,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqSendNaiveBayesCommandRanker.txtMD5=AC2F8494F0818E4B95DF5165E40F117E,SHA256=802E668767A8E7876B59BCFEB12A9047386E0AA8175C1643037644AF2BC09284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqReadNaiveBayesCommandRanker.txtMD5=5B967F7A6626CDCF436E54073256B23A,SHA256=EA6D7DCC56A2138E3149A470D79D4277E6CF02A460A574F494670735F5876D49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.647{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailReadNaiveBayesCommandRanker.txtMD5=45820EEA45DFB0DE55F1CEBA3AF85ADC,SHA256=8328EA08CB2579D7785E223412CA9C2DC2C6F1F2F980814805CD62C654D51C05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.647{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailNaiveBayesCommandRanker.txtMD5=36FB6398463C63C124401AA47A6338F3,SHA256=F43E6DE303D4814EB7E7B9BC48E96C3FD32421AD61F85A7E2A85BF9A102A09E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.647{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookApptNaiveBayesCommandRanker.txtMD5=919F3EA66AE401E5AFEC88EF39B4CAC6,SHA256=4682DB83688BD4DE4EE8D26E916672D383EDF3A34CCEECC10410BC025FC15AF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookAddrNaiveBayesCommandRanker.txtMD5=D9D2194E0AA2351EAD86E850BC4D4A35,SHA256=03BFE40DA36E93212AEEC14CE3D142F4BC753E6718535012694F3F32ACECC231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK.HXSMD5=6E74597327DA43D715B4A19DE3278694,SHA256=D2BDCE15B7781E7D9B4EAD907D6F07A7FFDBEC938343B0C9834254FC9D5ED040,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.616{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLOOK.HOLMD5=853582E0581BAE06DF5B1B791FA97376,SHA256=2440B78B899F5E1131BF600C52CDFBDE2DDDD91C2A3136C1B7B5C7887B2D060D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.600{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLLIBR.DLLMD5=1F6B0398CA665C9F2689DEBCD1FCE0B0,SHA256=496EE4AA5C74D354A4F35C7E0FC92BCF49F4F334D5F53CDBBB690D605D54663E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTFORM.DATMD5=5D512E3AFA69A20E09ECA14162F867CC,SHA256=4E8D7D8866B8D61EC92FD312E334C1A9558F8A88A4B793DD84E8B15262B685F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCINTL.DLLMD5=EB0F1D8787FD1B8622B792982876A89F,SHA256=EC2B43CF1EA4D5430AB4E2A2FD2B80C5D9735764149DBF3CD2A16C4BA8088603,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCHART.CHMMD5=18950E798222B3439C5FD06FD754511E,SHA256=79FAF6639F0389BC70F4D78BEAB03B7C8DF30D7A330CCD386C5679E1A0431AFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONINTL.DLLMD5=2EF0CB36FB87E4D865529DF8087C5B2A,SHA256=0EE3A753250B80A52BB0D4CDAB772B874F20B2619CF880AEE6AAD2867FF0F635,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONGuide.onepkgMD5=463C7EDF20A0F2BB52D65B156E5D6343,SHA256=37C69116B82A65694BD0518B6730A9B1CB8024479B8ED3486CF342C313DB8D3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE_WHATSNEW.XMLMD5=33610EAAA1F397E7E8C9A82DB14126D6,SHA256=6C2EFEA710264B9443ACA11926A3123B289336BA2C4E333350185C38023B1D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE_COL.HXTMD5=CF2F7BC27D3347765F403C9CE29F1694,SHA256=A6200C12607B90230BDA67F133DFEA0DB8756DBEE1FC0D4C4C96DA6FE0757ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE_COL.HXCMD5=4DE1721AEBC8F9E37BDFF1F360E08E2D,SHA256=AE72FC738D036D36B785D1D67FBE3836AE59BCEC97E3BDC57B92760B8E0EE5E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.554{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONENOTE.HXSMD5=53456BB00AABC3213260BC2605F48CB9,SHA256=BE94BDC35239779EA6BC246A50B6F733727D001B888211BDD1B2379BACA438BA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMSINTL.DLLMD5=CD2BBCE0315053A4AB59246941F0CDAB,SHA256=E031CBCFFD4BC43C1E26D29C496F2F2FBFB636CEDB45DC0902641CAFBC21D624,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMICAUTINTL.DLLMD5=E42BAE9A86282D69EC706E4B8D32F56C,SHA256=7D0F111508710EEF1074E91CE026E37F8999CFABA17BFEF2AC6E44B4CDE913F3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymxl.ttfMD5=F7074EA44AB8CBC837659FF0988ED5EC,SHA256=337A3600038FDCF592033D5C2027157F810A8D7F0F5FFE28A2669468C4CA8D8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.522{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymxb.ttfMD5=D034F0D3DE577FD8D7BF32AA88805C78,SHA256=B3FFDE2858A760634883A0A8AA5E6E0AB1817510A7834B111B5A197B96D6896F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.522{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymt.ttfMD5=2A15A32916C6E6E20FE3784A2704A8DC,SHA256=54C9F986CBDBF19D368849D70416193F0C93773FCEA174EE579B940F9B4099D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.522{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymsl.ttfMD5=F5A9D6481AF8C8537FCB8F20EC20B5FE,SHA256=BEC37E5D27E6F34A9078F02F6E2693C4F23582A31FF5088C0DF7E0053D937392,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.491{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymsb.ttfMD5=03423C781C5E2BAD6E30CDE16A727535,SHA256=EEF13FAD912A76F9359BC8BE7D327D92F50F49030199E7022BF3D7516FD66FF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.459{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsyml.ttfMD5=F64C9F744C0CE95CB886725DD3B46856,SHA256=EB711AC3DB90C885B0FB17BA5184F82BB04FA684F001061C556BC1377C782DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.459{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymk.ttfMD5=7BCF072C4F4DCDE1787C413C000F24AE,SHA256=202240248310C98C5E62692C5232F5A0D66D70DBC276553C3A7D98B07ABE7C05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.444{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsymb.ttfMD5=93315D16698C6BBD8741469E83AF7090,SHA256=6B34E1583F82BA1048ACFD9303DF3CB8A6B5564D979377841CEE4657EF1AE208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\offsym.ttfMD5=3B426FD0BBD534E5FF4A96676ED2E197,SHA256=8E3AD9F7DAED5EC21724972675AD8D9B02BBF6DFCD9A9F3FFBA27BA415E1663A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\officeinventoryagentlogon.xmlMD5=5FA24116188AE6F686320A8B190C0EEA,SHA256=BE1BCCB56A1187267A73AFA348AE0919BC7772EA2260A9CE8524EBD5554DEE4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\officeinventoryagentfallback.xmlMD5=BA5EEECEE8DCFA22E8486E8836E2DBB8,SHA256=87CE7D2E77AFF4F7314E75EE4F860E66F6AE1AD5D6C81EAF7E38FD3EE14AB03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcPubRes.dllMD5=ABEB3DE712E8C8E892AD0D3DA2D53426,SHA256=95FAA12B9F8D8E49E1DEA8934BE114CBEBDA78C1D79F8F3FBBD03E078D2805B1,IMPHASH=8CB32FCFB7068FC225DB27CCFBED2A1Atruefalse - insufficient disk space 23542300x8000000000000000327285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcHelperResource.dllMD5=A3E8A0D1D224B839CADEF97927448756,SHA256=A3EBFCE4F8D53AF5A078CBF0899F06880DE706BCEE11C82DDDD90BE9FB2FB5E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ocapires.dllMD5=3466C8C74B38153421ABC91C82D05852,SHA256=F079FEE7CF75673AB03C1DA0E30CB3E522C02ED1F541A3B8FA5AC993D87E654B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSSRINTL.DLLMD5=63AC0F5B3D9BF8B14B65FE3458E4E1D5,SHA256=1520ED9F71F46D5B2525D06524C180541BF699A83E9E50A4EFF53C2417838E33,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSQRY32.CHMMD5=05D96A79544107BFE04C861B13D87A66,SHA256=03A60568C18822BA0C173FBCD280524E2E9785B16C0C1E24386111B6075F692A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB_COL.HXTMD5=6E8D2A7B74F0239471E336F700198F0D,SHA256=2B25658312BD00C2F73564A58E9F260737840E381317522BBEB766A2614D4EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB_COL.HXCMD5=C8FE2A0281820DD9394665C32ACA2B64,SHA256=99E93D2AF41804DA8A4A6C3E594000ED4F468161BECCBBC3E32AAF1E7BA87348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.366{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB.OPGMD5=A894191ACD8B89C7B12D62B757A02059,SHA256=CD6640BBC12972FD070E982355886CC415637F6C77B8BB5D3EBE377D859F0354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSPUB.HXSMD5=4F0C130D57FBB48557C9CB576AD78D45,SHA256=955E76405E369CB2784CA3D800DEB16A3F0D0632D3DC4FBF0C4F7052A4D233E6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotelemetryintl.dllMD5=828A6473607F81ABA7257402F5CC29D9,SHA256=AE5379C1725B72A934C0662DE8A72070DDE21DA94781291DEB05068B572F1DCC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotdintl.dllMD5=2F460D81BA197DF8B4C5666B74550D84,SHA256=884248658F28C60A4C588503463C9AA548FFCD9A08155C5386C73F9BF1BCEB02,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSO.ACLMD5=CED43D4FEC3951BF64FF86935C28F5D8,SHA256=B39BA3C8A1A773D123F0E9FC5E73DE907850CCBA6749310F966E11EABD0A3243,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSAIN.DLLMD5=84789393C5609838670ECD21791C0A77,SHA256=F610F194F751995057376FB535D19733D106EA65ABD540BFF60F15A6C90090C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.334{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E57F6199EDE807639FED20CA9E5CC9F,SHA256=9D5BE337A3BDB54234D871E220EE9431BE93A3059C9EA1DCDB264D978EE93E91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSACCESS_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSACCESS_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSACCESS_COL.HXTMD5=51DD3A08F9915CE3E2D2362A9AAB2476,SHA256=895DC5EC34A53A8FAFECCDA897727D6780719F91011B26629832AA6FE794986D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSACCESS_COL.HXCMD5=844C564EF711FDF3EBEEF2E73EE36C80,SHA256=FA2451BB0B052AB04F36303AA8D7CA823692411E69FA6C97FA9B537879325E1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSACCESS.HXSMD5=73DADD3F136600C191C688A501EB2660,SHA256=63FB0F016DD5556E58F88EBA3C513ABD3ADBDCE150CDB89754FE7DAD70042CFC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MOR6INT.DLLMD5=043AE502AF93415603A28E451A5D73FD,SHA256=03DFF5B007176FAB326268799323A626C42728EBAD7D2D4AC23540C719303477,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MidgardStrings.Rollback.jsonMD5=937634FAC692DC3152BB7F6114ED231A,SHA256=DFC6A2D15515882A5525C6AA004B8D321DAF387B29DE1E9050F5C3CF86D71633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MidgardStrings.jsonMD5=6000F44437705138EE585FE75D0372CD,SHA256=F30EEA5698292EE38F6B773270DFE566AABC1CAD58643BBC55CC620B1982ACBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPISHELLR.DLLMD5=8D1BB232A0AD546E12B62B4AF00201CE,SHA256=07DE3A09F039C6994106E72E7B11B42AB44B757D4BECAB3BE5A748F24E41EA95,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPIR.DLLMD5=A5E8891F2D05DA460E26CB9EADF90748,SHA256=A8DD67788F1306EB517A4CD738FC7AB7C8D38723EE5A05977B351E96E515CD70,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.273{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_ONLINE_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.273{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_ONLINE_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_ONLINE_COL.HXTMD5=0827B6E99C76D96D8ABE252E7358770F,SHA256=AF42B323D583568AFBFD69FA53F337BE492F51545455C63040C5FBA8CC8CFB5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_ONLINE_COL.HXCMD5=CBC1BC9655715E6A4EB810AA7969449C,SHA256=F63C2F0BB0A3622E2D5147AB1FDEC607F3DCD4C5B3299490B320C15853DB299C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.271{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_ONLINE.HXSMD5=25F254D0F17E2C19928E2CFC04BFEB7E,SHA256=575ED1BBB4A2CDEB75C915203E5CE79DFF49CD4AABA73F5D6D580E914327B58C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_COL.HXTMD5=12905F0525B7029D285E893723C04D69,SHA256=55396F6BBCDD649BD4A94CF14D1E73559BA70DD5B3E5745EDACC215BAA8EBFE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.266{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_COL.HXCMD5=7EA89C0D3180F91DFFB17FA0935DD58F,SHA256=3651F9849D78DCBFE53A395AACEA1C6140FF9ED9C97BA31473C4D77BFD8B2F20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.265{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_BASIC_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.265{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_BASIC_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_BASIC_COL.HXTMD5=DB2F4C1E766BD92BA024D99484647BA5,SHA256=BC54D8B8D1A2B44E657D154DFD43CBBD9D31DAB7B70C3B8D4121213D6368A3F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_BASIC_COL.HXCMD5=BA775ACB0FABE82DB1F0CA1D1CB35F79,SHA256=FB3ABA054AB92A28EFB8B24E95E11F3EF2010AF98094150234A6ED97BF625F6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC_BASIC.HXSMD5=7544BEAE0A73854DD108D00E1C8C8781,SHA256=EF92F30A61EC5CD4A41E3BEB99F2B3B6F9FC0BFC13D1C17544BCC207544B6664,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncVDI_Eula.txtMD5=57D661D897D3220520512D4767F35FC2,SHA256=D7E36C35E42C0799A87131320B174682A74DF7B0CAE2C51C6128FDC8255D54C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.258{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\lyncDesktopResources.dllMD5=3752D4A255236B8F525095A0DC0E11C3,SHA256=C9D42FCD9398702C5413AA3DB06E3A7163A6D5B165B06677CB314F38160608B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.246{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncBasic_Eula.txtMD5=9DC106E2FA19D2B6D663CC89E935EDC6,SHA256=4DD8E741C8232A238CF8C2C83514DC2E694E13FC2B2D88B8E2A7CF7BA73E0B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.245{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LYNC.HXSMD5=3C3217B8BCC4D87D6D7252D27AE814D9,SHA256=915A24F6FDCC7421E96B5BC9849534DFBD9E4A2A982492237C5E282EB3B9DC2D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.242{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Invite or Link.oneMD5=EA1101CD06181E9BEDCA640A7CF4517A,SHA256=2CEEFE8ABAF43487A4C3B88E7325C477014C27BA336F317D7FB9741C802902D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.241{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\IFDPINTL.DLLMD5=07D662FFC7EBDE5CF02C5A7B3D2F0182,SHA256=9C820D381FC81861CD36459E40BC2D5E5779094D8590DC90B380C71F251A6766,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.239{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRLEX.DLLMD5=3C8C29D40473920320684A0FB37440FB,SHA256=750C8B939B85A5AC8117160FA1368EDE3AFF7DF9371CBC06411D608072F00A51,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRINTL32.DLLMD5=8C8E918DC163203DC9B43BA1901AAEF5,SHA256=23A3B596AA20779F09B2914FCD3D3E748C964C30AD0C7C0BD77A7E7D3E67F587,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRAPH_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRAPH_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRAPH_COL.HXTMD5=0431FA92DD9D0B224B740D40D55CEFF6,SHA256=42B64E6605285505D0CAA7073A7C3D7205EEEFEA512B0B6A9FB65D2C9F3B91AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRAPH_COL.HXCMD5=878911C6C99612300889691E20298A74,SHA256=C17E3F9D31721D9F57D49ACD7623BAA269FDD4BF8D9A3F61575E112CD3F06B20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.231{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRAPH.HXSMD5=28090B5DCDA44E5B93554AAEDA0ACBD3,SHA256=4DEADFF881455BCDD4B64F309F8478845FE5DCF738B903797F5A4A917278E31D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GR8GALRY.GRAMD5=BDCA0FDD95D739A849EA4CA4D0D4FBD1,SHA256=3FE7DEEE976B7173B376EB91D408918A246543C2D7F5B4D0737280BC48A4B208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXPTOOWS.XLAMD5=35C69BC4D13E0FB56B11881644E33C2E,SHA256=D07226C44E1725A66FDD97D5D928FF4229BC6A98D9E0738A792B639DE0BF5EB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXPTOOWS.DLLMD5=0DC9562612511A2B4B890F3577344E78,SHA256=FADB15658486928C96E687F60337DAA635DDF011C88D23412235ADC8B1B88A7E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.211{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL_WHATSNEW.XMLMD5=13520ED38CE4B991082D676D8E44D702,SHA256=780075B899D9BA70E3058DEF63446CB27616581652B9DEF598DE28DC1C7DA081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL_COL.HXTMD5=400015616311620544662F434941CC50,SHA256=B37F3BCDCDEEC6291B7D1CDF3A3FD2708B212A01428576E02BB53ADBB47C0A64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL_COL.HXCMD5=0EAB28E12F1E6DF41B9E946EA79C53EE,SHA256=DB7E4ED3F202733F3B96A5F2301A2DDF0E427E275312FA76185FFEA0C6942170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ExcelNaiveBayesCommandRanker.txtMD5=CA37B262332F0F3B9E538073CC1A49FE,SHA256=BE39B9D62139B64AF46D69A8827DDFCC8C70DFBEBE01954883F612FB635C377F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.197{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXCEL.HXSMD5=22B96D9CEE3843641484EB3BF444A12F,SHA256=DC35237EE78ECF761AF8ECE07932DD240ABCCE6A478219B154295761EDD2F1A8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.189{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C76C2D385D8EF4B9DE3B8264D178D8D,SHA256=45F54C70676AD4324E6EC97AA19086DDD281FF6E9ECE60014BB8047A0D6600FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ENVELOPR.DLLMD5=B213476AD015BDC46E40579095DC2D71,SHA256=27738C388F8F12316FEA81A17BC5BFB6BCB8A973F8366C5F7BA3C2F5DE593269,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EntityPickerIntl.dllMD5=AF4775AA8FF8886CC76C65B0794B0016,SHA256=5571320A4BE4CFE76B3B19C72E4388347B982F64523036121434DF5D4D5656F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CT_ROOTS.XMLMD5=F343E48E929ED23D88B519955E1C56A2,SHA256=8AE1B7B720DF3D9B76D146A1858CB65927EEE190401808359CF84B6CBDAE9DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.167{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CLVWINTL.DLLMD5=C56091E9B2F2BE7A1F528CFFB5864B36,SHA256=EB64BF3662E518DBE532DCFEF096E8F9FDEC764F0E92278401592F43F9AEBE53,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.164{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\client_eula.txtMD5=E54D75D1D2848859500030E6A1BF5D5C,SHA256=1CCF3568A7ED6215816A612749FEFA8E3785E7F783937DF782AA3EAB8FEB5919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.162{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense_eula.txtMD5=1460EE599525B4C721792440FE369FB6,SHA256=1301B81DB0FC9ED37B74BD14B721D176C80F4125E130812CFAFCD9E178A7C897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.162{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2021_eula.txtMD5=CDBD2B3CC1E92E7CD6F697A89A9C134F,SHA256=579C7B14A68B8C90E1F40EFCE29488AAF4C42A61F68E3BE1B4B0908E7E53EDEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.161{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2019_eula.txtMD5=CDBD2B3CC1E92E7CD6F697A89A9C134F,SHA256=579C7B14A68B8C90E1F40EFCE29488AAF4C42A61F68E3BE1B4B0908E7E53EDEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_M365_eula.txtMD5=DBDADD520A224854DAE2B0DFA044788A,SHA256=5147EB65E7B771B1CD24D2233574D7C5615F74A7D15D44E4E72DD606A34A9493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_eula.txtMD5=55FAB09147C83C6183D8C8DEB466DE07,SHA256=F8DA1604C9FC26FFA2D849E669D693A5625070ED220985680160037B3B04C687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub2019_eula.txtMD5=AC154D8A3B1315E61E5905FC6FCF547D,SHA256=07FB57B9DD876615FED4EFCD8A0F138E69C935E952B87FF2F4115125E06A88AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientPreview_eula.txtMD5=40CBE55E651EF2D862CAB8E50630E946,SHA256=6CC04F306A34D466A7AACE6100B8DC7BBBA2DDD628E54B806091063F4DC30087,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub_eula.txtMD5=BB0DB45C09B92781D0EF1CA2CD32F18B,SHA256=A429C48FFA604AEFCFB4A742CACD7CA3C1DDE84A38DFB498C677CA6E1B27F977,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub2019_eula.txtMD5=AC154D8A3B1315E61E5905FC6FCF547D,SHA256=07FB57B9DD876615FED4EFCD8A0F138E69C935E952B87FF2F4115125E06A88AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack_eula.txtMD5=48E7D4A8154B5D4421664066DDD1685A,SHA256=5509FC4ED3F1FE5C35E6DCBDD4EAEA0C617D886A6C756078B8EC5A520DB01A99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2021_eula.txtMD5=2DA4F091701534E85B8F277FE8C7BDA6,SHA256=1622652767D60E46D9B7F6D66F123165671C3531331DBBD512F77D55EF1B544B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.153{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2019_eula.txtMD5=8C19D287750807D3AD86903C192CD5E4,SHA256=E33CB6AC5C64F7EFE958E87ED6F4F96563E3AA541EA96E993AFC5F5B64464478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.152{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer_eula.txtMD5=8FD374C4F2048EFFC4934FCC31D2B81A,SHA256=AC6A8306EBB2437D325FE8D82BD92BB9DEEB5DFD2D62F4D8F2D8AAAD888A0758,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer2019_eula.txtMD5=AC154D8A3B1315E61E5905FC6FCF547D,SHA256=07FB57B9DD876615FED4EFCD8A0F138E69C935E952B87FF2F4115125E06A88AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2021_eula.txtMD5=7D5FF303CA4BC979EA3291D94647FA31,SHA256=225D68F3826A8F8C3680EF65D2F2674D6CAE8405739195A777355DE2BF02D5B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.148{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2019_eula.txtMD5=8BC382F5C7EF62C994061019EF544A3C,SHA256=118C396755991EA839015FA7C222AE8B45EE8DFD1F5E8EF4513B5F24DB09B792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.146{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CERTINTL.DLLMD5=04F30607392AAC967E47814C454A7FCE,SHA256=A5939C5AA065CA98ECECE25BF0AE20BD161ED976239CF386C6B868D2C5629544,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.145{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BHOINTL.DLLMD5=0FF11D2468AA141034AFCA0D4E967666,SHA256=271003A22F102B18240F97F22A78F63E14A9C3C7EE4DB5D3AD784D2FB410205E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BCSRuntimeRes.dllMD5=AD7C4A642DC433D8F5E03563E47EECDA,SHA256=C65ED77EB2F2EE42DC0F43D9984DF09EC0B9418F4E75744EB720201A98D2B764,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.142{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACWIZRC.DLLMD5=3909A3918E9F4183CCFB6C0739A9EF70,SHA256=CD5A214573E59920C1C1D51F61051B92B0285132D6A04706D28F93E0736E232A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.135{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACTIP10.HLPMD5=030C1826C426DD6EC659013544D40F2B,SHA256=F4E2A7FF9C9FAB3C94556E10241F470FF200F20259D4C898B96C8B5516CE7A62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.128{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCOLKI.DLLMD5=5FD6632A485849E622A0FE4C624CFCF5,SHA256=32EE77C8EE0229951F455F056B9426413F0A3690794EE9DB11DF44752B5CDD3A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCESS_WHATSNEW.XMLMD5=0C9586700D66A72C7AAEFCB142E09584,SHA256=06D262200A1B09B7E9AF77C6E160B7D4258F433025ED1332658A778CB99EF1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime_eula.txtMD5=D731F3C8B73EB9F30B1881D0EB95AC53,SHA256=92E45F7F48EA0458B448B091ED828C1C71266938A08DA727C7172D2A097AC04D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2021_eula.txtMD5=AF56080679AE701909604D6A8DA0E358,SHA256=9D3E4B70BE8DF9D13E62C50DAC2DB6637A8197CE14D1FA8B2DCBF85B16854FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.123{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2019_eula.txtMD5=79D594F981B4EEA2FA5941D30A55A576,SHA256=0AF4B6A3C4EA9213913660BB152A0EEC55241B1AC77FC72C99F777A4EA394F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.122{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCESS12.ACCMD5=27C2D3E6786CE78F77F45F8B6AEEC97C,SHA256=A48208897580355DBFD87FF55D3AFA5153F359F1B70F9FC01770F5CEBB7BB814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.116{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CDDEC7DCA3B6CCB41A40613FB071AA,SHA256=607924D3686729612617B2BFD6E1D34B6B9D31627122CCDF38F66B123227E0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\word2013bw.dotxMD5=9341EE5031DCD4E2F19D4851E144CFBA,SHA256=086F00BF7F0E1F677B3DED5F1D7C0012D18084B6ACC72A5341AB44051EF9EF83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.111{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\word2013.dotxMD5=4A6393AF61BF1DC7C92A6A715C938263,SHA256=FD625C6B304B5B8172866072290B2BAB627032EEF94E836931E6C7260F22B56E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.110{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\shaded.dotxMD5=AD64BC506AF0A08EB09A04AF6E6A97EF,SHA256=0F113AC162264C1B9C9E28204706593A9DF88B8DE3098688FD77971ED0D92936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\minimalist.dotxMD5=AFFC0CDFFAB09601FBEC3925D2F92EB8,SHA256=719C4E5A817E3DDFD12FA1663CBA8D08819082463DEAA47B5D2F98417BC1734A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\linesstylish.dotxMD5=EBEB95BE1C93DD48FB7378C317E1A805,SHA256=593F169990E6046ED850D975CF30A2C6B8039ED425AAC36DF4E1F720A2A24ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.106{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\linessimple.dotxMD5=3438E6F7F494A5C633F94486B635C7BD,SHA256=3B1A67DDD452CD860CB84C4B1B6C885B9819C45F253C3E1D8420879389FCC0C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.105{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\linesdistinctive.dotxMD5=456AE30E6BFD0C55F1244D0DBB9AB9B2,SHA256=C8240D580F781FA1EE5ECA7052B046DB4FE21434A9BBAF903A5C15F9701928FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\Default.dotxMD5=C4BD139C3C4572E8C814C02AE557C8D3,SHA256=DF48A1E8AFA8F45B53FF8EFFEA1B04DF26D73C5770B08ED801D80B18A075F301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.102{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\Classic.dotxMD5=BE6B30BC31A915E6A19A7F4A7BA0D46C,SHA256=DD6DB88EE73C8F7ABBA26D6260E4CA37EC29780F5852FF8622E9DC6A0662D9F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.101{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\centered.dotxMD5=8355ADF3C49D9EFD277C498537BABA2B,SHA256=94F89A2D53DC3E27FCF66C3D4BD7EF4CFF7C363101A92FB165A38B9A05ED4E6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.100{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\casual.dotxMD5=47EE35A98FCC235BD91CB16AD52AD9FF,SHA256=FB28DF1D8B8E6B5838C024936F9109FCCB6B8E768EEDB98A70F05655E93F0C87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\bwnumbered.dotxMD5=3C6153193A6219B2DF1E8749EA359EE9,SHA256=FC3C3DE1FBB1FC0B9F856D7D64AA60493C03A34499451DC48B47F2078C5A3772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\bwclassic.dotxMD5=BC1B5FF467378A292AFF16F8EEA44B25,SHA256=2379A8DC38C65B4B030AFF40368A83760E349504D0682A737214BA687BF32502,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.094{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\bwcapitalized.dotxMD5=A32A19E6BE93033FAE8E47B16D1DC329,SHA256=03D0506771BF9F2F70A916211B783B42F2069B90A2EB309B72884AE539604E90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.093{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\basicstylish.dotxMD5=4A4DA62AF5E0A6567EF77FC5E993FB8E,SHA256=AFA7BCE1660C75249E8E0B245E29A5C4E7FA3006E090638EDBE953A772F664B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\basicsimple.dotxMD5=8AE8E84A0B3C5EF82AE7DC3497612738,SHA256=55D34ACFC2D724A54AF66C227C95ABF0F430D7C0EB7C0617C350A70C6158DA78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.090{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QuickStyles\basicelegant.dotxMD5=BB1EDBB3DB7FA3B0F97E53A15C5714DB,SHA256=E3F813BF50C5B35B775AD7C33E1E90D87C4E3FAA7B23237EE2C56474AC28880C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.084{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR9F.GIFMD5=8BAE1D711C55EFC4A52D316554A2F2E5,SHA256=DBDBB7B0EBA8010A3641B84CE230CD3C155CA3BA05EF160248AF8E5144D45F66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.083{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR9B.GIFMD5=FFE541A50124156776D45AEE2EC73B10,SHA256=599DFB85BD219D22BD2BB72F66E832313CCD9B86C5B5B752290B452C41A25B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.081{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR8F.GIFMD5=FCCDA913EA185FC6282FD7EA4E216CA6,SHA256=C24C6414BFB29FE26DD57131C724BF57CE93B2AA168247DB85659496A52FB993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.080{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR8B.GIFMD5=372477FAD67409029AA4C88A7C4C2178,SHA256=F249F0D968B9F9F95036F6735FB8081FF9F7C96ED8345EF743F01E55D79598AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.075{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR7F.GIFMD5=96355B42E1C8E464C5245D0DE38D2D24,SHA256=8A4EFB6455827E97F88407F39D7E238744D943D798096771AE59ED30E6FB6241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.074{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR7B.GIFMD5=6E1E956DE338594194E5CA8318E15D14,SHA256=2CF5E526D0A84B92C165EFD3BD1C425908B68363D5E47D7D82478B2BEE6EC451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.073{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR6F.GIFMD5=5B363872B18686A9AA9AE99EFC05483D,SHA256=70F6075E3DDB1B490118810929CB822CE27C7D28A8AACB770B78EFFF1C6CF307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR6B.GIFMD5=54D8E52DF627B2563C375B50ADFB2316,SHA256=8F594F26182A1DBE9A119DF8CA66950D2509C68A9FD31FD74B95588B9D747BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR5F.GIFMD5=ABA0D1090B656A5DFF0FDB477FBC7703,SHA256=565DDEB7328B309759A8B544C41B645174AA5AB0EBC2536C92F5C47C01C9C304,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.068{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR5B.GIFMD5=6CB299B11E998A121BD154C3FC213D74,SHA256=E23FC8744E7F6BE93D9B4D93B9DD457D241C76CF162296535D83A4CDABAB655D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.067{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR51F.GIFMD5=9CCE5EB3159858FA08CFC9A7A65EF364,SHA256=5AF00198104222D16CBE0C4BFE389A4541A7C6C1C2A1661E3BF89C4A1CB4EA0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR51B.GIFMD5=D3350E0B1A37DC326867F327A30FE509,SHA256=C4FA8427A408302293D220E4F7130AEA454D3F93670F5D8EB7CC7B339FB4ACD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR50F.GIFMD5=9F85E7CBCC41663653B8CD40CA41E8BB,SHA256=DE33D716F8D57644E68CBD0922A4A77566D71D8B59DB34CF828D8F222CDC07C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR50B.GIFMD5=C64359AD2D98C5B710500CED02F926F4,SHA256=404F48BC82E71296DD07768FF4B2747A0932E7EE98F14B0BFBCAE67336265796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR4F.GIFMD5=B8F81816ACF4D2E496FE589C7A9EA51B,SHA256=2D5CC1D584E0C5874A0284FA52AFB0DAE1E36053E0A7BB45DCBA01B9DE6C69ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR4B.GIFMD5=D8324DBA667259DF7BFFE26BA1E4A21F,SHA256=542E68FD8F49F9F14D699F324D7B551ED243E00FBBC0386EDC3E423E88586F4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.059{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR49F.GIFMD5=AD152732BB1BA7620F6E5355F84FD515,SHA256=6CB4E779EA0D91C8461302BBEC8DC34CBF0C7D56A66CF864FE8327483DD5473C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR49B.GIFMD5=BA25B44E558C03FE9D207F1D0E3D8F7D,SHA256=A6F864A21A1FBA44E38D0530DF41881587CEBB72EC1B836ED2D910C4B2E3F534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR48F.GIFMD5=7DB2A2554734C284750FF81BA9C235E5,SHA256=8072FA04BF686071CF517DC6FFA99A78E21808CF7143EB487089DA53FF8C8AE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR48B.GIFMD5=8102C5186EC6BA37FA22E6E1D6FCBD32,SHA256=D3CEB27F60768E5E7136E3699CDD2C0826490E3E2EF0F930CBA1DC82F2BF8A16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR47F.GIFMD5=D1C23AF64AA38CBE2CABB92F197968BD,SHA256=3F5FCB713F907418C272C3E75529FAD00F6A969A6332057ABB0458A0CDBF9445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR47B.GIFMD5=B44089EC2B255EC88BFF452AC06CE678,SHA256=FDDFA01D62825A89267AA8B40E28058587BCEFB215185E7FE63231C246C321A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR46F.GIFMD5=002F3F1D507BC5559C905C6AEFD0C209,SHA256=C875E380B985CFDA2F769B0BF6ED7B1137CABC7813100B933A8E820B260F6890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR46B.GIFMD5=1DDE314BE046497DF0069B9826683248,SHA256=155B0EF130152ED7397573BB99C9D9BC539D8A9A8BDDAF0816F5F0D726F676CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR45F.GIFMD5=A04E1EA7E69820315C8E037DDCFF3385,SHA256=66C5CAB1C182C61FFA9621900B72E5DEB0B28D1DEFD5434BB338B1642B11AAE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR45B.GIFMD5=EDB3EBD11F274FE2416A2CF0AD6DA376,SHA256=AB9B2045023C0C8708B13259E5FAA96613731C9DBFED83AB34CFF96318BB20E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR44F.GIFMD5=EF5EE185C312394D8B75F359FB548EF7,SHA256=A8195D35D5E3AA75804112AB91A101535D5AF27686C9D6907CC066A5B354FA72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR44B.GIFMD5=B8D2FF7B3653ABAA8BB696721FA207D5,SHA256=8E7844363A003CACB25C47DE6402065758383D6E08C6F6429A837B498C77BDB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.038{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR43F.GIFMD5=577D82A9304EE01D88F2795026208A70,SHA256=9C297061A56CCF6EE57727D7B201DFF03B68624355CAD8602C85439A17E1FB07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR43B.GIFMD5=569D56AA7A86C9639FADAA057AD464CA,SHA256=D222D36FE9D20BE1176847F48BE15DCEA3E62F3219715103F79C169F165784DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR42F.GIFMD5=776856C5865A4A55907B9E2C3125547D,SHA256=42B1A09613CE0C247780B1BC59AB0F9266DABC9A437C02448DCAA583284578A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.032{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR41F.GIFMD5=3A067A00BD89D38E63CA896C7E4C44F7,SHA256=8F4C156C000C8CAF38B3B8C455B9526AAAA12EDF268501952B24DE5173BB9A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.030{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR40F.GIFMD5=9F887ED097C92EDBD2B67F536A99CEF4,SHA256=CAD4D1CB287CB763EDA27403AB7B85A79A0A45CB942D2B6C79919BA13963C43C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR3F.GIFMD5=5930532EEC57BAD95C4DDCA3858C4945,SHA256=6939A4FF6DD366EF1BC8CA5134DA3D5B999BEA675698CF751CED11E88D3F52DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR3B.GIFMD5=5D92725C18C1FC2867D062A374F91069,SHA256=0BE1631CDDDA4AE4A8029EB4F446A23687E18E584FA69AE79D504B2BA4951E77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR39F.GIFMD5=AFF2AAFBF875469E91ABECD3F8D9118B,SHA256=2C929F9F5628028C525085F979AAECD96E4FA992304526D163AF2CF66A2D324C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR38F.GIFMD5=D7CBAD9E7F145C299255E1F2A34B4E6A,SHA256=0EA3FBF6ED58CCC3AE1A8218C74381C01C8424115C94B341C20384C84402309A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR37F.GIFMD5=90D13072DD9CA64B3F6E2DCE307B5034,SHA256=2FFAB56CA79F0FF1661B33CC83C50F27E11C35E4094CC43E53B42B5E37C684E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR36F.GIFMD5=732D903AB49B32A0F69284A6810E2ECA,SHA256=E9363A7CAF235EDBB529F5AC89687764879B041E24105964BA0366D06E00132A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR35F.GIFMD5=94A767495F3E888320452258EAFA61EA,SHA256=22AB67C8A1DB704C3F61F93FC3151E9982FB5238F49C333ACA2C74670C12A61F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR34F.GIFMD5=246DF5EB8187373F985EA1831D60DC5E,SHA256=D159DD7A6F74402A51225B2E02B6163D4C054315D86799C79005E38A4CE58B53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR33F.GIFMD5=F1C8835E2506156952DF22ECA18A374C,SHA256=CB34DFE77E6FF03AA5CB13FA1B2BD723A357C06D0F89C86AFB40E4FBEE84479A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR32F.GIFMD5=3F14246123471010B62048AC85D87F98,SHA256=35EDBF5D3D7232EBD0E3C19D7F98ED54F90F823E3CC0FB56DC663E3508CCE9A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR31F.GIFMD5=B44B25837BEB5D1CE68C6F8F1F8DF3D6,SHA256=7DF05362415FE0ED5B71FA8AD01846F4FDDC6808787DB7555D7E41FC3EA885AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR30F.GIFMD5=AC82CE08DBEB38BA8FAA3C1282CEE5FF,SHA256=88A6F406F1D137C86DF3AC470B6BDCEEBFBE3F3766B1A46F207EDA1C5B35E4C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR2F.GIFMD5=4567B85641B1DAC5E84F55A4A4992A35,SHA256=160BF54E0832A493ED75E3D2429E82CED691537F0F76893EA80E1C893568927B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.005{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR2B.GIFMD5=141D29A00D3AB8BA171DA89ACD34381F,SHA256=00899DC108A62A571A5AB1ABF64125D37A5DFD1931228A89C260600B12689FC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR29F.GIFMD5=E113204A420A6CA09888FFEFF038A3B1,SHA256=B391650D307B9418E6B9BE26E6EFD3B3717100198C1F284282B16E138FE933DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:16.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBSPAPR\ZPDIR28F.GIFMD5=DD52F8EA06423E3276C47B39A42ACFAA,SHA256=2A8A3440502B74A919A3955059E040174C57034B1A7BB3B6C7BBC60F658C6B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.277{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52699-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:15.277{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52699-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:14.857{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:17.803{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7E40593450FAFFCF21B0A2A39915A,SHA256=B832A110AC14B02CF45DCC9ACC50F42757D9C67353B49917528331E448B00E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:17.538{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=082A59ACBCAA5881A7936A01E5D60913,SHA256=26F08754C4CF8B6CF9B542C3A924A11A5A9BBFD7D9DC2D75A8ABA4C46659C8B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dllMD5=B9B706C98861988C5106A7D7FA7CFD52,SHA256=0766748974EDE22E44F6CBCF47EC871AD183DC4C72AC61FF460A1F488BA49A1C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dllMD5=958DD06668551C7EC134B144E1552A5F,SHA256=69C31F0B2A7DBED0618950A9C4D8F81D95DC4D216D049F42EBB2CA3F514FF716,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dllMD5=C56C0D274586A8F2201052E7F9F12174,SHA256=0A018F58A390F4B6ECB78467CFFAC0BE5672A6A2A69568FBB5E6AE784ECA7C15,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.783{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dllMD5=AAA8499C07F3AEB6238033B687C87C19,SHA256=8F9834638CCEEFB2C1DA9C3E5CEA9F2B2864936FEB856E4554C8EE171C23A4DF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.783{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dllMD5=2FCB5C297DFE24C6387710E98A1A0A9E,SHA256=56A018A1C8A3C559D04F7DACFE0936094A0229FBAEE19EACAFD213A389FC2057,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dllMD5=359F0E9B93011F95784828E334EC49EC,SHA256=AFA3C09DC7A1BFAF794C1566DBB7613F8BA7DE72C5CC7E55B785DA669DEB2466,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.703{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dllMD5=460E504C89F296E99454D1E0CF67079F,SHA256=AFB4679A8F5D014B259E52329B0E1CB4EF3DB408E9A4FE4732FD67674FD995BD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.703{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dllMD5=24159FA5F2F6E0848CF2586D0DA8E2B1,SHA256=1952C93328303CC92E947800BCAA1E7F579DA3154494270E497E1109F4441268,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dllMD5=3DD4579376A10BFEE264AA2DBF2E62AE,SHA256=075643955CE250A0C530CE7E6A2C8EC9DDD7CC61D96313CB9408870314E4D9F7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyClustering.dllMD5=F3961B23089EEEA0C82C8A7BA3FB1188,SHA256=5CFB8E85281B259100E3A4E1BEC934F555376698D46E309B28A4B81159D537E9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.672{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dllMD5=5A0F74EB21AAF10F09C330DD3E925C28,SHA256=D3802A8425BC7EB46D64A91BCEA235904EF07FB30AD6C10B090A55AD30DCB57B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dllMD5=14C4F59E995167E93B831B64013B5834,SHA256=0DE20D1ED71FE7438147CD424AC987324A4AA6103C7B7B024378C187E13279C8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dllMD5=4800C92A11BD1C804C454EAAE106601C,SHA256=7EE17FD976F8A32554D54FD4E7135751F00B9E193E2EAF1352D0681C9C2D0CEA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dllMD5=25FB20E81A8FD9AE24A0905AD11D2CB6,SHA256=A5B07480973750E12BF8D7D8604467A6537C9A0E9DF78148E2276814F5973767,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dllMD5=C31B7C69F89A1A10ECAAECBEE9B51662,SHA256=411D4774DCFC78E97405A87B6B4A35819C2C2E25ADFD4CF7012A4B88EC2149E6,IMPHASH=5DBDDEB74328804FEDA79320977C4600truefalse - insufficient disk space 23542300x8000000000000000327465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dllMD5=D01BEB7BC16872ED93E23D1A34260008,SHA256=DAD592CA7387D602008667C990001C57BABA1FF2E814FDA54027086ECF8927EB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dllMD5=BC9819835281B94C21CA20A973B2D3CB,SHA256=6D16405CCA5A74B116F7423F25A5A1BC9CAA1CDD3C3C6DDAD54F9E7B0790C3D1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\OTelCS.dllMD5=53C2AB58D211D446D950F92142B6099F,SHA256=63C9DA4E5D640A03A41C6FFCFA655372D6282B95D60CAC1BA777ADAB031A4558,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\NOTICE.txtMD5=FCB9833E1CFE323C3D838A77ADA66CA2,SHA256=9010D879F1E84430D0AB96DA758251909CEADC78E0BD2A9BACA8D47C06476C4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dllMD5=6F4D1F345879BDEBBB5C0052550F7A22,SHA256=4DD30A6D3587494932CA6C62C14887B44FD408ADCA97F6EDF05AD6805DC2B93F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vstoMD5=6F9CE59FD8B7EFC1A34B4C1E3FD39DE9,SHA256=AB397E918C1C5FFDCF208E90942F1876AEA5A9F5B4E6389D0A67A5BCF487A75D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifestMD5=7DACB2726ADAFD6406557303262D54B6,SHA256=DABEE600E4C373B075E6DC67C018BD5113FD9439799A0B8DDE95BC11D159B7BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.configMD5=6A161594D650A9562E63E71A0A2C085F,SHA256=ED4BA65F501C6A40D63A22EC42D40F60BC13355C309989E181A2427A751DFFC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dllMD5=46D8C1AEAE84198F149037B5692F9838,SHA256=445C532980F2CC2F3D9D8DD6ED78922B10B6DABF302882D16A6BC503B79A7F6C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dllMD5=D668D709A794C234BE55FEBA100DF628,SHA256=CBCD363343ECE390A25BFF91DE6FEE6807A166D6673A3C11451E479CB5A294E8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dllMD5=12C66460D94E0A0E2B2B0B2077EBDF6C,SHA256=0398680AD5983638E6F815C91DB1B8058E2BDE99631D99984C51AC09F4F8F144,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dllMD5=4F5E58AC14608F41D1A56868DA754DE5,SHA256=80C8843B66CDF4911A983512AAF0FB28F410D210D41374618D8A77142B20F4C3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dllMD5=E0668EE3A5BB75FF94179559CEF81BE1,SHA256=8721CE35FCF3AF59B2E8599797CF2182ED6BA2CDE5757C82B05B144008D2B59E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dllMD5=5E99F4057EAD3ACB48EACACDE7836E8A,SHA256=F57EDEBBA5F25126D82D33D479FAF528287B53FF12919563368274BE17460CA2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.Json.dllMD5=675A54571C7689D3870F792C73C50DB4,SHA256=5A6F1F5485EF04ED8AC4BF254A0107978DF6467BC8F99BE0B2F462F51D653D7E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.EventFlags.dllMD5=A09C8C410FE501CA0E6F9C5753D01610,SHA256=63C3C56EDDB43BB44B0DDBFF6C59EBDBA6AF86ADF525D03E89C66C7AAE302A93,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Extensions.Logging.Abstractions.dllMD5=0082337446EF22C7F31109CEF8BC898B,SHA256=978D72DB023E6CD6CB95E44256D9ED170CC8A4FB96ABB8C251F9FC22C2C2CB62,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Workbook.dllMD5=ADEED58CB0C5F5B69908C7334CC9F948,SHA256=BAC5A898D37BEF1C9BD4875CF054F479BB33DCD8EB764BB6AEDD32ACD3AFE744,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Views.dllMD5=65B93A2960C63D194BA55C1519F53816,SHA256=23686254E107F11BC3461DBAB4D758D2B33E8115B00ED9042FF01ED71C73F763,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.UWP.dllMD5=250E48C615E4AB64F90C5F1215C34A87,SHA256=65377BCF72086144FBE6C3742F0AE71F6B636C24239C72DA2944E66352DC8F6C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.StreamerUI.dllMD5=77F3C539FEE4492CE55BE79BBF0AABCC,SHA256=6C429ADFB2DC566A4FFA27A71F85986EB5CB33019944AC4322DAD0D86896422D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Service.dllMD5=5258356B91E336CA7F551F4E51627657,SHA256=B5A22774BFDDA38829E7859811DF3A15AAD3A0B146C499C22DA4D1A95803DDF2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Serial.dllMD5=BF985E9E52219D210B928C4773362A52,SHA256=D2A4FBDC232DD9D1CE0532A284FA329095496777A794328CC6FA828640C01FCB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Manifest.dllMD5=E33E2E020C5DE0D562649DB1B5A9104A,SHA256=37E706C265363B8130111D269897915ED077902BB41FEACC0E3FF95A4E6D061A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dllMD5=1686DDCBFD86AA58F0A889652A8B7C15,SHA256=2367761F74B0F8CC98827C12CCACF59808215A8E53A96525FB04CDB22876729E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Core.dll.configMD5=67816A156BFB3C011911B1CAE743A8D1,SHA256=0FA163A247412EB78C0068BCB3F964CBF085FE8A1BD3783D63879B2272795718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Core.dllMD5=03975EEE1C5DA3283BDF1316820D40DD,SHA256=AA2A22A9039F3DD8855EE27791C5205CEB053A591E44BA69421A3DEE0733441B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\UTILITY.ACCDAMD5=E5D3197FEEA8A28AA5CC0F32C25A6A60,SHA256=DAA8D5EA269FEBC23D2BA34AACB4B4A970C13693802B5710849E0E37C3987AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\ACWZUSR12.ACCDUMD5=3B5EEB86EBAB85A6FB1903563F9CA0A3,SHA256=33402CE4A254A64CB6DB1DC0D0BC690970F14B7EC45DA2708A63AC5D47071B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\ACWZTOOL.ACCDEMD5=8854539DA82FAC292DB135F3332B5E94,SHA256=BE99D146EFDDEE3A851B815432280CF95C3D1A5813631C514F6D9E27B0FC81E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\ACWZMAIN.ACCDEMD5=3C411DAE571EB53AD0EEA8DD89DE0005,SHA256=1E9317FDBAF7DC614ED0DFEFB5BF7EA62AB856BCBBCC65147E0EE164E8F7EB04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\ACWZLIB.ACCDEMD5=AA56F344E71B9EE31F14E6D51788E2D3,SHA256=DB423C828A9ABDAF9D3491F1EE6F5E6548E0FCEA712988AC9CF7F33F1B2531D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ\ACWZDAT12.ACCDUMD5=BEDB65DF66250A92069604B7BF6004AF,SHA256=E47B6CCCF100B5EDD2CCA96E8F046A2AE26EA772C5194F94181CAF423D94C222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AccessWeb\SERVWRAP.ASPMD5=FDA52446B3D2C84EADF1A223CA1F22CC,SHA256=E779EFC2D1753210D5371F0595C19FA10E6DE9D39CE9D14BFA0631E67BEEC4D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AccessWeb\RPT2HTM4.XSLMD5=2B7FC1FC195730C1786CDA85DB2B3E9D,SHA256=BAF530D2415B74F67513A7497B70CF258AFFE02B8C290E902D7CDDF9C4ABD00E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AccessWeb\CLNTWRAP.HTMMD5=3FE9D091A2BAB8C3D5E0AFBF9A9F4137,SHA256=7CACDE7FECB7AD78A3643B937B4DED0E509107DB5B8E2CE181CC3B80373407EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\3082\MSO.ACLMD5=15DB663381F67EA3FE2974D70E88BC25,SHA256=3845ABED9923E2D4E571D2F8702083B4B26957BF51D5C958E6E4BA0FBCF89547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1036\MSO.ACLMD5=E30707FBB38F089FC8A7C5DFAD1B00AE,SHA256=4429EEDDA422DFFAED4C2009E17D627AF57331C0EE9DD4787A69E8BE10FD0CD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLSLICER.DLLMD5=5AD244E3827C2C5BA79E578B945115FA,SHA256=0F5472638D93ED39C2ED8EEF26FC0951631DC3B7BF5E1CD2CAE512F520B8DDE6,IMPHASH=100A472A10F7F96BF72CEE03314FE3A6truefalse - insufficient disk space 23542300x8000000000000000327426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLMACRO.CHMMD5=3C7D72745C1714DEC0AF54B00FD422F0,SHA256=8DEE9F556EBA3EE3707D687F45A4246CB4F4A437F7AF8A319F9A85B331678945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLLEX.DLLMD5=322B8F2B17B540402EBB2D4EF332234A,SHA256=D499A5E17266A2810DF1D36002B579622ED82B774AF922E596B7AD5801576737,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.188{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLINTL32.DLLMD5=CAA30D79BBAF151F8FEF9E155D07A190,SHA256=AB525AFA1B13EC2698B36C4F154715396D5C64CADAE0DD0E563D8D1813638A64,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\wxpr.dllMD5=A9B140168366274458EB4D5F50549F38,SHA256=716B9B3131D6A493437E5A1E6F4FE77F7E42E258EA1975CC1E52C01B4B29D683,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WWINTL.DLLMD5=E639E6B1098FE1F98DE3FEC39E34544F,SHA256=8517A86B001282D6255B419A5EDD63FD1CC772EF01D6DC6D649106C738DF927B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WORD_WHATSNEW.XMLMD5=272DE202EAAB37D7A367985771DE6FF9,SHA256=C1CFF07E008E4B8FA72A6ACAA6F93F44A7ACDF4942A799BD55E5426C000D4DC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.157{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WordNaiveBayesCommandRanker.txtMD5=410C44D2918C15B973FE0DE194E3DDF9,SHA256=3EB829895DDA5903305055E8BD03CB1AAC0E8639AE0BAB14E6D1732B2D29350C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.141{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WordCommandSuggestionModel.binMD5=D0F07455A947DFB4733E90F88D861947,SHA256=1501919149D5BAABEBD1DA475DDF7377C37CB9D7E85CE991AFFDEDFAC8BA8B67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WINWORD_K_COL.HXKMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WINWORD_F_COL.HXKMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WINWORD_COL.HXTMD5=1272ABFF2491787EDDC808E0A94F4772,SHA256=85A672D5832D245B5970F77EA4643DF4D34EA7FB55AF0BE9956478683C917851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WINWORD_COL.HXCMD5=1E96F4C8B4A487B43C87FB3E490D0DBA,SHA256=1734CB5FC09E6E57813FF14CD2EECF37233F042BADD62B6750CE23FDDD0C0751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WINWORD.HXSMD5=01DE1ADE9D3CD4C82B89F1DF40E4E5D5,SHA256=9F513011C520C270A0CC0D56156DC43D4AF151878DB2D81D6CAFF558B3FDE55E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPackEula.txtMD5=04D4DA8275B54ADA1370AE4A453F3D9E,SHA256=E6C078D58B95F8F3DB34EB6969C521CF9E36F066C6E29944BF2307929472E18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2021Eula.txtMD5=04D4DA8275B54ADA1370AE4A453F3D9E,SHA256=E6C078D58B95F8F3DB34EB6969C521CF9E36F066C6E29944BF2307929472E18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2019Eula.txtMD5=AC154D8A3B1315E61E5905FC6FCF547D,SHA256=07FB57B9DD876615FED4EFCD8A0F138E69C935E952B87FF2F4115125E06A88AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\VVIEWRES.DLLMD5=43C132FC45AF051FA9EFC90AEE9DF35F,SHA256=ED84F1A111452F68E8CBAC1DA07F529041C4FFD4CE90545408808553FF9C7CB9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UmOutlookStrings.dllMD5=67FCAFB32F7AAAB8CC7454EE963D50D9,SHA256=8DB8B9A165AE52152551FF56FE78C558DF7A12FEE5D62A1B98CE89F5592C9DDB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.095{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UccApiRes.dllMD5=95287308E940A982AFB3012A60A0DAA0,SHA256=52B32F1080965EBB332893A7CC5854AD1D08321CB4D1B84341D2F2BDC7AB1BA3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.090{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UcAddinRes.dllMD5=1CDF0EE4FCCB6ABEB64DE93EF6FCC676,SHA256=9137E311EFEFD49A68399ED0E090902ADF5612D49E9B9DE295F90B8A7407D1C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.085{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeWord.nrrMD5=0DB3A76839E619352311CCBAD4147889,SHA256=CD27CF0FBD7C474EB437575748213AF21D4E9056076DCE2C91D2B7416C1BD742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.074{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMePowerPoint.nrrMD5=24C4364F87E37A7D57CC396A262EE87F,SHA256=05DC8943DAAC95BC6E4DECB9CED9D35D253DB4DC0B7E34DB640A265CB3775F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookTask.nrrMD5=CA07971F20C033C1BC09C840F44DADA4,SHA256=05D9F9086540D7932FFE74DC5AEC1404D6E5BC0007A20C1BD95BAD5D82EA3AD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookMeetingReqSend.nrrMD5=B058FB0FAE826EF50237117FC4AB6C34,SHA256=D16A5DC9B20F4829D208FE05F597C41908E409B72DCDF5D293FB35092819BBB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookMeetingReqRead.nrrMD5=81E0A0DCEAE8C0F9C67FB4DF8E0FB982,SHA256=4840F84C0AE270359321A3CAF181722307842800061CD2897B2612C8D6E45EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.044{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4183CDE19D9DF0017A40B5A71E153790,SHA256=A219E661B9A6236DDD3D01406C02FFF52B72B5C3A81022A78B4E540BDE0ECB2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookMailRead.nrrMD5=5AB0EC6C879AC7F36166FB7633C96602,SHA256=7309FEC7216F210FFDD62EA0510746442AD7739AAEA32B9B537DBFBDBBCE13F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.030{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookMail.nrrMD5=9BD3E0E686961B71B8BA352A5631DB4C,SHA256=200619B1594C0133CE0CEFC79563A0CC80592C01B3AAD6AEF1B3EE2F5DA5B0B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.022{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookAppt.nrrMD5=13459F1F5F791720C64D9DE5BDAE96D4,SHA256=1DF9CF0B7C1F45C9F4D4493AE2F5EC6D8CE80D067EAFCF27A02C9A1C34A757C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlookAddr.nrrMD5=F42586E463FB877213DDC94F07B83F95,SHA256=EB5348C2B9144194318B6C3B28BA71F94E2FB12DFBE37CB4D5681919AF39FC15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:17.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\TellMeOutlook.nrrMD5=7F5270E7CF8E3349AB18B72984EAD225,SHA256=579CA025F901ED3E7322B8D1038609A034B98821B105929690292767483DE301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:18.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dllMD5=1AFD4BDEBC56A65FAEE7B602CC9CF9AE,SHA256=8757894F5E4BEFA25C107DB8E0788487DA26A463BA94241015284153B09BE1F5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:18.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dllMD5=F76A757526AF189C728C9B7E3281C828,SHA256=8A0B971E50F66267796B9DBF2EC6C73EADA04CE30C5D40019B3282B978239D07,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:18.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dllMD5=A20FEB6C14D53C20506BE8ED5B6987F6,SHA256=98D733FDC1EB45F14F06C59F2C3B504ACBD07836BA237955705CE9D72AF96EC8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:18.113{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACF30029F64014BBE9ED81151AB52EB,SHA256=AD08E16402340FEBDF974A7029D852FE3CC058B28ADED0BC8B239EF0F1C414DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:18.113{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5795A69174B02BB9BE0E8F1EBAA4D4,SHA256=F6C7A47AF320FD84EAF5EE1485BC586F78F1FC5E5ED5CFE8A7444D319F01DDAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:18.879{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDD563E199D3B4BEFD3D46620D3C0DC,SHA256=1D87FFE12E0F50678797414CC65DA04B20529CDCCF6BEB2D6E01B215AD2FC361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.916{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5544D20F223D1DB9701E64C2D1FBCD4E,SHA256=32FA89666E5D9F31942C1D0AB4926E04976973CEE2BA1B8AFD0062924AA64708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.972{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLLMD5=764AA7215F1D002CE05EDA430B1C430D,SHA256=3F209CF541A9F1E464C81A1F5D59B2F3A0C66E29BD0F7DD327EAF6A346DFA41F,IMPHASH=2B188429DB7D4DBAD860431AF6B6EFE5truefalse - insufficient disk space 23542300x8000000000000000327536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.972{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLLMD5=5D1911E3C787DC95BB28156BDF9B6A12,SHA256=AC1293F3280AD1C9EEA490080EA861D1703E7A03686E7BD77D4E912A1267AEEA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.957{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLLMD5=3383E0E00F4E4D4BA02C57479E1F1DC8,SHA256=E18A45D51F8A329F62E9621434C659BB13A4225D5B9BC056FF311E8C036E01FB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLLMD5=8E105E5632D9540BEA0CC63C8B24AC27,SHA256=FAF3E5142D260FFEA6E3D05F8C22403F47A1D3B45AAE183FFC42CEF7B239FDFC,IMPHASH=EC47096C0EDE93118971098269DA778Ftruefalse - insufficient disk space 23542300x8000000000000000327533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\WebView2Loader.dllMD5=323311B1673282E13516B3836EDABA5E,SHA256=4B050C8BCEB70237B7C7FF8FE33C613BAA262599F980CB50B19604F3F509B3C1,IMPHASH=2A83D48ABA3833CD76509F4D745E10BBtruefalse - insufficient disk space 23542300x8000000000000000327532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dllMD5=1AFDA3C6A92EEC2E2DFEFE5268A3D510,SHA256=7D0DF9050FF2F3F33749D08636783BA7F143852AA97E9933ED458CDCDD29FC56,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.910{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dllMD5=C8794189509F6A3C4F81850927A49D0B,SHA256=8E9B87318AC68BC9F54C78164D242F23216A99B201BA3A5B7BE7BF72103FFD2D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.910{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Collections.Immutable.dllMD5=5F1780C6E49F9D6E0C0CBBD6BB596DA0,SHA256=4EA31037EE0D806E6A54ACD1918E31548912642AAD0CA7592A3B1935D9511D02,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.910{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dllMD5=296EEE442F5DC1940DBA73347B0244EA,SHA256=D253DBAD7B8B2623B540A1AD89A242160368EFE682E5D1DAC18EFD34E7B14AA2,IMPHASH=A53A8B8E66A0509D27E38EFF241A1292truefalse - insufficient disk space 23542300x8000000000000000327528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.894{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dllMD5=CEE1B9B22FEC7DCAC48E9818C58D2378,SHA256=3A8D59AD09C9663E6627514EA16C09A56E58325C482AB346EF56F8C41652B9C3,IMPHASH=8C1AD2FED6D0AD4C344A6471F8C76119truefalse - insufficient disk space 23542300x8000000000000000327527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.769{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dllMD5=57FDD8BE6071DFC46128DCCAD5E25863,SHA256=0194C022C826D59407487096D208896A2465BA1A4C58EAC1D1AB96D9C2376A7E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.754{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Newtonsoft.Json.dllMD5=A597809857310EC341DCED44E560E22D,SHA256=8A45E092895ACF479005AC5A1CCA000F3D5C15507035719C75467F5FC3545DD5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.754{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.WinForms.dllMD5=62FE60E3DE2888CC7D116EA14BF515E5,SHA256=9F59401AE81922628F807A2B541A065EB28914511A25B88433CA5BA6763D23CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.754{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.Core.dllMD5=00A80FC3922116C41503730AEAFD89A8,SHA256=17CA8F0235FF7FDF97C8D218C2C71C2A9F078BA3AB0999B960006FE9EC95E6DE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dllMD5=4C5755F8D6F68F642A856B762773301B,SHA256=B6E21E6460DB9E413D6AE7B5C7E9B4A705A40F96486B8D8217AC6172D0CC192B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dllMD5=7D223FD25FD65D7435AF9408B3FBA464,SHA256=28F63BA107441BDE10AC1DCED58391734F1C35E0E48775F81DF4058314AC8F29,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.ProgramSynthesis.dllMD5=3EA65B5D09BB05B254482268CD74E29B,SHA256=B58179AD5472C14096488CA3AAD285BA6B05B97FACF4EF78733CF7AF83033195,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.660{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dllMD5=FF9E69062D343B715828BD2F042509EC,SHA256=0BE3D405CB344C812B1BF390425734192321D1DC60FBBE82D75A54978D2477A5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.660{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dllMD5=7943B64237347F51833A86A304A1A16C,SHA256=0AEF7567B346D40B34924D78384A87FE382E37E9BFB5C95D493FCCE4E9289887,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.644{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dllMD5=4FE822F8449B6200A553D35410957C5C,SHA256=C3B724AC88C6F7B1F71D7D036508B323798E6B4315EBCED980B8AA6A2CFE178C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.629{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dllMD5=BB94D9EDE1D92E30550D3C227DFE06C6,SHA256=2243BED9228FADF7BB05AB6A874A8F1A87B02BB0ECBF207A81A1DD1DD5287316,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.613{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dllMD5=2C94316BF5402861777AE40C46FBD338,SHA256=260C841CB261133554D695DC02AF35C4347EB6DD584566D13A126AC1425F5C51,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.597{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dllMD5=DD5E538B58E1454CF2D96C76F6240CF4,SHA256=5A625EAB1FE91E8045B83143F115F530BD866C3D51960FD799E2219171A171C2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.582{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dllMD5=0D138FB2466A668D3990B530F00BCB39,SHA256=09028C7463E0C3BEEE71344B4D94FDC9CEA9F66CB64D587EB626A6AA674854CA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.566{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dllMD5=A9CCA3E502400EBD87E4BD7C492AB112,SHA256=1C588CF5B604B676C01E39CD0319A1AA04E8CEEE47C827B36BCDBC3761B37746,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.535{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.Library45.dllMD5=C7E6BAAAC025CFAD3B244C857A0ECFE1,SHA256=1AFE4394489B51C983BDFA8E075432A98BE74428E87AFC4921B3E0F8BCA9DD14,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.457{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dllMD5=71D96A93120D2C0CE406F0C45259EC98,SHA256=227A0F8AAA2881500BB4A6191F2D14D97725EC17E21BF560BDDC3078A32EAD24,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.Shared.dllMD5=960D0C92FAA315CAD69A449B1680BB8B,SHA256=74EB66B1B555DEA5903D1A1A59E98D90A744CC57EB7BA0DD64DCD3948E5F218C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.EdgeChromium.dllMD5=72A96B13180BC1CE5526863AD51CD2BE,SHA256=E196B114A698F1EF42A52F12BC56263FCE5B7984A0CB56D4D550C2B846E4C5A1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.dllMD5=FCEEBAC3A8607C30E422DDBE1CAB9229,SHA256=04BC6272B03C47F7104CB81A913815D428DE2DB462189AD3506DDFF3CA15B3FE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dllMD5=A6D001EFDB63D88AD02B0F48E6D5C8F0,SHA256=704A5E1FC9DEDBADBD2B34D10530CD13BA0F773FD60CB1CACDE858216A98E112,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dllMD5=D3B9A0D63893DBD4BF83DE9300D63281,SHA256=1A050AC33C8F7C28413C070F7BCA70317266527AE521FDDEEB9C0F40F4F09867,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dllMD5=6DE999AA99B450FCF07DADCE0B9E2485,SHA256=4B3B6419BC93193213F97D7CFE164FC50F0D2918C3AFBE1600625F4A02B6AE92,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dllMD5=EB33B62224172DBF65A2DD64FF29CDC4,SHA256=67E4FF78CB27F20E8C0F1609480A841F786E0C95599C8EB73976C8C5A83A1CEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dllMD5=80F38C6DF27368CD42C9DB86453143DC,SHA256=5008FCCD0D1F1E634235DC6FC199DA533A1CC32AF549EBFAEC56ADE341745D84,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dllMD5=40B9E6F518814C827B1B59849D90EC68,SHA256=D59985FC524FB7927C63CA5C2C064D75560AF97994952EC72CB79EAC88BFBAEE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dllMD5=5BEECEDD0EA527B5A227EB31E8547693,SHA256=E37260D20E8F1313EB9A882FED17DFC7D01C995FD28A09B0FAAB64849BE5224F,IMPHASH=1B9C8C78191AFF12D01BF4EF400390B1truefalse - insufficient disk space 23542300x8000000000000000327500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.254{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dllMD5=84DD371FDD37CFC6BF4C283FAF419D12,SHA256=83A123164CC8455027A11534A650201D7BF6732B23F8C52DC8C138D925801606,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dllMD5=66BF5089F3B759640E29E397A9AC5EA6,SHA256=843A482C7B139A5B2D84043A2CA904719361D3FE68AA4BAC56F9DA51D48A2E37,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dllMD5=1F843B7FB3AA066390B0AC5C05A0CA9A,SHA256=9E4139B24DD26C312E03A497FC1E2CF934DDF55E64275B5350B30DA5D6D19B56,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dllMD5=3AA9E956737489C6715F93E0610235EC,SHA256=7E42808EE1751B2F30A6BD577B255E6EAA012AA90B8C4B028B07DCD9B95028D0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.222{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C573EB391526E4354299E686EEB8031F,SHA256=72006B0EBC05ADA8C6BD0E171AFA63484F3ADFBDC82742F10BE81C00CF9062E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.222{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dllMD5=B38D22481480D7AC5666C9AF6089D1C1,SHA256=1CFA2F5ED3417E5E7E3992BBD7354C388FEAD6D4353C8676BD44C14B1209478E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.configMD5=A60049436C14B85D7E23900B083B38F7,SHA256=274F8B00B8775D1082D0F93737DA1C9D8033D00EF0AD59EB01A379302AB5A2DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exeMD5=334425AE8018DD83242A2D8EE2FB029B,SHA256=DF69337A193012AFDE84BF0E16272F7097A2814DA3EE2F4037A097F7297BC148,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.configMD5=D1A07403B1FECD2FBA724CBBF80D5C95,SHA256=B081DE573BB6B567AEDDB28B29A6D3952EED70D382AB81995DBF6B646BF71270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exeMD5=D9FACD7677517BC6B94EE5994DBE2B8A,SHA256=CC0106C728A64302D53EE08824917A49C7AFD88F681758181D460EA0B66D84EC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeMD5=6804EEB36AD9FBD32813C5143FB3C0D6,SHA256=BDB3694DE21421078375ED86F2D39512E0B4AD675C1EE7199663A79D4540F8DE,IMPHASH=B7E5875BE70879A65091A72B4DA94522truefalse - insufficient disk space 23542300x8000000000000000327489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.configMD5=D1A07403B1FECD2FBA724CBBF80D5C95,SHA256=B081DE573BB6B567AEDDB28B29A6D3952EED70D382AB81995DBF6B646BF71270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exeMD5=A028ECD87A9545738221C6985FC4B999,SHA256=BE1FB3E427D3AE3E555FEEAFB0F5F2349DCA2470748FCE85B4F3506D86AF67D8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.Extension.dllMD5=67CA05C9EB974858720F5C3BC7E4A9F9,SHA256=A5828ACE9433C9ED35BC1B5B07B4D0E52F7439ADA6A769D4A11AEE50AC67658E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dllMD5=34CB8EB1380D190CBE0E05E885548BE8,SHA256=1ED0197E6B98604A2AFC09183B2BB20946367CF77ED32C165E23EFFF3DE10A85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000447948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.539{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.523{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.513{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.465{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.448{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.430{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.391{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.372{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.360{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:19.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.985{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1B9E05B98229D44A2FC0B6525CF4A9,SHA256=750895085D740C74262572ED9F310665781B48D48DC5F131979B87A4A30501E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dllMD5=F07C35444B86B4AF474B64D3AECCC535,SHA256=25C0DEC2A8D392FF8F9FFF2F9B78CCE7C850C63E0F908F944FD4926D59B005A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dllMD5=64C86C7020F32167D2C91C7F5AC6F6EA,SHA256=62B9B9978A87C58F13E6AD24DCA198FEB812EDC7AF5F7BD4046312A110617D21,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.dllMD5=630A2AEE52AAC8050E01AEB68FE44276,SHA256=E9DA992414851859AEB79F984E4EBFDD9D29E67374B7787FC332012F90A0CFCD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.Wizard.dllMD5=AC416F90C8DCA83F614367F584947D01,SHA256=FAAA6B7D12A0656F40622C204F187CD24671E2BCE5F93A86F0EAA9D17D555FBF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.dllMD5=133DE1E4CD7D51448041C1C5EF6F222C,SHA256=2D8CEE4541A33E26E7FE4236BC39ECE4D019F93F8485914DA50DB19005E29853,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Interop.MSDASC.dllMD5=602266E555A0B18EE9CA7C1496D02B55,SHA256=21561EF42F688C4DDDF69B5AB3F5AABD4F22CE9FA0867E43F5EBD5892A56C930,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\trdtv2r41.xslMD5=5E88A4345095EBADB7CB823B62F2177D,SHA256=42C573E6234F3C250577B1B682F5B1F900C95DDD4EEEA2F09DCF41F795F3382C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\Sybase.xslMD5=F7874724269E873C93117768F2DBCEF0,SHA256=868B5C8BE98380C9C58A1B345C3E01E40BA68083B3D0DDC7E1D0294A2E92E968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\sqlpdw.xslMD5=A7C71B6EBA4A5F1EDC9ECF7E4F6E31BC,SHA256=2BDA2E3DD013BD941574D36A5D20680F6A723A8B68E088A32A875B618B342A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\sql90.xslMD5=423B72635EBF8F7F41960AA91B60BD6F,SHA256=B2EAC4DC85B29A7E996ECB039BF8BCC146D8D42BF11390F34A4A0437EB5D80C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.853{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BBBEFA127382550BB1FEB2C72D7C79,SHA256=ED5C98E4CE863271FAC0086EC6ED8127B1684EBE5F753871DE8F345DA1C45C85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\sql70.xslMD5=325582F68A42FD7A862EEBA94CD48DA2,SHA256=AEADFAEB1C997FC4B637103CA5A3FB77297960894529F263EE8FB6D5DC09047D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\sql2000.xslMD5=9520C32EBDA4605E4051648E6E99BA5F,SHA256=DF180CC3F2081A5AB2EF78762C9A9BD157A0324A68A9E74F5A628B64F54D36F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\sql120.xslMD5=09D3639E0C322634B03110ED84A8990E,SHA256=37806C83E9125BE1C8A9F3B1049AC1EE350D060162ABC6C1C2B600CB5DF290E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\orcl7.xslMD5=CA885A8A458C81D9A8DDB18E3AE2F94A,SHA256=6F88C97E30D3899FE1380EA318827BDDD4C0B6D5F7E423D353500434877F297A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\msjet.xslMD5=07817F87945C259A27537F904AC7D4CE,SHA256=4958924C76280F353FAA16E191B596867B454F5AF301CB1C420ED280CDBD4564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\Informix.xslMD5=73BD58F92FCB451CE5A768A3673F7C15,SHA256=035A6200DB7617C9C3235DC2C975C42A2E6B398A3FE23561A3E61EF1BE2A124B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\hive.xslMD5=1E6D16E1C46BF192BFA7338DBD7122C5,SHA256=B767A68FA7E73AB32058D77C4786D72D155117437F49CEF5E6A4518460669188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\db2v0801.xslMD5=59EC54120AEDB8C6DCE67842A90EA53C,SHA256=20C39DB110FFED0588A52F3DCCDAC5C769B681A760E1EBE0B4D29F8BED5B7AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\as90.xslMD5=7657CD6E4B01A396B99BAF6F5D52F222,SHA256=26C5A0FE600571F341FA4978A13723556E4953C28D4BFCB5D6D7BD041CDF07C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Cartridges\as80.xslMD5=F7764EDB7A6BC223E07DF8C3674159AD,SHA256=5D80A0A30D78431191F0A18DA67B53F6E805A53715C6C8D5BAABA3425950495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xmlMD5=E795987F418953A6212D9B16DF2C2B20,SHA256=AA231895BAD550F32CCCBB590C0E23BCB535238D7D90237581921CA8163F3B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dllMD5=57D22EE1AEA62B6EC08B58BC477EB5D8,SHA256=EA9730020035F8AD95322E8AF8CCB6F61EB2EBF94360DA03E37B09AF944FD5E4,IMPHASH=72DAC28481188E62C1C46EB31F00B666truefalse - insufficient disk space 23542300x8000000000000000327647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dllMD5=E389E73C4B5CB13556639F1D65FDF248,SHA256=D47FBB7B477237B2D923D362D5E3F8DB8AFC22378A1791CEE6C478948C59B035,IMPHASH=D1934E9E0A1DE77894786F588A3E30E8truefalse - insufficient disk space 23542300x8000000000000000327646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlbMD5=B8C3E5EE22808DEC59AF77180FE095DF,SHA256=236D405CADE947B7092F6A8901C053CF6E2A0F3AB1BEB195070246DBFAECBF1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.790{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dllMD5=E811F23C07A90AF52147D50BBE28E324,SHA256=3A786409E5AB924820C20317B08C29334FA3C6272F640AE05B185A96645F1310,IMPHASH=F787B99F25CD0AC9A0ED82FCBA33F7FDtruefalse - insufficient disk space 23542300x8000000000000000327644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.790{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.dllMD5=745897FC2816625A0E5F1AC0F9AF16A2,SHA256=5512CABD57B6E1FBD2B96C298D804A3795CD317F61E154AEDB335F6C119EAF62,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.790{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dllMD5=D911F621B021E20A7D734F804D0CBDE3,SHA256=AD13123BB2ABBB31C044FF2ABA67843E330FD8E21B3777D0514B5B705401124F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dllMD5=16D0542979498C5F28BC996040E1A8D6,SHA256=880E7F8506AD180B3B340ADC0D5EBB8D4D67287D3ABA84860BF99859F2F8373E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.WinForms.dllMD5=26DC2C81A323C553CECD12C61D46724A,SHA256=22BA390D7B30AB5136F480B283F8F255AF60C3C25FE44D74D461E265DC832879,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.760{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.Common.dllMD5=3D844D9B0810ED6D27B404979F4BF72E,SHA256=13468F8DA8AC3C3D59E7BC4030A513F7E3C67A71C91CC1D014F6D2230E861373,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.733{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.718{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.711{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.706{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000447954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.181{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.176{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.173{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.169{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.167{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000327635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.698{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.688{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.677{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.674{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.651{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.650{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dllMD5=B6D852B1AD7F8D8B4147B8A20C94D1D6,SHA256=B43801A496383D7622F31E1AEAD77C5E16BA42DAB066CA92DE554E53EFF86006,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.646{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dllMD5=33B998F469868EF8ED936EA827749021,SHA256=9874543BEACBBC3E2E98573C0572F28B7F256BD6941F3BBCB2FFB18191D63913,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dllMD5=39A09BD157BF6FB0C600EBC2751FB380,SHA256=7997633C6FD049888BD60B6E1F6F2D9DB79FD067465EFB88D1B96CDA0D9030CA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.635{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dllMD5=8DBD98DC0FCC45DEEFCCB9FBD46A79A4,SHA256=42A069E25F0D5F27450EE32633E6ACB5EA6ECB05C9D210326B0661BDF0E73F3B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.634{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dllMD5=F1B67E4646A04BF419A230D7A9796BB7,SHA256=D79E4C0103151CA2C365EB6BC58619929AA7FE4F56C781C4770FBB20D97E4959,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.630{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.628{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.621{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.619{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.617{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.614{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.614{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlbMD5=BD5647359C3B7679E35CC3A73B702DBE,SHA256=196C929E4277F7E55E89704FCEED847236E17A7C5E3EEE974796EE7B3D20A38E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000327615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.611{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.610{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dllMD5=C20CA48B2E01389DEDF3342C77F805FB,SHA256=07054784C14137853ECC94630EA524DDC11972D3B75ADC9F1081EEBF9AF84B8C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.609{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.607{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.605{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.602{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.595{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dllMD5=574D91266EE9FA03432CF50DA30DD232,SHA256=6F262BBA82EED8A8D69FAC44E491B99CCA2D4CD448166291CE2186833E730A85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.592{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.586{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.584{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.578{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dllMD5=9C3D9CBCA5D540F4D47B8E2D698B6057,SHA256=3001F69F4C9ADDFC61CC3E88D1B5631BFFC7E15AB01406F032A58FB7C84FE1F6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.564{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.562{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.554{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dllMD5=007281B5D138B6239C2721A2975648E0,SHA256=E3A4D0AF86EED4A2FF4D35AFA322686E94F7E04D7B399ED61F570ADAD36D0DE5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.536{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dllMD5=A220AE915E4D6EC3D173A3A14284E8A2,SHA256=BEE6ECA5F5E9762F24EC3A0C6F9ABE192F0060888F3AE8E492E76C8703F534D2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dllMD5=61B819FF5DA8A18C1F3C57B78513C5D4,SHA256=9026434B8BD3B7DB8454D2E83671E27FF795DBB3667B6E9EFB925EAF16079B78,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dllMD5=0351BB36F8A46DFB6768EF1B203C7B79,SHA256=CAEE4293CBDEBCB6D21CDA6EBE6D17CFC5041FF36FB2CAF037C8A80FB6BB7220,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.507{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.501{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dllMD5=3F96A57D91B1B4C04BF5BD7EBCF62652,SHA256=D0F97DD9D5495426A1E15FE443100B99A20322D616F0C2B80D3CD8EA2C4B44AC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.501{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLLMD5=EDEA57FFCF71100EFCA4B5B5F7168566,SHA256=EB022A9FC8121C083AE85CABE43568352C2062D01882718FEB6E3C26E4CCCB27,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.496{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLLMD5=287181398AEFFACF290B2FBB6B2F2F92,SHA256=6E91C3D419E85BA99910C674886CD486FAE573D98666AEF0D49AFE37098AA66F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.493{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.486{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.475{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dllMD5=09E7FA9039ED59DEEC57D89C95550E64,SHA256=002547C8414DEE8E49ECA3C40B6F616799C5107DB35174FF1CD47521DDEC0092,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.465{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.465{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dllMD5=4ABC410DD256B616FCB4D848F82EACC4,SHA256=E1C91C623CE9E3A9A12024FD866B84E4F1789C9928E41D1809CD741888E6BB5B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dllMD5=4BDEA112C196E9448A194DD85A4F2DE5,SHA256=94A5885A29EBE7991A7BCECB926B0338A26B915665F20743BC68563EDA73CBF2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dllMD5=33488D142917590DDF4E4D9E839C3898,SHA256=7B0878EDB0317A962B84D6E1FC7F77DE4622C27C83A2F5EA9CF71230169D2234,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000327583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.446{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.442{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dllMD5=A1E4D4344104CA4D3484010A84B50E7B,SHA256=0DDD718A638790941969B634724D74ED8763C336BA7720377586A2E24B4E36E2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.441{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dllMD5=9834A594316521380027C0F0D5F93E94,SHA256=9B0CAB434A6DD3B7BCA2D7E027F51987F9CE0B7A54D85CF44E37F6E7C6E06A2F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dllMD5=3E84ACA248238D7A8D254C0787157878,SHA256=FBECCAA5BCD01B9CB65CC1E736F1AD0EB75720210852D6D469881264DD99C2EF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLLMD5=CC32C0581163652306DEAA12BAE6268B,SHA256=F25449D7B7143367AE2058C9ABBB930D84421A020C96F8A1BDF90D6A725389CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.420{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rllMD5=6F9E92F70E51EB76629D55658636F2CE,SHA256=3D8D861F95D90D7A2817C5D458978F61DB41DE5F67FD9FD27521B68380BBB17F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000327577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.401{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.394{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.379{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.372{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000327573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.370{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000327572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.299{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35CDC2625197DCD8082E83B3425FFB2,SHA256=80C38ED75069A4A37FEB5BE6DDE6176155DE4D00E9A4193AC3B7E3A238D72AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.299{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF23137F234DFB06349DCC42707D385,SHA256=F579E35E9B734F205595AA207B40C0F051A73AE4FAFF7A57216DB7DC4B4226ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dllMD5=78583AE724B50C332D994F7C657119C6,SHA256=776B95F681B00A7EFF1F4CF89A1E18163104336C804F18EE78403C0A130BF2FE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dllMD5=278364236DAE0A259BEB8BAC09F2FD9D,SHA256=FE085B083A34F6257F414DCA91B54CBDA81F5CA2AFF2BA3F0E4DF6059F68C50D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dllMD5=EB564D51EEACD22E4A3BE15CEFC412B6,SHA256=7C204BB316144BF1DDE52C84667114DB6878AFF1DF31D163E172E5AF4E996A76,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.208{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dllMD5=0E235A9DE2AA27DB96C139E54EA03D89,SHA256=8384835046D934D159287FFB3C0F859CA77266324C212E02EDE840CC25EC23B3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.203{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dllMD5=3C3A7E6D56F27E88F85D3AD162CFDBBC,SHA256=13819C3C4E267BFD889DADC237D9C2D99DAB24C4821C127D73D2D3A15EB71BDC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dllMD5=7E1F381484E427765A9CF824A0303CBD,SHA256=9EE009A88FF16614FFA7B1F1A6770B332EE1FB6AB8CC2E32BDE92F6655366CFB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dllMD5=133DE1E4CD7D51448041C1C5EF6F222C,SHA256=2D8CEE4541A33E26E7FE4236BC39ECE4D019F93F8485914DA50DB19005E29853,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dllMD5=75060FC6921D523D804FC7C9821D0B0E,SHA256=1A6F83AAFCC00F1882145CCDA08E44D1DC29BE8030473FE671C5ABF2E1A8CC0F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xslMD5=AFEBC8CDAFB90959800184887DC7F1AC,SHA256=C196C51D3A2D29369D24AFA80531ECAAE652C079E1A2B3F67247D90A9B92CFAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xslMD5=A16E716031AC4E6BDBD6F35A5AF6CB98,SHA256=A3CD6B7BFE0FF5CD9AFDAA2EEBB221A46E753EBF5EF410B65A14AE866E3D2AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xslMD5=8A573404F2B93CF45F19C5DB5CEA8230,SHA256=1389EDB75CFB19FB9D1C86ABFD9FEE7F69B5A46E5FF1ADCF6BE5F8E017669142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xslMD5=00AB2E6AF317B027233584CA05B0AF78,SHA256=E0E9D0B9A0F40B597CC6381BF1EC8337E1DEB4CD6A121DF26816C508F85A4760,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xslMD5=677C55508FD93BFE1011659B6B85B17C,SHA256=4009EDE1F98F1AB1578C427F3CCB2C3259192A3A1AF14276B16C4448240A7C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xslMD5=3D6DBDBCC35A81D0FB9FC99B3B09D3A5,SHA256=C79059B62CBC069F855D5DA1E3CC8EBCFD1D20F2A3FCF4E7C089985E19B88097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xslMD5=19DA910ECF9A0F33C52F49A9F7CE8FE7,SHA256=948B839BA0942AE0BB5BB05B2C210768F6E1676E5EF2BB7BE3400EBB97D96B8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xslMD5=3053094B1445D6C292CC925F1B2E8506,SHA256=509A7E04DC2BB81FF781315AB182A738FFAB8AF059BD267D1D4B24A7498DB318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xslMD5=231AAB1CFA3C63327AD073DBB3D4371C,SHA256=CC200681625401A916F79EDA7BB6A179EE4BDE670A4AAD80FCB9C1167493EF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xslMD5=F7380302CE9306A970E8602D74173066,SHA256=44BEF02DABBD62124A6310C2E73177F4ADFF4EABC6A10A4A73D3E0CF9BE55114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xslMD5=5C873DAC161FFFBF25A13A928239958D,SHA256=6282498E63BAC2F13E302A789E21DBCA794AB1C4923660C0E330F931B8EAD0A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xslMD5=FE2B9A3979B7882D55A92B06E2EBE4AD,SHA256=C686C484CE89B8E05575F70334E2B563B54A094708F4F4F79BA215C67EE07EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xslMD5=4B56DB7920F1DBD4ABC838AE3DB5B715,SHA256=521B163EADDB0EFBD741ABF553CB812594865EE0657AF9DFCD672DCA09BAB529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.114{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xslMD5=3F180E80B895CF04EC5E99DD7B63445E,SHA256=CFD3F8C4BAA855CEB0E45C3254B2975EFD43498226844C5D5765041AEF89B52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.099{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLLMD5=0E7796AFE8E1D4DA1172083BD05F9155,SHA256=450750A4BD131988F9C7726827F0675B0C1FC9C4D8954F6EE4976A470F4BCD49,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.099{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLLMD5=2E936BE7DF79675054ECD00170715CC7,SHA256=E288E89557051AC5AABA44DFFACAB4C87AE7A6D34BB827AF8F28CAD5FB8DF4C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.099{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLLMD5=2D50E15E31109D405FC08E8E34215C2D,SHA256=06C3A22AEDE0EF2FBE2A0120AD77E5F1DB689E9CB78D059F3F115A359CC6DBCC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.082{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLLMD5=F804C2A599901A850CD42D995FB0946F,SHA256=00FA82725282FF35EFAAB3ABED09F4732FA9261D68E8A23BF3A2DAEC57C5AA07,IMPHASH=5A635E6C3E075EC2523AEE48430E3FF8truefalse - insufficient disk space 23542300x8000000000000000327544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLLMD5=ADF822D852A201958DD78DFD6E792362,SHA256=966AD9F1934C904616C73D59E7E8840328299581052DB1A562A04F8B2F35A5AF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLLMD5=DEDB210AFFC7308B7D0781909BEDB148,SHA256=E44ABB139BC9C7E8D01BA6D9D574FE3EB6A4B4958C816CF6E09218432F535DE2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLLMD5=1EC19C05DF2B8889AD1895B6FEF3BBC1,SHA256=9329885749B8090BC47A99C78E39CB6BE8EED3111DA001F5FD38A7A8C4E63FAA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLLMD5=351B491461BAA6CC4255BB64CE24EA21,SHA256=4CAD6542E8582770730C2D0BDADC85DD3D7EF23F079C085F7C78D98A79887CB6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLLMD5=9A30B6CC73260DC47EDD662F01CD2620,SHA256=8A2631FD6C33DC135A5DB357DEEA3A1659F69409051007D8354C344920E93EFF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLLMD5=47D71BE5F9847C68FF640F4B8529650E,SHA256=B07B936E52506B4251C589898BD1FF7AC8C0ECED21493B356211D0F7F38FBEC9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.019{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLLMD5=45645427AE0C1B69AE1AFB6BE5A32F46,SHA256=5D0F8F4854871B6596F884D214B3477BC22E0D581618118ACD9A6092B7F473F8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECURS.ICOMD5=7629C728C7724C55346FEA56E1D5D019,SHA256=1FA844F64A369AB586372B50C24DC3ED8F2375CF5447F258B42F3C34140679AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECURL.ICOMD5=3BEDC926758AF0B96D9E36C393BA5A50,SHA256=83CC332ECAC8AD65DE5C19E85E2B7B6473CB3A09D8452147BE854EC8D0510724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECURE.CFGMD5=DF6581497B7964251199F5128999A3C6,SHA256=9AAEF268215ABE43FABB3C8ADABF077D459E4625584CD932CC60BC3B66BB9492,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECRECS.ICOMD5=395E380E346C6F9A5A43BD405A15FD9A,SHA256=3705D7E872086F857CA7453D185B5F6B44AD89722B2A7532B30E17F4097706EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECRECL.ICOMD5=3A6EF5E973F244D098EF5E1158407E96,SHA256=7C94AF8836D5CB1CB00F5E52A8DFA746F0F5B9E570462A6ACD9FE96407C9ADDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SECREC.CFGMD5=1665B127C6E85D0238008412D8A55F9C,SHA256=44DFB59966BDEA7B1DE0BCE69FFB97B5F1023A980493C40E4B82DA2D84A1DFC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCHDREST.CFGMD5=8DC0ACA250829584998D223EDC53F315,SHA256=9E55A166C6A9F6532ECBDF096B7DB98318A4DE548C5FFD42E3D40527CBD5FFB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCHDRESP.CFGMD5=73443F0DC8AF7B6147DE271CAD48AAAC,SHA256=85B95EB6C2124EDC03A521879CB76E6179458A704CF6593C868187F46FF53A48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCHDRESN.CFGMD5=404D10A8D4B3EA661F2CEE6F7E3CED27,SHA256=98C37C5C2D21FF2AAFFB4D4F62D6D40C6D5D16269135C94DD2C2042C5827811E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCHDREQ.CFGMD5=2A7CB6A8AF74B5A1DC3CA553B9AD74C8,SHA256=CBEC4DA437B924F14F5CBB6A798103C1F8A6D62E6A418E8326B3D79B87471FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCHDCNCL.CFGMD5=95EE3DB482C2EEAB461FC20F30C9445B,SHA256=31AE6214D1F35B761F1AC0A3A7E7561BC752F526C53BC21B548F0D734B51C18C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESTS.ICOMD5=3D30970D684D0901AE6D0A1F1E921118,SHA256=041C67033EB2AFDB2CB458DA8146085E24F9E11976732DAB5CA56DD502300671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESTL.ICOMD5=0E568A6CF958AD094862945759935208,SHA256=EEBBB818C32072703AA1BCD9D7726BEC8A7444428930956B732DF5AA4822A374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESPS.ICOMD5=DF0151D11E3DD0AF25739AE04292F2D3,SHA256=8D7CEF391A60413B8BB170B8292EE2A5C87D402B825E2BF4036F80FF0EE8E76F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESPL.ICOMD5=AABAA3E62558B95B76B1FE3BF53FF22D,SHA256=36C746466FE0858EF52369A54276A10C678BC9837B292516FFB45DCF9D4154AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESNS.ICOMD5=12200A8C20868DD9E11146F3A7BDE5BD,SHA256=303B154FBC90F8FE07AB1B7A28A42A53AFA5E4B140B1EE678ED2A355BA97FECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDRESNL.ICOMD5=BBC2CB8A8395D6AEA03ADA042543B1A0,SHA256=5562E996AAC23CD64243ADE5B9C58D93CB09730361B0E9CC924C8D8FE8C9D77B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDREQS.ICOMD5=8E8397080427E9B389B7009A86B6E6A5,SHA256=703A9D9616F5F2AA423D4970B23E7199177F8AE958362A56821C88FACD94D624,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDREQL.ICOMD5=820EC5D04A36F7DC2FCB37B1114E51AE,SHA256=EB89B422356D0E020D5386091025D73BFAFC05F68FEECABB50C2254D211A05B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDCNCLS.ICOMD5=E981227C311A630B33EAFF6ECE2F8565,SHA256=EA0111C2DCCCDE30ABA7901065CD9B032CA4FA39EDD015C8FF97571D0C7291AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SCDCNCLL.ICOMD5=BB616D347941F08A45DD40171C4D4AD4,SHA256=BB13EB8D85ED3994C9E63524710C8FCA682BFD6ADF9D382E43B94D5E456855AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RSSITEMS.ICOMD5=A3C61BD26F6080A80C2948C13AA7F340,SHA256=892575C459CC8B9324645659A7B27635CDBC99C6C3A2125981A5396255D45160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RSSITEML.ICOMD5=8DAFB32F95139FCFD4849A6A38AE2C1A,SHA256=6565E1EF6F590D8BADE1F7A79DE42772F88C9ECD0A3E221497C51595916ED90C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RSSITEM.CFGMD5=34B2ABBF438E90C790A909CCA798493D,SHA256=9C26865B05737838EC81CE92DDCFDD83782BB30EBB2308BD5284C0D8BFC2BFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RESENDS.ICOMD5=CEF83806D3846798A0B0846812126982,SHA256=5A93E9C74381289C5118EEDF4FB7839E510ADDD4D2C407D855C425AA28261041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RESENDL.ICOMD5=14E57A665022CB5A3AF0CBB68512730B,SHA256=F46E890C6337DF4EABF83E11DFE18AAB03CF93F28CD7BA3F85F583700541C8AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RESEND.CFGMD5=C0E3EC05FF9C3E0EAD578543442AA3D4,SHA256=0C6DD6D557D5E8BB6BBFCCE1D8985E43703D4CBBA713CB654B752495A03F10F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REPORTS.ICOMD5=1BCB82A2F645FE73A93BBD7A3983106F,SHA256=AA317A35AB0E4A07DBF18D5AC8DB7ED1A1C7715555B33226A6DCD0BDCEDCDE87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REPORTL.ICOMD5=3A1808F7E98E6A8CE628F43EE6DCF177,SHA256=B73D1673CA00303D2F385A091786C77B3CE93C10BA081D01C61F7B4D9A403F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REPORT.CFGMD5=0B374F569FAF33F4ADA2828876B6D9B5,SHA256=FF817C7284303C3AD4DBC909ECD7E4A9A329C9C2359729094CA86EEBDC908F9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REPLTMPL.CFGMD5=96A3C116687EEDA6909EF45DF7AE607D,SHA256=436FE594CE94C628CB085E55690BDF5ED429BAD2347E5B9D36250905EC383A8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REMOTES.ICOMD5=F4AE2FB941711286BC99C305B8C7A0FC,SHA256=B44BD10BAC61CF716267239A66DFECC05C725D35E658714861D13C7B714B9B74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REMOTEL.ICOMD5=D6BD6D3CD59699E0A85504DFD1F23ABD,SHA256=331755710F7D78B04C48949B697D8466C4DB298D997F3EA55DA32EEBE1BD5885,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REMOTE.CFGMD5=F1DF54E80EBC9B1226A22AD7A4A0B949,SHA256=AF24357686E22F5A18E80DC30C0334F904F286D665A83AF00C2544DCD548A3F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RECS.ICOMD5=275E61FF14B73013F21512FB0B57133F,SHA256=5600659C10F2214AF83B5AC04B1118ADF8A29D48AC2D7272CD228F4673276100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RECL.ICOMD5=A835A015008A1B2BF44AFD867FEB758D,SHA256=C7B23721C17CFFB10D5CC9398278CA916F79314B9BBF38DD6470CDDA600BB927,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\REC.CFGMD5=B77100CB7707F12AEB523FC676372435,SHA256=198689ABB82DEB85DA62C76B82EC032B396A92AF3738316E40702F7851A6A9D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\RCLRPT.CFGMD5=38F190ECFF3196728726A64B21F069B2,SHA256=AD4A972234CAD2001EA5871E2FECF6359E46BF36092743D199B97109AB975F96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POSTS.ICOMD5=524E7C620D3D272B094FC4A94076868D,SHA256=6E8FFF4884C9EED6635E35EE28CA5F661DE54CEC84B5C413BDFCB01DD730FF50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POSTL.ICOMD5=68CF82220073A3EB35F81C40310A5B45,SHA256=D307576E58CB182C783654109013BC337337178AEE67DC23F5DC572BA7AEC17A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POSTITS.ICOMD5=4E723E5C18A1EB4755933F089B347E33,SHA256=FFF6AF00871C0DF7ED0ECBB714F7FAAA6BF49CF90B307044D450A657F2479ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POSTITL.ICOMD5=A7947B1675701F2247921CF4C2B99A78,SHA256=A7A757115B59922DC575A7D05969A49B6686B3170E8F9D4E47DC940321CBF498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POSTIT.CFGMD5=D1B7A751C6269553B97B84C422F7E8D5,SHA256=FBF0D0191B8597253CCA76351DF0FAEDA412274BC4DC659E107A9B83CE1EBE74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\POST.CFGMD5=A0F44EE99005200DA24A6E8F9A49581D,SHA256=646F399C56D0C63E6D99218662B09559B6B73348EA2FAEC7582C74AED381B859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\OOFTMPL.CFGMD5=E7CB3B7332176CF5D8806540388088BE,SHA256=21D6F1F0564A04F3C6D81109F0430DCF38F6008FA24D5BBBC7538A27F1FEA98B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\OOFS.ICOMD5=6149FCE3263281D90C09DAFF735BFB07,SHA256=C1BCD2C0BA5269D2F13FCA2F860400C49CB86E7BBF067E3B9DEEF1EAC4F0121E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\OOFL.ICOMD5=D45790E860883123F276DFC102C7C962,SHA256=0EF50ABC2FBB9FCE963B2CF9B630BC719138F5DAE1426C6632BA8C792166E551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\OMSSMS.CFGMD5=95EDA95AF2A7BCE0C20591704B47C086,SHA256=CB4AF622A654B0EE2595F67D012CB04986EBE2761F0080CFF810D0B34202FCB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\OMSMMS.CFGMD5=6BD5BA277195E6DBAB7C7308413CFE71,SHA256=BDD8CD28A581ED2CE73D22CD6480C863B4977D5FB0201F6D38C4D9BB964065C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\NOTES.ICOMD5=58FE758927AF42147B12D51D3553DEB7,SHA256=C2EE7BB2633263B208B646C503B3FCCC6FE7103CDCFBA86A1D35FEB0150774F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\NOTEL.ICOMD5=18B67864B02A85500C56FF7BD39DBD3D,SHA256=386513A667970143B930471BDF3CFE24102B140DA6F56E7098B30BD5D37C6A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\NOTE.CFGMD5=7DBA7836641CC1A874DD7F0BDCD6C063,SHA256=1CCAC3A1F0D5FFADAE6A8E2D1F47CAAD07C5AD98D17E2D39874EC3AED33B9BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\MMSS.ICOMD5=67707C2968CAD3C731CF966A29BCFFB5,SHA256=49C2AAB991F6DCD77FD5D643F28E8BCEFF4A4446AD6B0DD345C46FCF03418FB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\MMSL.ICOMD5=DC6D80E6DB0603675F18BD3A1FBAB1ED,SHA256=765C3F9C4F21AB9C0B89BC38363266D3D191B3A90E9CD9AF3C82405BB79F14FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\IPMS.ICOMD5=F7E2C87A0D78E48C1DBCCEA45CD96C6E,SHA256=53B4D14550239622C148877A7FC872E83546428A9371A3CC2D00E86221DE6D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\IPML.ICOMD5=93A654632A354694B9821A2AADBE94EE,SHA256=21F104B8AF374057BBDD09DB51D7012C1BC1DC44C44C72077BF7FC3AD4385FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\IPM.CFGMD5=43DA0536F2A498B41AA3A53501188D29,SHA256=E7CD8EBE5EADEE06375EB77997A6C0646E3F39CDC21934BC5BB5306D40B20AF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\INFOMS.ICOMD5=9643C5B7252A4042A6185D2C77284BD4,SHA256=59EA1B371E7A6CEDC15B011A22AD8C76E98DAA5BDC4A9B19A443B89F22689349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\INFOML.ICOMD5=26A34EB74C76550280BC70F9C1BA3103,SHA256=D4913F6A1A023F30DAAEA3AD96A5A98EDBFA6287ED1652E04E60CF8392DE0714,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\INFOMAIL.CFGMD5=9520EB5392809F95ED77A1D523C249F4,SHA256=AAEF277259147ED24517CD1CDE54549731C8920F26110134F3C0B2F179D8482F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\EXITEMS.ICOMD5=F4BEB03A4C6D3E1DC83E9D6A4E634E4C,SHA256=C7FE59E208349B99E94D2DFA26BD0E4B40C71DE5BF92384F041BE5C041B4088E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\EXITEML.ICOMD5=DD2DE9BF23B2C2036CF9A8ECB9002C5B,SHA256=EC0A7791F804C7A453E995B77A0B211CB8326F657BE13A44C1CC7B54342835CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\EXITEM.CFGMD5=328BFA21C8BF0F76CFBE27D4871DA446,SHA256=F0B32B336CB5520A71673507F780F30E43E9DF5FF34CDE98C43C8E3F9B79D11A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DOCS.ICOMD5=BA634B9B7465A82AE9A94585A300DB73,SHA256=A0D047BC15326173CB34B78A5FA283EB750F7078E0C6987D982DB016A37E83CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DOCL.ICOMD5=32310257791C5B66CF32566D3C6EDE13,SHA256=DB24EBB5E3509594D5415A4509C73D4E7B3995D98D8E79B6692C57992DEA813A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DOC.CFGMD5=0490F1A0EF2897E0DE9BB708329EFB03,SHA256=0984A4E50E69A4963B3725452B350BAD2BAAD432BD897425E39259304EF68A44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DISTLSTS.ICOMD5=2417A383D3F2EFFEE2061C07360954F2,SHA256=052CAB019E3C2F201E09871116780475A91CBCFF0DE03F2479B48FF56B2C70C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DISTLSTL.ICOMD5=BB081465800FE05C26780FF7B4C49403,SHA256=2651BEBB19DAFDB001CC40F367E92E6E3B4293E1C169A395A6863282D153560B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\DISTLIST.CFGMD5=350308A79DC778334432A9BBE84A60CF,SHA256=032DB0C99BB26A033E3C2AA417AE3D22A3C2AF6CAADFABFFADAD1A63E4495E99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CONTACTS.ICOMD5=3FBBA498DCFADEEB0230354DE63CAB08,SHA256=3599F6E04E689E0A1BD1A3E9CD8C8360FD7A436B0C9716DFC9BC555A939C83C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CONTACTL.ICOMD5=7D839C56D081DBED770887AE58CAC377,SHA256=5E89277E0301E1B53307A373C5DED5EA976AA5602C66F01CB07FE72F9AB842E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000327811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:19.442{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50996-false10.0.1.12-8000- 23542300x8000000000000000327810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CONTACT.CFGMD5=C717D95EA9B5261E666A81D219EAA3A1,SHA256=B2237EEFC900034E95A5D4BAB9E21B90459BCB2788F6ACCE1FFC75DB2E93DB40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CONFLICT.ICOMD5=7D1B6A346E5E04B97D71C44F6C25D108,SHA256=3B490D17291AFA068729554B9E77D281EA0B0405265787281D31B356D6C10F29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CNFRES.CFGMD5=DE7C3097A2E5CBD2B2F1C02F750DCA70,SHA256=8731DCC1C5824B2F15EA2A049146269EE5F56EC554BC6650341B2968ACF8B440,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CNFNOT.ICOMD5=E3E891DB3AC74767CC42507B17681911,SHA256=2DDD3F23F25D7033DC7F65DCA6BA1844C88E4E54875DC51671C7C4C4661E2F04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\CNFNOT.CFGMD5=93E2076BD7065A14FE1239E96BD75090,SHA256=E55C5F4DD61476F1161A07D6FC30454C6646CC540715971E4B474C0AC3299BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\APPTS.ICOMD5=3B9EE11AFB2D2EF4763F63310C1B6307,SHA256=266EE1D5A5ACF170EAF83CDCA9B2C4E96B19A286395DB2A178ABC3C25A72A4DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\APPTL.ICOMD5=986FB2E4B198A72B3DE74A4B2AA3E8B9,SHA256=8586970CDC62EFB65137C64C2B3550193F53F446AC6724309CE62BA0F4115AA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\APPT.CFGMD5=B39934AEF6E21F775C268FA135FD837B,SHA256=B110673A99C92F6991BD4C33091E2A109D160D5632C385C0AC11023481FDBEF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\ACTIVITY.CFGMD5=CEEE3139492F9AF81E7527E77B4914FD,SHA256=AE434FC8502EA4393C27ED1A75996DA7C67C420CFBB9ED47E54A9EFAE1EA1F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\ACTIVITS.ICOMD5=55C93812C47BB92AA469381C1DAD6D78,SHA256=05F366FCE128968439C74C862FCEF0DA2B9D09142CFEBD938D22D7DB8C7C1DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\ACTIVITL.ICOMD5=67F659CDB0EE35FD32FFC3D19F2EC7EE,SHA256=FDABE4D4227DC5F33FF6CF5D48D6AB5990C8DCD443E1AA22BDA62FEEB26C41CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FloodgateExperiences\StaticScope.binMD5=25436312962D8F7239D1BABD0C937D0D,SHA256=B18ED002DB2089306922D661AA100AE99CF35341E128A898D609AC2D11E005EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FloodgateExperiences\Shared_Definitions.jsonMD5=EAD91E524744EBC7DBE5794451512528,SHA256=E0F1B3A9CCE1B0D7D344F3CFBE5DA7D1F7994CB34EB62740B0115B1E11AAE891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotxMD5=45B3206B0A14EB850F21A52116F021EA,SHA256=C6407F48BAE9FF72044F64B06622076A84D9E8F36A9E0F4F0632A5E644ADB6AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\TRANSMGR.DLLMD5=C62ED560B20D3436824BBA3D0563C373,SHA256=88620373AC1C473E1DBB52C25C732BED13D1469829DCF4DA298D2F2FBBC9D4E9,IMPHASH=828AF7300C1FD166B3F8183E47F40E89truefalse - insufficient disk space 23542300x8000000000000000327795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\RM.DLLMD5=208096D4A280B23D6776F6DAFEF41257,SHA256=5698F237975FBE1138EA0FDE05CAFAAFA368C2D77F09AA2902D7985005746D76,IMPHASH=A9F81F204B0E7F72CC22824A0360FB05truefalse - insufficient disk space 23542300x8000000000000000327794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLTASK.FAEMD5=DD8C86CABD91D18965E7D063C7DDB6E4,SHA256=05696555215F2E9557203EADF9CDCF9F29D5ACDC2F147A80162A043A645AD974,IMPHASH=2AA9A46BD74AB7D34556CC0FA815DBBFtruefalse - insufficient disk space 23542300x8000000000000000327793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLNOTE.FAEMD5=C4ED36E773F1CC17AB9B83056386FEF6,SHA256=70F112340E96CB042C6A172AD94AC923B47E5A8CA8F6466B1A5036275D3CE1FF,IMPHASH=DA7199E3B6A9A1D4DA861518F56B93FFtruefalse - insufficient disk space 23542300x8000000000000000327792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLMAIL.FAEMD5=6C09822A927F71DA778EB871BECD9EB7,SHA256=D7CD0DEF1A9B1C2BF03D25D9CAE60733BD9FDBF86FD4F14EC1459D188BEFE323,IMPHASH=4C96D64D0B05EF5A426161D9A35FE50Atruefalse - insufficient disk space 23542300x8000000000000000327791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLJRNL.FAEMD5=B4A121ED487CC83A871C2FE432DB488F,SHA256=D53698BE59438C0F93BF83505B7E62EB32E12B8E68CC9BC50778841AF5B72D0A,IMPHASH=23EE717126453119D049C079B36B2641truefalse - insufficient disk space 23542300x8000000000000000327790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLAPPT.FAEMD5=3B439032A2E99CC3647E93957E27A7C5,SHA256=1A53095801B30BA4F89159585BF206D22F36B18C7BB3DBF19C0CD6606D466B6F,IMPHASH=042C4E104B0DDFFCFBC7E8781AF08E75truefalse - insufficient disk space 23542300x8000000000000000327789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OLADD.FAEMD5=F8B19A0E7E8355D0FBA3F32168ED73E9,SHA256=FF1681AE6567F36BB68BB6452F0AEBC6BD1500579389CCA17E70CB4EAA80BFA0,IMPHASH=2A1A6B90CDA7EC48D8444B9DBF67D5A5truefalse - insufficient disk space 23542300x8000000000000000327788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\OL.SAMMD5=2033CDC34509F09F7D53755F645DC872,SHA256=8F87D7479F719117E8724C2E6603231A55BFB715418302DE7F4E9EA536B479F5,IMPHASH=047794B38889E5ACAF3B39E0A5BD13A8truefalse - insufficient disk space 23542300x8000000000000000327787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\DESKSAM.SAMMD5=EA480D4C145A3B611782AB54EC3DC4A0,SHA256=4A339D6CA1B964274A1782BE45C71C254E78A441F7ADDCCFA38DA6A2F81D1762,IMPHASH=FCE0487019F8659DA2B8710B08F2CD55truefalse - insufficient disk space 23542300x8000000000000000327786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\DELIMWIN.FAEMD5=FCFD9378395170F5FD767B83FC2B6C53,SHA256=C57175854FFC7F282D202B7378C2B7A537EA76D4A6202C6E13FFC55AFCCF6665,IMPHASH=A457279C4E8EFD7248CC260514D51DD7truefalse - insufficient disk space 23542300x8000000000000000327785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\TRANSMRR.DLLMD5=712C2C9DCDE3087F2BAC3EDE93A2799D,SHA256=7571113307CF34E28394B612EEEF8FC418C2C6C218C0E86DC991EF67C1894EED,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLTASKR.FAEMD5=86A2250AF43154770FD281BCC9E1F94B,SHA256=A88851D8C3CFC16636A5364AF333014FF5C3AFC5DABCEDBD8891B2C65E85FCEB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLR.SAMMD5=E836C433913BB48F7E386B521FFF2FF2,SHA256=9794F73FAA503BF326970A76A07E290982FD6E9FBD24025F879D081AD46A15DC,IMPHASH=1B84F3937F1534ECDA1E9B45D2B7E325truefalse - insufficient disk space 23542300x8000000000000000327782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLNOTER.FAEMD5=43A5396DCDF74F344CC7302485C8A32E,SHA256=465229BE55CD17B950FE88D3D02608FC6409946ACD73E575C9CB32B0CA9A8B00,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLMAILR.FAEMD5=5B8F2F4F3E725BEA3C96F66822ADFD9A,SHA256=E52EEE66BCFCCAF07814AB1E56C4634027ED6A853C1B64101AC60B03E1315954,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLJRNLR.FAEMD5=DBE0CE32A4FB9849BE8FF38B17371254,SHA256=DB9F237DAA66E109D4BD21C3C2093965E3C2CE3FF30A1C86CDD8DC3F8FAAE45B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLAPPTR.FAEMD5=C08421E0B18154106F0301FEABB1FAC8,SHA256=FD4CBE88DBB5B2C46B1DCDCA3F2920B04ACA1DDCC6512E26BA29825001838E6B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\OLADDR.FAEMD5=71ADCAC9E05F89C038FE9212B2CB32BB,SHA256=233BD867ABBACACE96A0C6998EEFB8EC3A36836FFDF6DFBE38E822283704FB2E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\LOCALDV.DLLMD5=CFEE31E5E8C9601030C2EEE7FFFDB0AE,SHA256=8070DAFE0D0E929A91063C639DAFC95101DBAA254E951CB2782D1ED7224697BD,IMPHASH=F6B59F6C8149EFA78CFEA988347B1085truefalse - insufficient disk space 23542300x8000000000000000327776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\DELIMR.FAEMD5=50E792C76CD9B5CBC1FDB83EADF3DD26,SHA256=A94CA8423C27DE84AD948B2A60FE356A91ECE94F69776A2DED970F24EA84CF68,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\ssn_high_group_info.txtMD5=E93BA851C150C3DB5E1C600ECB9D82A3,SHA256=53AD5AEDE02146FFA4CF2CF08540FA7D6EAD589307BD72546FF5E14C4091D9B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\config.xmlMD5=3A4A01DA8E1179FB1487EC604AAA00A8,SHA256=46E88654C5D2AF7A8AC02E9549AD9C6645C3C3DEA8481A3565A7DB0FFA779E0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_terms_dict.txtMD5=C35F673F034531AC3A20F6136A9B7870,SHA256=644D45EC3CE1E7DE0CC9799F5F360D36E84CECF6357BC3B79F5BEC2175EAAE5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_security_terms_dict.txtMD5=B7152D240A2247DED39BCAFA2E38B484,SHA256=2292ABDCE591EE84BD4E5974867A854BEECB6C177CD259BA5007314015C281DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Configuration\card_expiration_terms_dict.txtMD5=837B8B70F551DA5C1826358A27E7C3FD,SHA256=C41032F401E64B1D7EBA581FD172F5C46586C7C37919DCD1EDC1801168ED83E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART9.BDRMD5=8A4946ABB56A670640FA2E90D5CA8815,SHA256=02C51B76DD90762EC97AFE992511A84D47E441BBCC3DDB52FFAA039A8E3EC46C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART8.BDRMD5=9858DCC705962614D83C579E187EEA19,SHA256=6E8528EB8F35DC3C3F9CCB92FC2EF8CB2E15A1320AE9CB7F15BD29F8D973B8C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART7.BDRMD5=866D7A5B637C99AA06C29E56B8C713C8,SHA256=413BFF9CB476CAC33086BBC2B989FBE679CBC81B606C52ACB41016A6E9127D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART6.BDRMD5=CDCD0AA86587AEC6F911519558D11956,SHA256=45704CC0C972EA37377CA465F70A225D3B84EDA1298BA6F41498B296937F696D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART5.BDRMD5=02521C192A2E0D52600DED792B6709BA,SHA256=838CC4FFA2C9CD72F00291606768AAC6AEAA8FE6A51CF61BC808737842D6E3F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART4.BDRMD5=98E1E20AFC95940236B2CD44C0306FEE,SHA256=31A2F48A918B713F2F38CCC2AE10F93AF189C5A88BDC04D07A2A44552F422A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART3.BDRMD5=2CCD15C3C616F2134551DE0280F6999C,SHA256=88BFD23E43795CE557BD250455A551F756DBC74C9535B3B43F931049EB08881B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART2.BDRMD5=452807BBB7C0343C17F7DE8A4E1BC758,SHA256=292E1C5468AE5901361EA60E740F4BD070D3DE018BB3E6991DFA22D39404D68D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART15.BDRMD5=12006DCF96EF789D90771720B70A0E28,SHA256=62A38632D95877346AB54CF175776A63A84C89C691213FB96D2C7E410459AB82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART14.BDRMD5=8515F970C2EBCA8F21F7154C7B81EAA2,SHA256=4A27F89FE8A08232D3ED1DCADB44AC8A47D098DAF98029181144AD97F9B18383,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART13.BDRMD5=DCB365425FC53D3EC5E1DFC95594FFF5,SHA256=B4076026E7F6174912FDD596E3F424F70E93115D9198F9562D8FC4D0B00AA819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART12.BDRMD5=F89F856A57A5BF3EDC9A821943150EA2,SHA256=6E52EA8B733A36C1CA24805AEBAA34EF9496033A3F18DFCF346B02E32945AFCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART11.BDRMD5=EE18E7E79557AC878F46F9873C02FDFD,SHA256=417B982AB7C5DE67AB3992CDE62DADCB69030B0E32153CEC9BB7566AD2539473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART10.BDRMD5=E79C07794B5D0F8662E1FB310FC90DD1,SHA256=95B12C0880111B21042CC77AC67F290C0491B7668F287D0822BB8839D079D508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BORDERS\MSART1.BDRMD5=07263321B006F19F3CBB6353D2FF7012,SHA256=A8DE1370BF0871F3B18DF94062468D831C3623BCA72A3D6AF712A33409A83A10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Author2XML.XSLMD5=6BB9A08E3071E89E5A00CEF9DBAA74CE,SHA256=DFBE26E51D09ED016C7269BB345F24443018292CACBA32B8D778A8F6609DD619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Author2String.XSLMD5=38DCDDCC6D9071EDAAF7614FFED6821F,SHA256=C4EEF0F3AB223F299925DC63FA0BC24B522AF2809D18C12348257EB8A7ED42A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\TURABIAN.XSLMD5=F82561FF802442D12B8B77EC6EDC027E,SHA256=5B7A52DFAA9C3E9E340E081178B54E827ED591AC27DC098C3985C94BDE5CABE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\SIST02.XSLMD5=DAE31FA14BC97723A87F126B5121BAE3,SHA256=30F377F7AC24B022F52371ADA97CB057460265F4C8BDDBB521642B6E2462EE27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xslMD5=C9460BEAF863E337428518DAF5C09C5C,SHA256=A69368BE9AC843B088D739F1573007E634D1068DB0AD9937A95FE7A0690C05E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\ISO690Nmerical.XSLMD5=7777C0173259D8F4A4F5E69C1461CA14,SHA256=A343D61BAB2F25D138BDCC57D33C4A83FD494A54EAF3DF0F539E3B51CFE011F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\ISO690.XSLMD5=831E5489F3047AFF2EFDFF758FA42FEC,SHA256=7914A8B4ADFDC9A6589ED181DE46D3D735676A38AA61B8FAFC0F862B9EC3A1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xslMD5=96F3CCC20E23824F1904EDFDFE5CDA02,SHA256=9970654851826C920261D52F8536B1305F7E582C7A2E892BAC344A95F909FE63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xslMD5=08AD981C6D9BFD066BF29A77A62F0FEA,SHA256=BCFB2EF3D37F7DAFCB9FF4D92885C5F87B4BEC7A3045BC7208460DAE7DABAE31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\GostTitle.XSLMD5=234430F3D3032B9648671D3DF168D827,SHA256=DC7160C2FE5939E82BFEEE180C1DA8176C4914C034CAE8938ED6C9F7A9144F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\GostName.XSLMD5=4C7ECD0ED5ADCC30352E2C06931D290A,SHA256=40BACD32DB58799FA95B4707588ADEA1C9065CD804712B69B55DDD332C037D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\GB.XSLMD5=B17C7119B252FD46A675143F80499AA4,SHA256=8535282A6E53FA4F307375BCEE99DD073A4E2E04FAF8841E51E1AA0EE351A670,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\CHICAGO.XSLMD5=0D0E65173F5AE6FE524DA09EEDDDCC84,SHA256=787D1CBF076902B2568E8CFF1245E5FBEBA6AAD84240A54C4F9957084B93F90D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.718{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xslMD5=58AAFDDC9C9FC6A422C6B29E8C4FCCA3,SHA256=9095FE60C9F5A135DFC22B23082574FBF2F223BD3551E75456F57787ABC5797B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.718{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Sort\YEAR.XSLMD5=25CC28EBF46889C76CD88698D50EFDA9,SHA256=8036FAC594757F903F1CAC877DC9EB816437E0F50BFA23B2299DD6E2D3A7836B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.718{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Sort\TITLE.XSLMD5=89EBDC0B24173C89FAE093F4DFCD4D89,SHA256=1E1022FA979CF1D8237871F7E595FB9751454C0B7246E7D169C9A1E7CFF8D5A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Sort\TAG.XSLMD5=3AD2F7F3092B6DECA956587D96B857C7,SHA256=8FE6538942CB2014E1CD4EAB1C13435D0EB01715B18C8B73C0977592B70EF4FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Bibliography\Sort\AUTHOR.XSLMD5=77CA3DA9BA023F2CCAF3F8BBEDDA8224,SHA256=DFA1ACB8446865F00020FE0C25489015F78F3C214D42F96156F37BAF32411A3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AugLoop\third-party-notices.txtMD5=889700FC1276F2C88D803DDEEB75FB83,SHA256=D356492ADB525BE54D8CA118C9E7221B64FBD4928EB813E2262321B37BA9E87E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AugLoop\bundle.jsMD5=487F390CC187A445C1A111AA399B5DB3,SHA256=C8281DA1AE8EB2BBBC9F879DEE273D0DC73430C80D004F91DFA1D471E995B695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordFluencyV1.onnxMD5=8E476F9E51206A5B10B759D0BF069102,SHA256=0ED494AAC23CB6946B17323EEF25D10C6D26D226472FC638C898A2EAE0C8A68A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.592{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordFloatieTerminalV5.onnxMD5=FC41AE04E1AF07BBC9A6ABD3E2741DEF,SHA256=C190C0B20B7E0258B25E5A675BC2BDF4EBA7370811AF6FABA864F552A6289D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordFloatieAllV5.onnxMD5=083253D94FF038ADF38EA545F10383A9,SHA256=B151E07544E2E896E0D307F49D1AC143B8CC6D69B6AEFE733E64D5696C601680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordCombinedFloatieV4.onnxMD5=CCD49963C867270AABE8A2A10E26195A,SHA256=BE3161CE9BB21D8132EE9E1D45ACA6F145CE4A499718A420E958795FE9D7B1A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordCombinedFloatieLreOnlineV3.onnxMD5=037304FE3CFA273EBAF27E4DE97C21D6,SHA256=4F838D3362404F1B2064E12A0F45A32592BEFF8D88E0717625DFFFB12DD59CB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordCombinedFloatieLreOnline.onnxMD5=4286008DC949298FC07220A9C17A3AB3,SHA256=3709369B7F217A9A16914DD600F1E19ED3122F26AF69609F5E1B2DBF858CB546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.545{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\WordCombinedFloatieLreOfflineExplorationV3.onnxMD5=8AF01C49884404653833F3012E7477BA,SHA256=973923ACD7AFA918D92B0E973F96251DEFEF558E2E66D7D7C95A5218109D668F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointOpenLifeguardDesktop20210922.onnxMD5=6ADA99C7C74C7F328D5A6CD380ED19AD,SHA256=6E8B24DD2C946F6EFE86EE24DB3D7FBD79716ACE5DA4F9D34ADD0F122090F063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointOpenLifeguardDesktop.onnxMD5=DC7342E43B9409602972C9CBDB999EA3,SHA256=FBDB0AE811A74D665AE2D58CC43F81E0BF233C8E11846A1AF6532ED6C87950E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointFloatieTerminalV5.onnxMD5=1CAAA9D2D4987ACD28846B6A5C358BDD,SHA256=51B383B57CDCC2452FEE8A40771E1C07B7BBA1634AF7EC5358F8E896F18D3BCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointFloatieAllV5.onnxMD5=3D8839532FDB68323672A23A3D007A77,SHA256=1D2BC30EE2A6D096966F1F4DB5E070CA8821620739D7B71006EEE7C02A8C11DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointCombinedFloatieV4.onnxMD5=DC0B1055297BC3D2A920528938BA8E6B,SHA256=EB1BA414C5C9E69DC38F062186FD59BC956C334CBAB09B6E8C16C219B7D5BAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointCombinedFloatieLreOnlineV3.onnxMD5=399ACC0798BF8D1BB5C95136286037D4,SHA256=FF8B5B76C9B98269961E29021C080B87AE34515AC47F15461CDD8A7E876D54E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointCombinedFloatieLreOnline.onnxMD5=9FBF729112EDD768F6CECA553235A18A,SHA256=BFADDE6932A7E000AE78742A7C2BD3E1B23B4D14672A357AD6E874938F589FB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AI\PowerPointCombinedFloatieLreOfflineExplorationV3.onnxMD5=493E9304661DEE241C2F4057F6C8BE08,SHA256=697E5A0B9CED647033FD7E8E515E8E74059533F469E26A8FF0C754087CD4644B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.420{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\UmOutlookAddin.dllMD5=3948613D7EA9FAA9D4DC368DD12FF565,SHA256=3F9A6869CA700CEE5F5C5AC31DFC89D5C079DC135BE89B6F96445D115BA5CAFA,IMPHASH=A915DE27D5B4B1270FACA178F7D0D921truefalse - insufficient disk space 23542300x8000000000000000327719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PMAILEXT.ECFMD5=8627E3BE92113E62D5BC557EF22AF85D,SHA256=2D806441C6305CBE2CEB421AE10C8401EAE3032D89D1C5462161C7AEE9F7E0F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTLVBA.DLLMD5=63318032EA0265D7C47833FB19B0CDCA,SHA256=FB2429E2BAFA0771BD48FD29C1AD481D64B75702389E58E52F7220C29A52DA1E,IMPHASH=5E43098E59E10993BD918831D945ADDAtruefalse - insufficient disk space 23542300x8000000000000000327717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTEX2.ECFMD5=37EA5FE6087EB87D433EAC32023EC407,SHA256=3CB0F188EF9DCA492589905E7D05EF377458B7AC38A3254272C418230D1A6907,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTEX.ECFMD5=00AE03704250863D6084FF2A350DCFE3,SHA256=D80726178A23683950D325C84C8D8206D168C046B74C4ECF5E8B4FF8860C88E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\otkloadr_x64.dllMD5=4E1760AC016BFFA6C59169CCF78D3304,SHA256=D33B4BE881EC160C13F1D5D41A5CBA350BDD9CBFD40F12E0FE22E5FFB996794A,IMPHASH=AB6D110924D7259EC6BD5586FD129264truefalse - insufficient disk space 23542300x8000000000000000327714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\MSSPC.ECFMD5=68088AA206A72834198DFBAF31AF4AD4,SHA256=32B3DC0DB0CB872E5AB6189997B9EF6F146F5C08C140120C84F77768A1F6B679,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\MSOSEC.XMLMD5=2F78FA500EA5F9D68BA461C145BE0DDA,SHA256=A437E34CC4BA5DA43483CE5C80ECC1959D3614654D6BD953FD167889DA588789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\MSOSEC.DLLMD5=D6319AE98C6504B827341920352210EA,SHA256=54AF6DFF50F5288361414A8895F6A6C5F87073D308F19248338B4E454433DC58,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\FAXEXT.ECFMD5=1BAD018373103E521F17E425E52F85D1,SHA256=675E5CFA8BCF8C0A9F0FC74B3EBB6CD600C039CC276701EDED0AB54B4E443637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ColleagueImport.dllMD5=825A8655077662C6D23D96EECC77EC09,SHA256=9EAE015B6017E77E2929665BD85436A622B856C98D1383B8D78F15F5E7CED2FB,IMPHASH=2126876739AA7F18677CAB0DEA08CB59truefalse - insufficient disk space 23542300x8000000000000000327709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ACCOLK.DLLMD5=566C13688B8FE2F06EC16F972D3FAB3F,SHA256=969C53CBB09BFA188467A34C9DFEC90CC7E0CD2CBB8E1F0374BC58E49C26EDA3,IMPHASH=7FD4E080A041031DCDC38C5E5D0ED093truefalse - insufficient disk space 23542300x8000000000000000327708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\tracedefinition.xmlMD5=607F5B093B2F5AB24ED330847A4B6A5D,SHA256=96E62CD8B6980D6E877D1B17D66856602104535DA721DFD2AE7282114ED5463E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dllMD5=099DBE3EDB9E81F6FF805D8B72BEBB03,SHA256=C2CE7AE108860BD5E215F499511AA233CB6B6A0653CBD5C8194D7335DC2BAFBB,IMPHASH=72DAC28481188E62C1C46EB31F00B666truefalse - insufficient disk space 23542300x8000000000000000327706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\ReportingServicesNativeClient.dllMD5=E389E73C4B5CB13556639F1D65FDF248,SHA256=D47FBB7B477237B2D923D362D5E3F8DB8AFC22378A1791CEE6C478948C59B035,IMPHASH=D1934E9E0A1DE77894786F588A3E30E8truefalse - insufficient disk space 23542300x8000000000000000327705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\PowerPivotExcelClientAddIn.tlbMD5=B8C3E5EE22808DEC59AF77180FE095DF,SHA256=236D405CADE947B7092F6A8901C053CF6E2A0F3AB1BEB195070246DBFAECBF1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\PowerPivotExcelClientAddIn.dllMD5=E811F23C07A90AF52147D50BBE28E324,SHA256=3A786409E5AB924820C20317B08C29334FA3C6272F640AE05B185A96645F1310,IMPHASH=F787B99F25CD0AC9A0ED82FCBA33F7FDtruefalse - insufficient disk space 23542300x8000000000000000327703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\OFFICE.dllMD5=745897FC2816625A0E5F1AC0F9AF16A2,SHA256=5512CABD57B6E1FBD2B96C298D804A3795CD317F61E154AEDB335F6C119EAF62,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.342{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Types.dllMD5=D911F621B021E20A7D734F804D0CBDE3,SHA256=AD13123BB2ABBB31C044FF2ABA67843E330FD8E21B3777D0514B5B705401124F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.342{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Configuration.SString.dllMD5=8E428269A79373AE1EEF58826726A903,SHA256=A35696A35C2BDC1F56ABF282F13C547FF3148941003968B6B9C0EEFB6B7C8DBB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.342{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.WinForms.dllMD5=9655E8976046EC078056DA8D5FBFF156,SHA256=FFF4C46B74DB1B702BD41B7E899EC4EA2FB52BF1AE787551FA9521B8C6D744E5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.327{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.Common.dllMD5=7B2B191D1DBBC5F4DA999410D93E2ED1,SHA256=B71B93B3FB16A70343108AC91A2AA1314E4A66B50CEFB1679296A91E48137591,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.246{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.RsClient.dllMD5=A9D31609906150C92B24E27E727B898B,SHA256=2F4E1DDE9467E145119108EE86E87E8152EC18E3A53E1340D2C28CA8AB604291,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.237{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Forms.dllMD5=A7B97E94E09ADFE2897EFECCABB83B57,SHA256=99891259C8DB3680AFD35DCE8FBF6F955C8D29F5DF0D7144F26B8363DA3ABE95,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Common.dllMD5=4052C21AB37D2D2B259A3DB72823A2D0,SHA256=15F0FD89A71D3C0EFE79C9DFF5584368E3755C72CE733BF77140F07C14F05E44,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.229{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Interfaces.dllMD5=7369CD700E74BF722962B811358CCD13,SHA256=265399A873D4E0D333F4DD38460BA5457609039907BE925ADEE0955F6DAEB839,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Diagnostics.dllMD5=F220E493833390E60CC6A22F5DB71C7A,SHA256=942DF8AC9F77CD57A18DA107BD22ABFDEE6F76B8428325A8F1A3A11526C9C6BA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.206{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.PowerPivot.ExcelAddIn.tlbMD5=BD5647359C3B7679E35CC3A73B702DBE,SHA256=196C929E4277F7E55E89704FCEED847236E17A7C5E3EEE974796EE7B3D20A38E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.PowerPivot.ExcelAddIn.dllMD5=3D1BAF6EA7D9161840362735BE30F696,SHA256=C1A0CDCE9CC5070AE15BD05494A1190CF2AE6F446E23463412E5F994494105FA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.204{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB86DDFBA454B820587E589D83268F01,SHA256=4EF0A522E568518ECFAA8023A67413F4B4BBC99054A605D75A9908EB83E2A37C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.193{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.Interop.Excel.dllMD5=574D91266EE9FA03432CF50DA30DD232,SHA256=6F262BBA82EED8A8D69FAC44E491B99CCA2D4CD448166291CE2186833E730A85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dllMD5=4BFAA1EF467AAA21322FD22793C8E4D3,SHA256=EE960D7C7D6B1264CA70AEC6FA08F8738A6DA21C4C09176591E821C26BD50F5D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.146{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.dllMD5=2E5ABD633D8137ECB89D2D4EB9EA1A40,SHA256=16029B0A6343437B54005B5AD448820C2B2CD5A69B8B790F7B35F4B1D126718A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.137{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.DataExtensions.dllMD5=648858F6552A2D3DE4D7FBDD65515ED4,SHA256=D2EC78A348176CE20AC47EA85272F366FF43170DF42028FCC7C7106F8E2C5C81,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.132{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.MDXQueryGenerator.dllMD5=AE712B88250719545E8A2CDD1F9F1F1C,SHA256=A731E55A9D2ACA6102C6927ED34D6F9FBD9AE034409FEF050EB9FC37758F8C67,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.129{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.DataWarehouse.dllMD5=0351BB36F8A46DFB6768EF1B203C7B79,SHA256=CAEE4293CBDEBCB6D21CDA6EBE6D17CFC5041FF36FB2CAF037C8A80FB6BB7220,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.AnalysisServices.AdomdClientUI.dllMD5=917982658BB4FFB1292FBB95FA2D54F8,SHA256=984AD6C22C5444BF8AEFE6C781120564CD4808097E88175B3278D67280C7697B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.Interfaces.DLLMD5=0947A3B4E88B6B0FEBE3A02B3D2840CB,SHA256=6610FBE3BF54A49FE0409D59BD6DB6D5FBC246C7A998C6BE5BB3F748AAD0359C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.107{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.DLLMD5=2F11457D7207669F98BF69A28A49246A,SHA256=1AF8AA2C1B1B61687E310E769B68F104738E36FE3AE19B7A24FD3CE933977DB1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.090{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Common.dllMD5=09E7FA9039ED59DEEC57D89C95550E64,SHA256=002547C8414DEE8E49ECA3C40B6F616799C5107DB35174FF1CD47521DDEC0092,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.086{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dllMD5=F7233520C52E6C0E09AC4097790A6025,SHA256=E03AB6176267E9D6313AC0D05C19113B79FE5F8C147BA5ED7B5B1032C9C50AA2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.085{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.dllMD5=621BA58E8DC930323BADF656194E027C,SHA256=DB38BC41ECED724604A3CA455B7854779D47AD66D40FD8843827742884EB3321,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.083{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Core.dllMD5=33488D142917590DDF4E4D9E839C3898,SHA256=7B0878EDB0317A962B84D6E1FC7F77DE4622C27C83A2F5EA9CF71230169D2234,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.dllMD5=0AC2FAD0029D97BE6EFFF8E04D73C7BF,SHA256=6A7A08D787B6B67636B9097D1B3F8657BDC45FF252737B982A0C553EEA971037,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.Dialog.dllMD5=9F8915A442EC29D22ACD42F06D45E995,SHA256=99E5C3B018D4F5CCA12450116ECA4E2BFC9AD8642C29EEC41F06E06C573FE9D5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.XLHost.Modeler.dllMD5=A491769CDC067E1FF8C3E9A2566FE849,SHA256=E25BD04EB58578FFD7CE1C06D4E5C6DAF05A40AF42CAC8509A59D0680799F82C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.SPClient.Interfaces.DLLMD5=CC32C0581163652306DEAA12BAE6268B,SHA256=F25449D7B7143367AE2058C9ABBB930D84421A020C96F8A1BDF90D6A725389CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Modeler.UI.rllMD5=739068890F8BDBAB5A8336EA66591E55,SHA256=4D9E37E808510E0828EA37F6A358C9FEA93F95C561160DD99248CD0884E010BB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000327672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Layout.dllMD5=78583AE724B50C332D994F7C657119C6,SHA256=776B95F681B00A7EFF1F4CF89A1E18163104336C804F18EE78403C0A130BF2FE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000327671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:20.994{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dllMD5=278364236DAE0A259BEB8BAC09F2FD9D,SHA256=FE085B083A34F6257F414DCA91B54CBDA81F5CA2AFF2BA3F0E4DF6059F68C50D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000328255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dllMD5=D0725200A64A378E031E316A0366D0A0,SHA256=D5A898ED087589AEDA54063CC366CC4593D06FA330C6AC7C0FF8592095612807,IMPHASH=8E4E2BB70D7097434613AA786FE0AA34truefalse - insufficient disk space 23542300x8000000000000000328254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E927D5D6BEFEA1311102E810EDFEF9E3,SHA256=2DF43516FDF812437B91AC20AC2CEEC3621FF6E0B1F70E7EB63EDA17F1CE19EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.945{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349DC8FB687A024E45C995000C1E4FF0,SHA256=F2AD0FA9D92831E65634CE55AA422F553FC5B26238273935896E313EA661CA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.866{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dllMD5=E04D2070B3ADD29166A0133D8B2F4E82,SHA256=D63589D1CE474C30E91B1BD60566D79967F3A651498BB7F1E697015CC56EB5F0,IMPHASH=1510A4E65159E2632E44C4D9A48ED4F5truefalse - insufficient disk space 23542300x8000000000000000328251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifestMD5=1A779FDAADC7F3E0F315E82D290D774A,SHA256=55DCDD1FF714855C23EA434DCD7FE9C622FA194F6370B3DD8AB5662F81BBD35C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dllMD5=05C1E78D28B70D089D7610FC0467895F,SHA256=631E20C9DF816D4726BAC174D659993B01554C467A1801CC64941EFBB0E4CA7B,IMPHASH=7FBE30BC11B896C138D6EA87C3B12402truefalse - insufficient disk space 23542300x8000000000000000328249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ThirdPartyNotices.txtMD5=BC5CDEC4C7696AACE444A7E5987206A6,SHA256=7B3AE543BB5DE5BF4E106585DB7588E8150F8F85035B862ADADDF2C780360B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\MSIPCEvents.manMD5=27BE4F869C8FB167596900CF2FA6209C,SHA256=04DD059934D98733E5071AF69D85D431A6809E85C7DEB796B1294CFD6B9D7298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.835{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\msipc.dllMD5=3BBA00A17338703832AA2E57738DD04D,SHA256=BEF02C7A60C804D8707F916E9D04A33FE32C19761D524001C3E8FF4A944D0FE9,IMPHASH=99437F4E5C9C86B1617DDF286AF2156Atruefalse - insufficient disk space 23542300x8000000000000000328246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.804{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ipcsecproc.dllMD5=1F46C06A574594FE9F9D45AA5721EAFE,SHA256=8E6D7FA8D801FC6A81E209BB18FF7A99B55E60F5DEE3B0117F41CF573D47EC4F,IMPHASH=8DFF9CB0290A8321EAAA18E16B3B3C92truefalse - insufficient disk space 23542300x8000000000000000328245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\zh-TW\msipc.dll.muiMD5=106EB9B7696A371B53BA78F49AD66944,SHA256=1D11F110E80C6A7CC886DAB071D32537B6B715A5A8430BF06FC1000520C486BC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\zh-CN\msipc.dll.muiMD5=BC3A7461E502C5B26FCA975B4D951E23,SHA256=09086BBC7358EEFEA6A14A7A241B7CA2D4D52853B193539DDF19CB456647D9E1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\vi\msipc.dll.muiMD5=F35EA62FB2479B8A8323DA85884EAFAC,SHA256=349B0D5ADDBDB59CE95ADA1BBF5532C286F081FF962BF5BC30611C680AA18C2F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\uk\msipc.dll.muiMD5=A59EA9D16B616E8BE3E077A74BC6928C,SHA256=A2D1C7DF867C4A42DC792B6E03B3488E7D68AE5FAD86478EB4BD7A4BF6667581,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\tr\msipc.dll.muiMD5=4CC39FD2F238DB3B97445E3C25B060F6,SHA256=38439E06E6BE23A07B9F423268D72D9A3490DAE8482C752CB14DF7AD9A551C95,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\th\msipc.dll.muiMD5=AABAC3BF02CD87DCF7958FD411E0DFCB,SHA256=910031CBBF1CD2DA257E1457915253FE12901FD2A5FACAC67CEDE28F03487734,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sv\msipc.dll.muiMD5=2FB4BCD7A60322850311895029E9E8EE,SHA256=F085A5EE4F2BBB64B8ABAB8A34FA73529F929D13BE54F27E334C8590883480C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.muiMD5=65030948E9D2B3F5ECCCF7772EA6A001,SHA256=80EFC85E50247AA06E67E095C56EA9D54EC1455A3529D6BF45AA9F08EDDF89A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.muiMD5=A66DF56A9C60A7DB32365D77871122D9,SHA256=F1BB53210436D69E48A24A2FC224556D5ABC7A8427ACCC9915039D6B6D8B733E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.muiMD5=53AD1DC8809750381E3AC3524AEE791C,SHA256=DA123A76BD218A03076A71477DD133150A896667566246E09811498EE3EF9DA8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.773{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sl\msipc.dll.muiMD5=BBAAF6040130195C05737FE5AF6494BA,SHA256=4940717D479379A29B1F12F29F76635675E3A9314403E55A49EBE521BB2703D6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\sk\msipc.dll.muiMD5=784242988DE7EA700A8B94C537459BBF,SHA256=94A8A71380B04804B7E2B4860C17A2B292653A2D61F4E33F923FFC0DCFB02EE8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ru\msipc.dll.muiMD5=763317E475AE3611E0D5279E93216213,SHA256=615057C8BC3845CD8003C7652774C666CF2BB1AD2DB60D0085BFDB0CED430058,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ro\msipc.dll.muiMD5=BC22654444C8A61D48C8AE0A1D31F7AD,SHA256=70A94D431D5C2C9E7C632977EA181C24B0DFE517A34A9F7D83A2BDFF1FD8E728,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\pt-BR\msipc.dll.muiMD5=E58EA11B7A237775E2BF59EA76D1121F,SHA256=37345E5C300A6762E976CF6EB10CAA2631735E7AAE2D73F39BB8D1D4D30DA2E1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\pt\msipc.dll.muiMD5=1C59948EE99289FA58DB59A30ADD436D,SHA256=12E778EBEB471D3CE6278F34C6CF87A8120E13B1B1C52979444FB5E7F425C087,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\pl\msipc.dll.muiMD5=DCFA6AF1B503C9333E6C248C9CBC6A94,SHA256=146D386A643FCA4E81A60424DEED31B95C9C65B89354BF1747E88FF2B5AA2AF0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.758{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\no\msipc.dll.muiMD5=CB5B89FFA34E4A0BF2EE5FC499795381,SHA256=167DE90E6F71EFE12761F89C4F1667B78226B7B2107B68125AD5E432A9AC87F0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\nl\msipc.dll.muiMD5=8BA657EDF9F2D66A35D09C06F241539B,SHA256=25512444916F31F29F1677E6E9D163391A25A907468DAFCB2A62B55322CF5CDE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ms\msipc.dll.muiMD5=020A0ED255DB7353FBC9D62BBBCC3F39,SHA256=510A7D992BCB8C0044081CBBBF63CFFB9D82CB793FF580F45A590C8AEBE08950,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\lv\msipc.dll.muiMD5=5908FBE180EE30A3BAA19DDD9F4B853E,SHA256=AD171B92DB719B66F5CBFAE5B3CAC81A2DBEB29228324C09F25008648AE5F0B2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\lt\msipc.dll.muiMD5=CD86D3CFFF700AB3697268855517152E,SHA256=EE2E0226A21387913CE641864B27280361BBE0F1A8DC1BA84CBB00B0B3083C8A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ko\msipc.dll.muiMD5=2D0E1AC77B17DFE6EB100CA2F4FB0FFF,SHA256=05BD184E2217EC00CDCF7007F10181A9E9BF55AAD2668EBF5B89975AFE8373C4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\kk\msipc.dll.muiMD5=B56C6F13279F1A0D561DB49925B0B976,SHA256=AD7CBC1F3063390472FAAAE94BAFDCAE9805A7B2B6DE879B65BB31705013C0E5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ja\msipc.dll.muiMD5=285C1BBC4248F84008418B675890FD9E,SHA256=514D48C572AAEDF9B52BC16CE4D7401A5301B64FD2583406088162AC4E56A48D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\it\msipc.dll.muiMD5=2E54061F6AD72A13C2F2690DE10A5857,SHA256=B06FC6E2A9B2F36627C854F806BA59BC04A7B9A7BB6EDF5EC8AE5AACC577650D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\id\msipc.dll.muiMD5=32C5D31D0319EB9264A757C48BCA6862,SHA256=8AD45C9D44A0AC5D4D135BD3171F46E8EB88DC757C2882B9332CC1A690A32E2B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\hu\msipc.dll.muiMD5=CC6C739A5F90452CBD8F7E4C36E6BD06,SHA256=AA0D2D775852769F833C422FB4831138432318D7D9642E88F77F4DF02B1BE4D2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\hr\msipc.dll.muiMD5=46DE4EBEDDDF4F4A083F4CF8B90BACC0,SHA256=50B6F584A2EAA71A41517731A8C05023D67CD1034A54405FB40BBF4AE5E78F2F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\hi\msipc.dll.muiMD5=84917FC1D557EEA6FB4E85C6917FD040,SHA256=44C22F6F5419A0FFE45EE4163D7A08AE08538F3EA037549DD113492F4164D167,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\he\msipc.dll.muiMD5=B5912F4AE0F384D4FCA0DF9AFBE451EA,SHA256=F762ECB254AA888F3FFD23B1F27C2B73F220480C520CBFFF761CEB3CFF5CCC19,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\gl\msipc.dll.muiMD5=F57DA27CC531AF6DBA608AED0C48CF26,SHA256=54302D8FA4535F4BC31BA1423D69F93CB0F76CA342874BCEAA7A0A1A36A00BB2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\fr\msipc.dll.muiMD5=4893F2E7A0B1B9705E462A721B89BDAF,SHA256=4DB3172A32D2B7927EADB92915F6253015BF9627D1DE5EEED57F32AD497D6373,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\fi\msipc.dll.muiMD5=C88A98E889AE2D1949CD40C9799E4E84,SHA256=43AD23BCBDC08AD2165FF2D10FB3379276FC9935782B10DFD3509D41872E2F74,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\eu\msipc.dll.muiMD5=D1BA7DF340A80D7F41E1A92B1E0A9D12,SHA256=0288564EBEBE3D5AC532533A27C48AF6EE39D3022AF3A631C1794AB5C1D36AC5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\et\msipc.dll.muiMD5=312AF19C6B9C6EEB488245702AE83316,SHA256=667A45DF5CF249083048C92BBD3A54CD3AE211A1DE719EBAE60B449BB17AAD08,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\es\msipc.dll.muiMD5=C0FD7661D3C7B0EF81138D1A7A0A2883,SHA256=6B23A3961BF947116028C75F06B1A73E30FE5BE319C33AD5DCAB4F7F82283D0E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\en-us\msipc.dll.muiMD5=1A92FB4532D9A7B8E136D50F80BC268C,SHA256=EBD3D1F65781B354B4498AAA7C9EEDA9A93CFB31AF0997F70CE560A914AAEAF8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\el\msipc.dll.muiMD5=341D0B6F61E8495C12B8FBF78879244F,SHA256=729879D3E88A3EDD2DA360C75BC1642EDBDEF497733C319589B04CEA74DE2DDF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\de\msipc.dll.muiMD5=FD3D87D37EFFADCF4565253B0FD426A7,SHA256=4D20BC6D109ABBE954ACBB6E5BB7C180E83F0F7DD58187CF9FF18DA2DAC93C4A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\da\msipc.dll.muiMD5=D306032BAB394D4E1FD5A700A3347CD0,SHA256=1D49CC7DE755DA0AEE5788A2A917FED1D8BD104E43564D6711521E01C623B59A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\cs\msipc.dll.muiMD5=A1D36266DF95592C596A6FEC35D536E9,SHA256=38B06DBA8FC931A73A2795374CB1B2A17A97D519F03C1D2446F345637C1053C4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ca\msipc.dll.muiMD5=35D7F583FC5FA1D98887241C90A1ECC2,SHA256=61A8A80A468D16A7EC5120A31D7084C75977EECBDAB68F1A5E58AD983C020E29,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\bg\msipc.dll.muiMD5=274DD34346EF5F145FD406DAAEDE6D02,SHA256=194046AE93B74FAE2EF6BAF812DDA2087D68A9439E21633B84C8128632EAC4BF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ar\msipc.dll.muiMD5=C3BCC2A03289CFEBFC40AB1F8E2FB825,SHA256=A625A5E0B93560B7789BEEC60B6C689B9818B80D7ADD976B2B26E505F4D4F332,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\WIND.WAVMD5=687B9D00399F5D7FD38F1CA35DBB0681,SHA256=687689502EFF09DEC63EFE753B4B16A0B35F5852AB1F128840B9E46CF61425C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\WHOOSH.WAVMD5=14AE23ECA4848F6F00E7EEF5737E5F69,SHA256=F748469A6DC64C51AC2962E7058B54CBD90129FB4E993EB0DF54047EE65D2B0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\VOLTAGE.WAVMD5=D050433DC8545D178633A0F2DD218C77,SHA256=13576D767FE86E7F64FC5B8A0B46A21F2D856C47FCFFAEA4A7196770AD3EDAB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\TYPE.WAVMD5=7593E0E3EB61130AD19433753E8D1621,SHA256=350B39843228887509CDA2CFE5EF531EEEE5C09465843CD5E8510E50BD8A89AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\SUCTION.WAVMD5=E94900C685C5E77EF38F74FE653E0D10,SHA256=3053A05ACE86F945F1C8079DF4C35A76CFD7E56EC5305755F717AB05F1A478D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\PUSH.WAVMD5=7FBD66E4BB1596628CFB606C3635FA11,SHA256=C611CAA62A911BB2387AF89D80059C67C527A7968919242DC7913094B64A8673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_videocall.wavMD5=F77B15F2C0C1564F9E44F5EDA4BDD161,SHA256=D52E5477DD8CE45CD3FA42C6C5F91C7474E1FF9E15D0FE2425BA2EB23CD26148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_videoadded.wavMD5=5A2A1ED9CA515E9AEAD3C4DF503673F9,SHA256=668430F00439136B86FF38A78223F385C9B53ED58311F7B2CF790AF06332AC3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_untag.wavMD5=F2B4ACA33A86535F3529A1589AF249D1,SHA256=3C4B1E771423E633B018DBEEADD01D8F9082EDED84A6B71AE0A6E3617AAC3D0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_secondcall.wavMD5=6B030F719516D75AB8161D477EE18E1F,SHA256=4C2878EEB6DA734220C2ACBDACAA3BA304BF8E7C3DFAD2878726D95E1AB11BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone7.wavMD5=2861DB27A6ADDE885D43F34C4CEB840C,SHA256=13D5848C9D9C1547D93E0FE47942B425466604CA0F64451DE88DF178D4E23750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.648{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone6.wavMD5=F7BD045B97D067AF7DD8F3ED870D57D5,SHA256=B38B6C8B6B2B11C2C69AC8249205F0290CB8C086423E13D601BB72D9E6D1A1DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone5.wavMD5=2697CAD4239D1522FAE1AB041C61D01F,SHA256=C41A268118A7F1A70958F9B52F609D17BF2B596B9C6F4D086E14EF38040D5209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.616{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone4.wavMD5=564BE2AFC1621B5B6263F637CB0E20A6,SHA256=F2CFEABA5830DBDA02E31CCB0DCB964CF86A89F17585476F128AC2EBEC7FD5D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone3.wavMD5=1941146C5219BEB3674A4BF108F20CED,SHA256=FE91BA5ADAE686CCE98D8B203C15F5A8FA79B10AA90ED774F68F86FC505D4318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringtone2.wavMD5=FD9CDB1BEA3C12EE74F4EF9A0C2E72E2,SHA256=7EC53261D6C0F4F88B1C305B7393813F6E02DF069E1776FCF6F15941D33B56A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringing.wavMD5=F77B15F2C0C1564F9E44F5EDA4BDD161,SHA256=D52E5477DD8CE45CD3FA42C6C5F91C7474E1FF9E15D0FE2425BA2EB23CD26148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ringback.wavMD5=F77B15F2C0C1564F9E44F5EDA4BDD161,SHA256=D52E5477DD8CE45CD3FA42C6C5F91C7474E1FF9E15D0FE2425BA2EB23CD26148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.557{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_redirect.wavMD5=5995FD2EAFD19776E5BD61CD5B738BD9,SHA256=35964D4FB4908D7C763D622F75B9E82711C943BFE0F8698FB31B3BDECF3B3C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.550{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_presence.wavMD5=F3AB61A2CBA6B2FE015E86F9F2D35B6B,SHA256=D305D25E7B1E1CB14884265AE9D76E65ECD88418FA736E002086B4C39A5178C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_onhold.wavMD5=689E8370361E123451336D831230E5F0,SHA256=C97A28E69D94CB02405C0497099F0D7362B66F52B6BB178939DDCA3C1FE79F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_newim.wavMD5=3AEBD7F0AA9616D57CC55E4610E384F7,SHA256=536C9FFDD8B196269DCFCF07C9EF7B0E6E12DDCC38730C0FD37D0FE4BF1F5F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.517{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_muting.wavMD5=6A295536C37DD5E08AF8B8FDD2BB3970,SHA256=1444FD6121E159A96389DE760AEBC2759F1314D5AA3E1F232D25D353EC5C02F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.511{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_joinedconference.wavMD5=1A9EC1CA15140836C25CBBA2CE637C60,SHA256=49712F77C84FB8DC5B9F39630DC1A994AA7291547DE5F857ACB4BCEE5C375193,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.502{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_istyping.wavMD5=6EA065783B687F23C78BC3F4BF1363B0,SHA256=27954A7C1E6B3E7BA54F9E13659BA9C87B558603C498BA33B1902FAC7373680F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.489{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_iminvite.wavMD5=3AEBD7F0AA9616D57CC55E4610E384F7,SHA256=536C9FFDD8B196269DCFCF07C9EF7B0E6E12DDCC38730C0FD37D0FE4BF1F5F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_howler.wavMD5=FB01121E0D03E2AE82ED32F2345495C9,SHA256=71FD551239909C1EE680791F73836C413ABB6D57DBB27681A97676C02C8CFABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_fsringing.wavMD5=F77B15F2C0C1564F9E44F5EDA4BDD161,SHA256=D52E5477DD8CE45CD3FA42C6C5F91C7474E1FF9E15D0FE2425BA2EB23CD26148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_fastbusy.wavMD5=C836763C3A0651E714C471F699B61DDF,SHA256=3408BF9B26F6F8193E3531EC747A23103339B86285D56F98B86136785852026D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.456{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmfstar.wavMD5=C59AF4661698FDC80B4EB0FCE83DEA54,SHA256=9599368A04A8CB9C64553F43F5896A2C265F2C635FB80CF514C061BFC468FDE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.455{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmfpound.wavMD5=13EBD129231F9ADE1A0823473F4BC9BC,SHA256=7290A9B2325AD9CA9152EF38E0A34C680128C17A2BB5032737D8ABF247DDA0C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.454{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf9.wavMD5=03064934DA2B1454A5F574BFD3C8655B,SHA256=36618A02FE07375404D8D63900BA2757EA50DB72F070325573348DAD74457870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf8.wavMD5=9B43DA128A0E290D5E7091437B303EB1,SHA256=98ED7F1E7C4772DF0C0E1781D00AF15EECA31E7894C85F45C2AE3649751ED18A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.452{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf7.wavMD5=891614440D6890BBFA0F998A20D47B9A,SHA256=FDDE9B2553463ACDF7D690900ABA655AFA276084924B428D72370EE28FD5ECF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf6.wavMD5=8B5E063F52ECC07F60BC23DC6AE518A9,SHA256=1802E65A33DE801E8899097BA4C3823D0EA003857295ACE770704F6565DDFFB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.442{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf5.wavMD5=1E38990F41ED2BF83FBADB702EFCB210,SHA256=EDC738815551C441968D4378D0511EA8B8695DDFD440C6C0A16882EAA52AEE78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.439{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf4.wavMD5=375974432B33349709663DE09AB13D62,SHA256=CFFCA4E5ADDC09FD761EED03C991513257515D6B7B1D4DF8BC879B20B79072A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf3.wavMD5=2E273189254A1139A588995CB1C91248,SHA256=572F5084D75BCCCDAFA07A7A425CC9E5B1BC01DF8D88F1C5CFF05A2B0FDAA0D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.434{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf2.wavMD5=11A24FE108394E7E593B02D5D41C33CE,SHA256=26075F68EC6279090B1896D7D537F05782D396D7C7C367498EA36422FA993815,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.431{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf1.wavMD5=1A8B64D3153EE4117E9E156991113125,SHA256=AF8DA0AA1E654479F1B3778BFE36E03B4F0AACEBC8B60B22DA3A184B86AB860F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dtmf0.wavMD5=96799C88B83C2F7D4954B5250A36C85B,SHA256=7A00577715939A162A43C50B68F72933FF19258257D0DD3B0460D1E19161E6E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_dialtone.wavMD5=1D375FCE4C2F4BBB5BFE013BBF4008D0,SHA256=F9753F609C45601790A839F3CC0C52A6FDD6EA81601DF619EEB00AA6386D0A4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.423{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_connecting.wavMD5=D708882EA2727C02C3D9685F1131A769,SHA256=3BF6E64B0FCD1FD26376F38F11F79BED3F22BDDCC1876421549BBE04B178EDB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.417{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ChangeModality.wavMD5=9F53D074768E4EFA772EA03ECABA0FDE,SHA256=BD848E7C3DC0FB7984015C5740713779EE6A33EA166BF8EC3E3AA18D645E6EAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_callended.wavMD5=36725C819F5B9ACA4CE8EE27DED9EA83,SHA256=01F2B6B20DB26E3A26D0E2A35F8D0E0E7B1DC3C919B7B1136E9E1C52B3FE5517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_busy.wavMD5=51D56A69EB11ACE582AB8D0DD636D318,SHA256=092A7B0CBD15DA59910B93E8B43C754317A17017D6587E7F6BBBDB526C519205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.403{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2245D9C1DFA756923FAD0F7ED2797A,SHA256=25358BA10158D074D2C5F3B3A2A82B3678048DD68923015DF002F767E937EC8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_appinvite.wavMD5=3AEBD7F0AA9616D57CC55E4610E384F7,SHA256=536C9FFDD8B196269DCFCF07C9EF7B0E6E12DDCC38730C0FD37D0FE4BF1F5F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.393{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_ActivePresenterChange.wavMD5=1792FFC85D16E3212647BCC8ABDB4164,SHA256=2104BFBF518C926CE1CD5C6F0B095197CF89E117EF7109A5E29BD06DA92771BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LYNC_abbrdialtone.wavMD5=4EE500BA00890FC8F0E0745C3DD1A159,SHA256=95A7B4310F3D626BFF8FD7C92B9A679B01DE30E55989E2134ED1AB1CDF6EB685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.386{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\LASER.WAVMD5=E94C385C27C3096E92DE1B39D6AFAD65,SHA256=2ACFAB9A56E4F8516190EBF13A7B93C845E52F5824D0196F2E285502E621920C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\HAMMER.WAVMD5=0D9913113500D917CB6FA3DF3587A05A,SHA256=CA7FD70C38A63AFCDC3EADBDD3694DD87A47FD3891B346B6A58EEF1764D3285B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.383{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\EXPLODE.WAVMD5=49B9DA9918858F2F28B32EE845FA4C4C,SHA256=4ECBD8D4BCD73D49E5A7D68F3E0074F4F9A8518FAE8B235AA96BF910C219A60F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\DRUMROLL.WAVMD5=340E970EA7C72E79594DD0C3596513F9,SHA256=75B15AB863A8AA6F20DB28C3400A85F8FF384675DCCDED1507486C961D893637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.379{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\DefaultHold.wmaMD5=290E1C0972E5E4994ED5A953A87006AB,SHA256=C519287D487D51F1E03B18CBE83C8EDB23A6846C113CD1400BACEF0439A6CBEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.363{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\COIN.WAVMD5=238C601CF9D60A50432B497CA5F825E3,SHA256=3BBDEF4E7D3398C3617F8269642C6D1AA7B22E5332C67025239581847B41E0BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\CLICK.WAVMD5=3D628041A2CB17F222234DDF06B494F1,SHA256=A797A293428AFE1E9999A5FFCCD1AD7B9B581D427189DE02CAF66F389A70A31B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\CHIMES.WAVMD5=C2DEA2C78EB9CFDBDE343FBF9B55D380,SHA256=32242D72912A92504C344B64943DEBDE242EE77F34301E0EF220E80E3D8CFDCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.359{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\CASHREG.WAVMD5=307669F8F2529007A5E14CD4A236B07F,SHA256=B449CA058DA47C005B479CAD24EA475DFCE2F62482D862EFA5B437E630CD1A1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\CAMERA.WAVMD5=B16282C042EF5E5646B4360579F688D4,SHA256=2BABB49407FF2972EFAF8C6821B0CD950DF3FE6E5FA46A94B09984AE5ADF7DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.356{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\BREEZE.WAVMD5=C8BB66660816C04933DE66D4B4CCE436,SHA256=479D4ECFA527AB1FF0ACD29F7BE41C1368A1BC39118752AC05DE24A8C23B6589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.355{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\BOMB.WAVMD5=2697BDC3376ED348CF2263F24B05C28F,SHA256=A641ED5F90E4C2C4B955FA7522B8C35ECB10B93CF7F90E80BCBDC5E3F01545B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\ARROW.WAVMD5=B850034C11CEED4FD2A8F20BA3D57FFE,SHA256=D0D71D3F827F8C4CD9E4DB51A72465BE8426087E2B38467B3E639928116BD6E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.349{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Media\APPLAUSE.WAVMD5=FE2149CBA06CB3FE0ABDE6E26B0E31E5,SHA256=99E4B705D0C8B756C697E73426BD9BDB46B8E0EB9C1C317C77552D10E1C6BEDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.scale-80.pngMD5=F491A85840133B69142E24765D326485,SHA256=DBC099C8D83D81A8AC55FA6C0C57B1CAC8C1CAD57C6BD2DC4E6AD69C171A2BE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.scale-180.pngMD5=6C3308F9232E99D5055E3316FA9EC988,SHA256=D6C0E475039DAFBEAFD861111FD01C9D699CE6B2452F0288482A4E2805FC7AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.scale-140.pngMD5=BA8450DDACE9085844EFB06A4420B2A6,SHA256=31FC47934E157F77A7DF1E835A6B4A3D4292F473AD4A3DEF094062B2C6BA3F34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.scale-100.pngMD5=F2C420612E81CF3505FC1EFD248AAE20,SHA256=7FBF07CCBCA152895E0748FFD19FA4441FBDEC249182A783596DC1620024EF8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.pngMD5=51954657FF807C61AFABAF4C9B27F8D3,SHA256=28A895FC41DA91B0D0F08A15D8BF342A6B2E9AC88923757A8A832A8E46CD5FF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.pngMD5=3CFA72BF9600A5C202908470690BEFBA,SHA256=55DD0AA19089368D66A58FA303429966EF83782EB0270AB672C761E1117A74D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.pngMD5=4247533E0C41C4828CEC5B5071D027FB,SHA256=4AE5B5C8D38D38B191BC9E36977F3F0C0C32B2E53CF6636A51088C3FEDADA07B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.pngMD5=0F2222A9A7DBB746AF8D640A799C8DE2,SHA256=3F8B3F4BD84F6D5B0CA06767A568212762B4CD53C608509B52BE7E6454C43A04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.pngMD5=EBE69259B4FB3C0E72B894FB65504B27,SHA256=DC4503074D35ED67C42111C33B6BA948E88564118CE3738205D090E9C0F3461A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.pngMD5=3DE38C0881D4572F7A3DDA2384F440BF,SHA256=6C0D64FF898C569D304EA67B39E5924301F5970214206B51C97EFE1C427AF15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.pngMD5=367D9A646D37AF283C5363D598DB67E2,SHA256=275E0E50BB499335865E29EF5D63317E765EC331F306723BEFC09E6558F62F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.pngMD5=00131CEDEBFB3F6A40E6B082DADB331D,SHA256=65B2CC72EEA3646A2CFD2BE61DC4FA7E41009597C0B66594C845CEA520A1BF22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.scale-80.pngMD5=361B0A10446DE08A27FC5BA1D947C50D,SHA256=C47F68B70C4B2C7BB0014D81C31FF27D8B0CBD056468A0578A0148CB9358A5B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.scale-180.pngMD5=D1C19DD06F0DD2E43924576766F90380,SHA256=43088F7D19C7FF4D8966DDF42A8505D25B2A4BADC635AF2DB9216A9353BCBE65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.scale-140.pngMD5=F686CB1073C992D60AE9BC174F197FBB,SHA256=89AD4F61AF724989D9613002E05B4044020C50AFDA67A069DF0441606B28F2C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.scale-100.pngMD5=B34C89F1CC6F96C9BEBF66F0838F268C,SHA256=F2381ECC56884890A874F50139F6CDEE2E289D5A563B82F057F4CB299D89B2D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.pngMD5=1893C64E3D131CB390F5403E50F4F116,SHA256=4A69C8DDC64C526C211784DA04E8F5BFFE336BB958FDCE27DD06583B75CFD551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.pngMD5=0845166D45DEDB09BAD12297C5C1491E,SHA256=6BB302C13758D333EABD457A83253B0B684A46F31631D8EA7FC887683D017325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.pngMD5=9A6A627E9852E4BB0F0024C49EFF034E,SHA256=98E9993770A6E22A18A87F1F5018B0B4EA8C374D04D5C5F4E015816C859F1519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.pngMD5=034F1295A29E8E082FAE093249999E0A,SHA256=E94CD64810C7799397B2FFCAEE0C73F3D4600B08DEC86167AD905EDCAEFE28B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.pngMD5=340478781BA7130C515E515D3729A8C4,SHA256=650F3E84C3667E5A76D963D9FBDC38548F96E0650D0EDE0FFEDE6B079A0BE28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.pngMD5=0DF67C942B844D38D56631209A65F35C,SHA256=F0EBBD4AB4E0D0810009E7FEDB903AE4DFB03858F15BF742429B008F2E7229B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.pngMD5=E4ACBF31C7491F01C2D4A6EA62C9AD0E,SHA256=55123028CA1BCE445E1DE3EE10A2734621D198B223A37ED081D32033F2DFA18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.pngMD5=C1FB7C3E9013817AC86DD6434F2C326E,SHA256=0E2CE6CF8417E97892A3449BBCC240198D72828AE210FE6F3E1A80823F3CD260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.pngMD5=95EF44E6960DEE3C04F6752DACAA54AC,SHA256=D37CE140C81FE869C5F1B3AE49CDF30326338C00F61229FBCEF95C1D19FC2471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.pngMD5=55DE2CF0707592005986768A3CE93135,SHA256=3F904C853E3B386E6B33B589FCB53565C17F22127E6DD33BC3AC69DD4B88D6BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.pngMD5=71B34E01EDB94042B75D6083D6761A03,SHA256=5EAE3CCC31EA35F9782728C725C194C42F852859AA4240EEBAD37555FD7678A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.pngMD5=D1740185F5CAA2339709C9C2B99F31BA,SHA256=6358464522F1168D64D956E87C5D7BF9AD6B26B0585F5C11A001010E458C4F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.pngMD5=7EF7709AC0D8817C3662177351A9CEAF,SHA256=7D557773DDD91B99B2F8E3B8143B5443D18DD1B84EB7F5F78FCE6075C4E5CABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.pngMD5=A58213CD2A2E0650839D6525EDCFAC44,SHA256=379A869C8329F8C2166DB26135F8581AB44655DC86488E572267E1AC2F06A22B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.pngMD5=3DAD6AB27B511775EDBA75F96A794377,SHA256=4F2B670CCD930C02BC5B535D44D66D708A55442346753E3393478AB9DAFAA761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.pngMD5=B18BD50C089000D95FC60DB43B55FA22,SHA256=AD8A75E6852DA75726DB6F993AF617E2945ACA6BDD7E6D5BB503CBD111CC9ADD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.pngMD5=A4C2A4EE2B28E6E751D553BF991675D4,SHA256=94556B63D4B9056140721657DD39A3C0FD439FB4DAABB11E427F139E8E146251,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.pngMD5=F55E73EA96B8889194717ACA3823E334,SHA256=F3911F378E8FBB002984B39A9237AFC0A79B8265A168AC18260295F6628AB36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.pngMD5=98211330E27C9595BDD6D1766C175401,SHA256=E0A292536A4B7908CC1BD87E4FEEC117A321AB50B2D9FFA92882C60C12DDBB85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.pngMD5=37A9244AFC01F351012EF837C721E3E3,SHA256=3F319699BEF1922882D7BAC314978011E1E39C53F09AF5EEAD4E8926C714FDB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.scale-80.pngMD5=50961BFE7C6C02BD17FA086F0C9C4B8D,SHA256=CADE4FA7A67144A20011D6E9BF4211C13CDF094595916FA7FB47A4F75D853617,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.scale-180.pngMD5=878E312655DD489BC328BE1068A5887C,SHA256=2D9E4943027B02BB7F774BB8DAD2B1E9BA0E455FEC0E89A19B46109D0900B645,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.scale-140.pngMD5=7C435824B4DA347817BF63FDC32ED33D,SHA256=00B3C60961EB027A61568CDEF8F1D04DE4FD3E192392F658892B77EF82CADA03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.scale-100.pngMD5=5F5A8D21711488E83B0BD62CFCECA5F5,SHA256=1540497E79533861DAC588D8D010EDA0FAC729FF51D43E3095E71BAF4E637CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.pngMD5=A2D5B596A61EE7120A2C49953B79FA3E,SHA256=960C634CCF1BEFA46B70890FDFBB8A8C555D163A8C212553F54992BAA7459BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.pngMD5=7A35956DB6325F8A48C1BC2F354A4BA7,SHA256=EE22FB3714FAF7D0971759291404EEC6743EB189961872D8F8C4C689ADBE8324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.pngMD5=C15915D01DC597155936FAFF86FA3C1F,SHA256=FDAEAE3A907ABD1A231F95DF85599269D053B5557F59B32D35CE028B59298BB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.pngMD5=CE5F783328CD025C65B98876A9F3C6D0,SHA256=7D7F9B815B1DB2E5249FC672B5F24CADC630581887C0CF2DE3CCA63C21FFA690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.pngMD5=4C87AC1FF734F5928D883E7F71F57151,SHA256=0C3EACCFCAF0CDAC806D3BE50F6DF3723F6063A25EBC5512C5189CC0DD5B62AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.pngMD5=803479B630102E43AD88F2B2C3BED731,SHA256=5A10D9711F1DD1A3C6F7C975D0E218749419B83314E367308218AD5F524F1654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39189E2C321FCAC184CAE3EB6337FF72,SHA256=B3A2E39DED68E7DD8E27F8741AEF0ECCF29E68103205C8D4AC163169439835ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.pngMD5=39277001D9FC16F3A4D53D25621AFAA8,SHA256=AC8A0F3F72805B151A91975CEB19020553B457DC97BDDC358600567E709BA1D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.pngMD5=FAF5ACCDEDD36DFDC310BDC015A7276D,SHA256=F9D1D301FBBBF9824E869E5390EFE7FBF78E0257EF4A08B6D936ED4EFC480E2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.scale-80.pngMD5=B0629D0BDCC51AFCAE91E320B56F9766,SHA256=DAD7B0D8A04BF94355A30DDEAF3CCA1A7F1FACF277CF49A153B69F1671CADE16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.scale-180.pngMD5=04B841EC9F85F0471A549212CEFE025B,SHA256=3D2ED023AB0FBCFEFC800ED605926AE0927A9D42A200A2B700BF43F41E3E1FDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.scale-140.pngMD5=6D7B278CA4F507CFEF0789942CBD0844,SHA256=74D493C154DB7C74D190733153CCD58502D633DF1338E3C255F28B629AC6A6D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.scale-100.pngMD5=D6F0BA785BECA9BEFE0DD963E13C1266,SHA256=835B10FAC7B1E3FAD419B89AE941C09DE7E9ED98BDCD79DF9735B660CC8DCA19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-white_scale-80.pngMD5=3721AA15F100379D2EAC47BC8E8CC527,SHA256=FCC38626BD0C1FFDE678F4F7F810C6D98FB2CFEBC300B9DCC985142E4055041C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-white_scale-180.pngMD5=6401ED5AF8DF66B7B7DDE6E16BCF5A7C,SHA256=B7362B1AE85AF811069F60FEBDC099E7DABD75CE9F4929BB202D395B22C5555B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-white_scale-140.pngMD5=D684BDAFE90CF23D754D135413E348BA,SHA256=3C4443AD15F50AB0BD3F6439D1A82914BDE2A4053CA4FF93100D8FEB404D6933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-white_scale-100.pngMD5=248CA78B650FE42D4A0952661C8F289A,SHA256=9D7D089FABEB94C827204524F3A082A76E23F0B29B4EE9E71E98B1AF8334C964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-black_scale-80.pngMD5=7F32BC109C8407CF0827DF929700111A,SHA256=77A14876DB2FD9AF17D830B66E33B5ED40B010CF90EA77592B9F88E6450E8167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-black_scale-180.pngMD5=D0BB4B272E18B6DAF4726E0A907AD69E,SHA256=0392E20179E586C79B99E34F6F5825C33EAB8AEA51EC453BB712EA1B2F8035F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-black_scale-140.pngMD5=094EAC23C9DA5E6F86CCA49AE1251151,SHA256=192ACBB07B23C098C0FFDDC81E93CB10EC99223A1398055D9D24B6A181119868,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogoSmall.contrast-black_scale-100.pngMD5=F9C81E76096568BAB3E6EC7B04EF6C08,SHA256=BF75E15CDE168B96DC5A3E659F7CDEA92FC024020A8BDBBEB9DE752E53C78E6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.scale-80.pngMD5=5FD4CB879FE9C28CD43979267559C3B4,SHA256=1E6238BECCCC47974F7A474B15F436828B6B7833BA91A67579E8D4A243EFCCF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.scale-180.pngMD5=291FB560591860C10EAE66BDA8AA4485,SHA256=C8A0F308E793984F42A1573BAB857757114F3CC06E0389635A51A29598C87DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4727629B0A9953DFC2AB42B1A7348F,SHA256=79F12FF05DA1754D68C78EED92C02CC4C277FD326D6AF33E0167311282C5FA67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.scale-140.pngMD5=87648B6BFE090655EA2191BAF26EF89D,SHA256=3A51F1D0DB874D108B4033799E70A397EEA29B9020B44FED34B5B86811542086,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.scale-100.pngMD5=9BEDF2D3394137C6C4A601D169D3D175,SHA256=91CAD8F8D5B05FFE81ADFB9652E64E8F1C68B9123E1F58E9C10655B8CDFC437D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-white_scale-80.pngMD5=9C2DB90A2B7A2E4D80685009AE90E371,SHA256=414D3EAEC7AE95FAC6F8801C25E0E9964F1FC9D2BF38E40A821D49694BCD7876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-white_scale-180.pngMD5=A3E244E74061B98FEFA4D00FF2F43AF8,SHA256=B95A08C2FE1506DB0E4D57879D95C991F8624ED16E8FA08B2A692239AF7DE0AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-white_scale-140.pngMD5=0B8BA7FEFED82F98D6E1BEE660E7E6D8,SHA256=A19447793D5A83F38086E3FBDB29A388F2A9AEE6FA781B6E7C159FB0C42ECBB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-white_scale-100.pngMD5=A7CF70D205BF4E24911F9BC1BE3A9A55,SHA256=1811AEF9698FCC521E629B9172CADED7C0531F5676F6189F12DD3C961D765977,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-black_scale-80.pngMD5=6D974EABAC816F55819EC9D80FF7C44B,SHA256=76D2AF1C2092EDE7E1F9CB20A910C746FDABF99593C714C7F120348C375CD323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-black_scale-180.pngMD5=DC65D65E35B3D19F3A08554AF53D1BC1,SHA256=39BFF08CB104F901C6147FD9581954D12D478A60578601A211F5928A4C2C94C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-black_scale-140.pngMD5=A35D8C5C54DBE3E35B3D814A4C2BE881,SHA256=5DBE991A7499BB044019F9B06E29E800660C2EE47DC6CE156F6B8D2F853D2B8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OutlookLogo.contrast-black_scale-100.pngMD5=378280FA129E85B17488F56B5B17D556,SHA256=92AD7F5A222106986E309C098E3C175B3167149A74390BB34FD84F91F7FE574C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.pngMD5=6B4776093A6C7B95F0EB002630FDF24D,SHA256=CE27C6E252771E689A49ACB352729B363D55C9BEBC94E5628974D5BEC89BDE9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.pngMD5=1BBC9EC806903B18DC7B692996C4EC2E,SHA256=5CBE63C0B63414FD8BB54E83A7288ED2524691962B58C24BD2D0289A3BB4DEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.pngMD5=6643CD89D2BAC4D0D27B9EDA18FBEAD5,SHA256=4AD3C34A98840C56328D4DCC5DCAAF31D8C20C297BDD66EDAC4D2C62FF039C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.pngMD5=BE202178E8B1DEA4402FDC7905A88E1B,SHA256=A0519AF5743955C05D10185108AA514EDF530617627D178C4120CD1D4AFF2BD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.pngMD5=73DF47627A2A8DEB6AC23BD314EAADB7,SHA256=81E56B90942AA9C1BF2135B8E8755336361AB87C5B77FCBBDFBBEEADDC5135AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.pngMD5=CAD3ACAEEC0AEC1A61BE6828E1C8B93C,SHA256=8324BD68F8AACF2ADFD61377E68BB1F01EA4F4FB7F6E3A2F3CBB80FD288AFA1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.pngMD5=2E38AA0240638110F36285CAA840055D,SHA256=C893C4E9D9F45E25515E85BD767408E2EAEDF84D8A8EB60048CCE400EC3E1E95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.pngMD5=735EC015D03B889667061405330D8150,SHA256=3602802E5DF25AAD6DEFFCD041B6F8A981E860AB17D647A2AD8AE798A121E1E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.pngMD5=A9F6F93269F2101309AC1EE0E1DE6DED,SHA256=A22D3600BDE5615FD3A63EF8747D9E656CBA6B14A36715EE07FE28B54DBE2662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.pngMD5=4EABA077DD078DD198E46383E20815AA,SHA256=2E224384FED3EEA51A962FE7A2654A85137DF3E1BEACA8EFBD252A1FCEA6A124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.pngMD5=C9DB64A1F884D8674ABFF7EB9D1D821A,SHA256=167F16449248875A1268F375115F98BBEF10B99F218FEA55737AF4A18E92B19F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.pngMD5=01B23714E14B8935A2CA216FA506729D,SHA256=E17959359553EC5E2EAF5D23118D3DD57EDE6E68C3EF9396B5D3D41C64BB08FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.scale-80.pngMD5=080A542CDC87274379D8DF1B2F018DCF,SHA256=A3077343E77DDEF5456F92993C39C2784F1766814F814B638765AD6E173116E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.scale-180.pngMD5=AEC890DD2134BBFD6A2BB802FB7DEF44,SHA256=45AB08637BA9A3CD15C5ED131D1E52BBD2D318A00071FCB0F16F9CC88F38DB8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.scale-140.pngMD5=2ABA6C94491AF7BBD7027A715B9428B9,SHA256=4EB0E565697C92892DB7A99F4257789D414D1AD5857A127DA51ACC7A499675E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.scale-100.pngMD5=71936268DCF1F12F2DDC125E35DE7D44,SHA256=689DD127E4B2D3AE0D7D15B3B54042CB298B13188B258BA383B5241549E14113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.pngMD5=824A47D351AC836B76560C20D2FE316C,SHA256=0A74E63C65C918D27900847E6A7817E6E66BAD5CC646D3BE6C0A8106D89968B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.pngMD5=871714DAC1131B6A561D567A5721EF31,SHA256=FDD86399C9E9C6AD07F661837E4D6750606F8E47DD58E5D5F1154EADA1F51B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.pngMD5=55BB93EF854C8C6A1AD0D7F95A75EE82,SHA256=88F52A95698C96192DEE1BB3BE39013E3D48480067E5F6F5D912A3749B1C137B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.pngMD5=9377E6CCA1F425F90F80E71D1DCC5CE2,SHA256=9F3685555FA940D403F472762250805348D5C9ACD1D7EAC3521D5C4A171D2BBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.pngMD5=1BB19B361800DF2969CD1612DF6CC1CC,SHA256=DA9DC973384CD6688F236D2BDDD74D90EA7F417D95262B2FB0DB33D0DFB7A326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.pngMD5=24DBF664810C6603623F838E56A60CE8,SHA256=65368CC8DAE8BD7CDD643D85F72616CB6BA030CF7A54C774AC5A28F18D12F3CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.pngMD5=3DF87769F728CAC6C8C58C9CD2A7BEE1,SHA256=A7A1D9074C0BA71E07653EDA8B734EDF32F003214DCA3DD07CDB5014300970BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.pngMD5=566585CC55FC9DFB0F21A091839EBADC,SHA256=094DB39D6AC24C50866106188CB150D5BAE5D157AB1A5D121BFFBA1D2039F34F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.scale-80.pngMD5=C437447AFE2FA4806B9ABC2F9B88B846,SHA256=EE06240C8D3EABA15A8F139CF49B7ABDE74BC28F46A85F2BBF4E7C48F9C4B526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000447975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.854{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.820{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.816{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.808{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.798{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.767{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.759{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.754{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.752{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.749{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.745{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.744{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.740{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.226{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.225{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.223{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.212{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.205{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:22.189{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E00BB22F855DDC7FD35CAA3C44D899,SHA256=501274B023C462D4644318DB5973516D00786D3F4E699DADF8721846B96C8F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.scale-180.pngMD5=0F3D09A8C6CCAE88BCA493848F612C70,SHA256=DA6192F16FC2E8E062DB452BA749A221A2EDFCE2B0A76CD632B9516DAA583CCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.scale-140.pngMD5=B5B027ACD364A0566B7FDAE43C11F372,SHA256=A0722C84279BBD2C213297F0D23E7C21B033187BFB85B98B852206CF07DD1851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.scale-100.pngMD5=BADC74E7620F1A9D23571B94E503ED3F,SHA256=C5F2B31CBA9BD24A4623B1B7E302130264501BC52EA82F902D86499A87984288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-white_scale-80.pngMD5=F541F8AC8404F213CCF422D998611555,SHA256=71983FB0606EA94F3EDF67936CD37C46CB4BCC66590E4788259F32471E1242D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-white_scale-180.pngMD5=92C7043AFC9BBEC0C2A8921E27166EB8,SHA256=1D37D36F28FD3EFE13A6F93BA379BC338B01654E3772275D05726BFC78EB71E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-white_scale-140.pngMD5=E2112D78BA1214448C9FDA30CD473432,SHA256=573422D3B55DBD92A2B1A896D829F1EC82039039787A1BF842544CC1DEE4DB22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-white_scale-100.pngMD5=E1E166297CE855F1AC0F6F0C5D2E9383,SHA256=594662795BB0275D5A7EEDA382E233113BFCAF36D3381E6526C1F78142222F04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-black_scale-80.pngMD5=D4CCE87DFE51705B258174FDF8A302F2,SHA256=F138100BA521C719267C6AAAC3648E273F5A872D8FF82143C6C224594875E2D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-black_scale-180.pngMD5=0A9189CBE1AEDB3EBDB7B4182A9E0268,SHA256=E2DED829DAC46B1F70CE22EB9D94B1F6AC0B9453A3B02FB13EBB93D29B66636D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-black_scale-140.pngMD5=F72BE2DBD97C930589096AE3490670DE,SHA256=D98E6C85CCA76288C144DFE6B9359A26299B3D89A9089E93D146DFE6BCA62FF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogoSmall.contrast-black_scale-100.pngMD5=4B8839A0611CF0F6A94B508BE34884B4,SHA256=6C7FB0E67EC05FE021EE97CE1141FA83401EFE4CB2ABD45FC5100A8158B63E76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.scale-80.pngMD5=574A9FA6050A34A6C2609D4CD7634D24,SHA256=7F0B32C10C3D0BC870EDDACCD53DAD6B12B0D3EB0A3A06ED6D5823ADFED770F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.scale-180.pngMD5=DE715CC52133ABBE6BBC9C5AB8C46E52,SHA256=B3F99C3AA5BECE00C35CEB1C5E60A24C11B2437DEA76030647DEE5D6C751B443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.scale-140.pngMD5=F4EAB2E3FB47FA94FC020529E97081B0,SHA256=FBD2B50989A571B331437860F946A364BED69739A0B19348C28A320A356CA6C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.scale-100.pngMD5=1DF18BFB5B09B1705B87DD8B2321FAEF,SHA256=81ADAC3FB5546F2ADB277949F79C6551176577DE46324EB234EFF75FD9AE701D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-white_scale-80.pngMD5=12BBC88A965525B1EFC36FA7D42CA9F3,SHA256=2E78FD77B4EDF610AC7CAADB36D2B3959EC14CD461285F72324E124D0AD25A42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-white_scale-180.pngMD5=936DF3B66000D610CA3B468CCA3021D6,SHA256=F9EF35493602567E584DF68143D5ACAA36A141B5993B87D2EB5CF16D725DF03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-white_scale-140.pngMD5=5F4867CC4934661492A52487F639AB94,SHA256=9C5D743096116390DB03307F5EAA662D92961048F9F822B1114C97D1EC806788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.218{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-white_scale-100.pngMD5=7D24DC4F9FDA3377B140AE3E20F6ED0A,SHA256=6A6B24DEC0C761917F40888813843C04FCDA945906A265A86F624F9F836FAD69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-black_scale-80.pngMD5=F8C1B954E81A127352EC04FE6AB87E92,SHA256=1DEAFEEA6AE75FC2506671F80F5841C79EA892A350ACE4B7E06780027B564EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-black_scale-180.pngMD5=931F2508277AE19BAB1D3B0700F77288,SHA256=275863160C9348C250B6C8906865BA367B56298F6306238F9A06D488E6F87660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-black_scale-140.pngMD5=2FEB9632A852212EE33AC57F9B0B4D89,SHA256=18DB7ABC5E50F5594D12E76CB218138B4FDE0A43288F093036E5682216F57129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsPubLogo.contrast-black_scale-100.pngMD5=00A6A3F442537761DC6478ED97BAF64B,SHA256=64B5248CDA7AC34F85C4314475856DAA7D195920003A0F3663952800CC038F2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.scale-80.pngMD5=CFC5A4016FCD730976FF61DDFFE62ADE,SHA256=477B997734696EF313386A3A03D584B47EB0989E711AD868361D00EB22C9830F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.scale-180.pngMD5=2D569B98230D27BF9E73A2B55C44B50E,SHA256=4098268DDE5D76F104A49ED33BEF1387E1DB70305B4E023469A1C169B94EB35E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.scale-140.pngMD5=8EE9094D77AE761BAC6D993558BB9003,SHA256=310CDA37CB498228C4EE3C86C6A142509F2856C89C5A830A13CA7913CF6DCAE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.scale-100.pngMD5=3BC1E3A441193CDF8BECB6D129C4A440,SHA256=34F031E8596CE72694FA9D7251A819BF3B67E56367C12E728336891CF78EBF3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-white_scale-80.pngMD5=457DC1CFB31EE0106E4D9279557D5BD4,SHA256=FFD5692C9CA4ED970A2E2EC84C18F0D56F1BA2273B2F1877BE192577B78F0C21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-white_scale-180.pngMD5=157AC8BC5D106B451058455218EF7D50,SHA256=E2DF2276F4DA206F05DC835F1654861BF8449EF887DD74092192316C023C01C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-white_scale-140.pngMD5=B748218E328472641DAD94B40ABD29FE,SHA256=0F5334393E4A39F56A7AB3CA13A67C02B11CC923959911236FE4F08DB50A6090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-white_scale-100.pngMD5=827DAA82A219F613D7C57D38A45A2F32,SHA256=6ABA2539BD12A8913977ADDFAF93F50D0FF5765EC07EFD45A8DB6642A147F11B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-black_scale-80.pngMD5=3600F796B7B4C9FA360CF48AF3CB7165,SHA256=8DF5C4475F557A09A11FD832F12B9927BBA4CCF58930011DCE96C7E8DB09460C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-black_scale-180.pngMD5=D9A6E42D136C261868058A59FCCE7395,SHA256=C870C14D4903A547BBDB0018B2B8F5063E9A4E61E6E92E9D217D21FBD633A0DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-black_scale-140.pngMD5=869890D132C74B6E9386D8AE6B9B7927,SHA256=C453765272EF375BF5D86F2FEF0BB0BA79737128E651F5760915D6F54851EB0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogoSmall.contrast-black_scale-100.pngMD5=C2898AEDBFAC907B16BD0562B594389F,SHA256=1EFDD160E0E6F6F6C83CFC54A9488C070EB9772C29E191285DB893B7E29A85E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.scale-80.pngMD5=37E8C1DD32B0063A0FE5D9599986B9CE,SHA256=ECDF9F92556FE2CDDFF664CCA2F8CC97022DD951F80F8A3841C56B3A792A8487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.202{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.scale-180.pngMD5=AA5C0F74D4F081BABC857B8DBA20EFB0,SHA256=7B3BD7B12A9B312E53AB376691B506DFC5E6706530C4937E4AD240083D669DF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.scale-140.pngMD5=B5185527994F6D7549A4A02BA5EC9E3E,SHA256=D01E3101DAE535D9FE791DD200C387F8D334DA311D8145E333642BA0FC3CBEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.scale-100.pngMD5=225574D43994DD6B14230A97EB4B249C,SHA256=33B8F98D0925EFC375264B627E53DBA17F14E3874DCAB5746F62415DC63300DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-white_scale-80.pngMD5=6C42B5259B74396BBDEF4B3E70D703EF,SHA256=B39C865648A65D70B4451445CD5BEAEF579AD964635C68A4433407A62EA85008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-white_scale-180.pngMD5=42150177B8EE835AE387B868A98CBD27,SHA256=6C2FA00EF9E896F08AD9C8DF26FF3C14EF652FC3143C6F9525ECDAC04DA3CEED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-white_scale-140.pngMD5=3F1A90D9370FB08F83BD355891B28B3E,SHA256=DB8323C2CA0358C8EF0ED474590256C291E63DD376CBBD678B098123F9EBBC81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-white_scale-100.pngMD5=1E0E88203048A0EBF44A93A32BBB0CB2,SHA256=73CE25E12D5F0B72D747DE78402F35FA5199B91868EF788BF52C3F3D4BBAF544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-black_scale-80.pngMD5=D87A3C3E80E3DF0B83408A2B939B5616,SHA256=5353A88039F3F9BDEE8BDCF0C68B02778581DDD643EA18C1709D541922376372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-black_scale-180.pngMD5=082831260D1812FE140F760D4527E601,SHA256=29E0B22D36BD2616FD20082890788253B315ED8202BB438DF2FF8A4FAA516D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-black_scale-140.pngMD5=7C6F2EDBDAB85BC42F88FD1B180BB707,SHA256=47EE3101FD57150E6E850D22F7181B1AD8353DA79031C938C89E85032292D0A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\MsAccessLogo.contrast-black_scale-100.pngMD5=B020E6BF16DB82B330FB59EB92D34805,SHA256=B5F40B2A6C020BEF77E3C421877C4ABBF7D7049C50A42F30AB70C16387919EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.pngMD5=B2F960AE0AC77388BFE45381FB55C662,SHA256=ADCCDC94797DB96ED5061F9FDFEBEFC1AF845929770B5BE1C4006100FE1D991D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.pngMD5=728F41A33D79185311B3F80B446304E0,SHA256=138A9C3F8D6CCD0B2A46EA95189E1C41D950F598EF14F7A177D22BFFFF71FC56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.pngMD5=C64605F46EDB1738D056A71F795E8D74,SHA256=43F59168B69B47A24D7F8CF8B6EF1E0EA5D4471C8ABCF41538212617B97B70EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.pngMD5=C5D63376C30DDD4BBB08C5E99F95D18B,SHA256=DD78340C875DBEAD3E057384DE6EC6EE2562F2312AB36E3C2CFD0A1522107BB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.186{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.pngMD5=5A23770393C4B27CE78B548810FA1E6C,SHA256=88369DF2EFC03BC7A57DF4256AFD8906FFC55C98FF6633E3B94A43DD70C66C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.pngMD5=804D91E73E2EB73FD00B72535B53E67F,SHA256=57F002F28FE16FB4B010D4853364AAC12DC98C2B16D25418260986AABA674981,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.pngMD5=7B4D5504770061FC0E2FA0B910D6C929,SHA256=28D557724ECA583ECACA85A6173CF1A5DE55BAAD40450D8F8ABA8081B7AEE9D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.pngMD5=91D8C38EF4FD1C5657C72701D80EA320,SHA256=0F6796FEB8051CBA97BA5AB12481496E654104B62E144351E25117B5EF70857F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.pngMD5=C40E184DE770BE3A88D8F81E00AEF44D,SHA256=EAA4D952485E509695B0D3035F5E0CE8B9FE76BC1006BBFA11AC6B18CAAA9583,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.pngMD5=49DF5C324AD6CF0AB41363551F83D790,SHA256=3B8CCC0B7CB196AA71016B900A3A5B9BCCA38018D1305C57BA169CE726780CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.pngMD5=E958C73EF77EFCC4D4D2574720369E92,SHA256=D42365DA8506F9ACBD428103DD38DADA366283966080EBDDF0010D42FC9FD039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.pngMD5=F93D3BAE51A5545E34DBD0ED2DA67DE3,SHA256=97BBA11C3DC559EBE68E0DB3B673512BD06A453E4D13FF9C4989C152BD2822A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.scale-80.pngMD5=FC51024EA87308701A8227A24C12EA2C,SHA256=0A05F8D5863006C42F9A876EB6BE99F7713E5F3A8901E3DED817EF2A9068F8A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.scale-180.pngMD5=1C371AA122D4011F85039C5D3B7B5931,SHA256=26BB1DBB0AEC9922EC1C71215C4D33F164A91965079FBD976F46B2640310A058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.scale-140.pngMD5=A748D8EB8878DA963ED01A6D1A4E8DA8,SHA256=2BBE8B4D878011A522546E12E812DAB267EFA43DBC323EE6C53807D7BB1F8CE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.scale-100.pngMD5=6790252517ACACA6AEE66B7765165DFC,SHA256=17E01C86794EDED6B8EF959DF22597219EB002DA9F5B5753DBD5DD6F0F5F1049,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.pngMD5=66E8E5ED3E538E4512CC8B762C15C17F,SHA256=5CAE84EF92E598D6497A26967787065E43876CA48C580B4FA49E3C980A8395DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.pngMD5=8FB58F28AADB47F58DD3311AB094DA76,SHA256=C7E34A0159C728DCA10F367DCF36AB6567218EEBF95633AEDC4365D5BB2F56BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.pngMD5=8A39E7826CD0E697B2010E707CC7E6F7,SHA256=2950D503B0C6C6DFCA5BF7DE8C20578BA84AFAC489756FCE629BC6BE8F8C0F59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.pngMD5=61370B2C646491FE36C6B83DCFB404F8,SHA256=6E12B8B1A6D4E96827C2B11DBA7A732229A8BB2A54E15D6CB138BCD1BB09FAEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.pngMD5=1CBD5F9DE2BB547FEA63ACA192C04573,SHA256=E0F8AAD0790796753E998EDD587D7DA7B5E206797F73B0A02933EFAEECC89439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.pngMD5=A3A3DCA9099A69D7DA64B64980497AC6,SHA256=099FAD985652CD634C4685ADAC0811A8E48F4F6CE3B0BC00DB49903FDAA89B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.pngMD5=374E2729C2A825A1464629E5196A5CB6,SHA256=D5B202FDF17200AB999958AD551270D33DB7C89CF2041630CC35018435DDA3CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.pngMD5=48B6E8658EBEEDCDD74C78F0DF460A1D,SHA256=B2CD672A6E6828FCD0F7065FA6B7A002CE8A25AF40BED0BFCDC8C0AD1E49F2C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.scale-80.pngMD5=D382294A3ECB55BD57D3DC909AF98564,SHA256=9F7F8C3786EC9F2A3193590D1A16DC6FA47FEF51F03DEB3D652F0606456469DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.scale-180.pngMD5=96CAE17A79CFECBEB0EAEA2A30F76FBE,SHA256=5A5C56797F11DA1267858746E17FC52A8430F7DAFE0A806C35132B49D7B39A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.scale-140.pngMD5=5AC4F25D855CB30838C04A6839F330BD,SHA256=3513D01CF34BB7F73F36A5ED4BABD2E659201C8393DADDAC21A1E9E341328209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.scale-100.pngMD5=B62085A570A4A12E46A3DD73036F7223,SHA256=F11FA2B1DA1CF6EC4C5F2733C4164CBDE2B3CFE9A8F0C256438E4A74A5B8C7B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.pngMD5=C6A78E35CBE5185CC135359F79A69AA4,SHA256=DFE62BC935DAA6B2F450CCA0C841E19976930D3E7C46408A501D47B78F2A5728,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.pngMD5=810B1673F874543AB2D279D7D9B1AE0F,SHA256=9E2234333959CE12066FF28C8BECA24A750BF76BA77A062B68F1BC8F20695162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.pngMD5=4E4AC9B63C05E2FDE6712F91CD7FE712,SHA256=154EDB9CC6FFD1771E722CD755E4CE512EFFE5B4004CFFF3CC7569BB5AF9250A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.pngMD5=D234C94F02FDCBA983FBCCD6CB44F064,SHA256=3210F382082C1CAE1CD571F31F940A86B0B0B6474C8C0358C31152F3225D20A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.pngMD5=5B89ABB1156409BEED4653712D55913C,SHA256=C883FA89163269C2849ECE292A2D68E6BF99F1712B115EABD22AC6F2EEDA07DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.pngMD5=E6B5FF7340FEE416173432CA1704718B,SHA256=F5F16AE486C4ADED936B567F2CA6470B6D82D1379D5DFD83A1CB8516780B1063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.pngMD5=B44EA9F00213F3713FA4303435100293,SHA256=5AE3AF0AC939789158A209C9906BAA01ABF8BE5494F01F816E1845F7D66CFF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.pngMD5=2D488CD53F9BCDDA85FD434C41B05685,SHA256=9F9088F082D3E30E1E3E781A96E5064DDA15FF48070709B7D0578ECB9B439EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.scale-80.pngMD5=920D7C0956F13BF6A8BE728424E1F016,SHA256=51DDBA29F8ECD6E2463B2A873CD8B0FD2496397771E07226781DFD7A5BE46462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.scale-180.pngMD5=75CEE77C693978E0B54AB3D3E50B43D7,SHA256=D3C63AAD20E56400497D85A52298E259F11873D873AEAD6CF0A7725487589498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.scale-140.pngMD5=5F94F3ED8B0D992E9CD85CF2E8F5754A,SHA256=A581AE91A55071E05177998A19A1FC0E7CB1CC1CFC9D15A3969DC1C388B38993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.scale-100.pngMD5=70F66A51A595B799CD308D5A6C3C4AFA,SHA256=5E3BCEF3B54BCFE0038B7CBEAE2BCE92B6F953F69C2B8EDF5C66C807B2BA2875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.pngMD5=BE801F8132ABBFB76001C885176A9328,SHA256=EAB08DB0CCA71BB973B864B45CEDF95D842F722A319EDE055A894079360BE1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.pngMD5=CF49F1C4CF62D49170CFA86698946CD0,SHA256=61F8C1E164BD2E963A2E45953C53AA88A321FE12253512DA0D8C45EB84C62B99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.pngMD5=896E7E6D5D83AADFADF1A551031AA92F,SHA256=5812EC709E1A8EB5BC461D1ECC694FEB9E5AFAC8D0D9A0AE9B061BBCB3543856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.pngMD5=25FA46B7005F35C5A6896E38136AAB2F,SHA256=90EA48B01D81A47C80BE2F8F208E11FE827E68833A83922152B6DA37B8945FF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.pngMD5=A968F7B79074B165CF9D3FF3119FEE19,SHA256=27F1371F3691AB3C406C9814F341C1D6C67A77B68BFBA2D05E594EAE5556A791,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.pngMD5=546430D9213D9C9711AEEBEFE262CE69,SHA256=93DD16D28B39A26FAD399E8F26684A09468E0927F2D9660B4B30A11D9326838B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.pngMD5=FB6B1BF95648FF857BC7840547969921,SHA256=CE2EFB4A852D5C7C6B88C0B9FD69F6763EF14AF9D6401E0EBE75EC4C60BE5860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.pngMD5=DCA7B42D5D983AFD9473E4770CB20A2F,SHA256=640EBC830E235F61B5BE466250DF4FCB1B00424F49FA1CFE77719EC5290B703F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\TPN.txtMD5=3A9C1A856B2DB78FE2CDF46CB502C678,SHA256=D8564EE6E00237DE21DEF152C7988ED60FA474EFEE31835CFE5D913516E1CC6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.139{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\lpc.win32.bundleMD5=28539F9CE863DC0FDBE3F3CE5ADF57BC,SHA256=E6F9D87ACB8B3684845F1CC173F425FAEB28D4FB6954C7225B0134B76E90C485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_logo_small.pngMD5=D7838C32A6505EDF01B3C9E4661EF745,SHA256=96FE970DCA25141CE337195748567EAFEEB7F6EDB4BA7919EF1948A05DF2CFED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_logo_large.pngMD5=32280C53148B8347AE63ADD2385EB8BB,SHA256=3C9947ADB0429BC2B3EA52FAF11EE0134BFAF95F637C05D93BE1A02A90729C56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_logo.pngMD5=09432B6216C165D665680F77528377AD,SHA256=3969C485556F3E08C0DDC0874F9BF899C0F8000C4D2BDA8B3FAF65063F24A6DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_ghost_school.pngMD5=C68093A7FFEB0050EEBCB2F8DA7B79E1,SHA256=76E56FD7F6DBE7DE8644C66C4FE374E97FB2477AE6F6D8FEFCA3F77B97D3759F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_ghost_profile_large.pngMD5=99BE21C24202A0D9A4D408F8B3EB6B3A,SHA256=FBA69CFE37FE0D80C9188934D486E0300E5D5F1DF818AD078E4522E3484F50B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_ghost_profile.pngMD5=CF352AA961FD771E782B06C8A6565982,SHA256=502F0A90BB2C5A51C1CE9AF6A480143E333C3983FE68B1503FB4A3047B42EBD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCardRollback\images\default\linkedin_ghost_company.pngMD5=262888491AB52EEC0C0C930A549FB481,SHA256=16752B26C117D72A57B354D2E6DA44656536256A51EF36CF08B5E6CA91E6D3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\TPN.txtMD5=3A9C1A856B2DB78FE2CDF46CB502C678,SHA256=D8564EE6E00237DE21DEF152C7988ED60FA474EFEE31835CFE5D913516E1CC6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\lpc.win32.bundleMD5=4A792E6E591BA2E61D44F3521886F626,SHA256=5274BFDEE37D4CC54DA9033F37669FFA5938A8ED955FCDE9A93FEB5246896CC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.pngMD5=D7838C32A6505EDF01B3C9E4661EF745,SHA256=96FE970DCA25141CE337195748567EAFEEB7F6EDB4BA7919EF1948A05DF2CFED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.pngMD5=32280C53148B8347AE63ADD2385EB8BB,SHA256=3C9947ADB0429BC2B3EA52FAF11EE0134BFAF95F637C05D93BE1A02A90729C56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_logo.pngMD5=09432B6216C165D665680F77528377AD,SHA256=3969C485556F3E08C0DDC0874F9BF899C0F8000C4D2BDA8B3FAF65063F24A6DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.pngMD5=C68093A7FFEB0050EEBCB2F8DA7B79E1,SHA256=76E56FD7F6DBE7DE8644C66C4FE374E97FB2477AE6F6D8FEFCA3F77B97D3759F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.pngMD5=99BE21C24202A0D9A4D408F8B3EB6B3A,SHA256=FBA69CFE37FE0D80C9188934D486E0300E5D5F1DF818AD078E4522E3484F50B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.pngMD5=CF352AA961FD771E782B06C8A6565982,SHA256=502F0A90BB2C5A51C1CE9AF6A480143E333C3983FE68B1503FB4A3047B42EBD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.pngMD5=262888491AB52EEC0C0C930A549FB481,SHA256=16752B26C117D72A57B354D2E6DA44656536256A51EF36CF08B5E6CA91E6D3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\EUROTOOL.XLAMMD5=9DBBCF43F19D6158855448BE1D91F509,SHA256=C0815D9AEA5F8A5E537B6827734DDA7206180FCCCD4B64C552A5921B73FD0443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\SOLVER\SOLVER32.DLLMD5=30DDBC3807DF5B3D7DB6E578D5C89F4B,SHA256=612CB6D76ABB04D6178247343BEB10849EF5C3300DA8D0422E6F5A9D1CF64F3C,IMPHASH=988BAF2CDC0BCA112E342682AA41A875truefalse - insufficient disk space 23542300x8000000000000000327922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\SOLVER\SOLVER.XLAMMD5=2544A2F714409664B006971FD0BFC435,SHA256=F8D527690B471AA734B9CD7EC5B57A074B2602EF839774653A61B26D28685B1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\Analysis\PROCDB.XLAMMD5=A9D9C501B0108F9B883D2ACDA0250AB9,SHA256=741C17A07F90BB7561F2380BAB0E632E617F1CEDF4F867913889DDB0C3B97493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\Analysis\FUNCRES.XLAMMD5=9F03ED3680A98EA99FCF519DCE8412E8,SHA256=10F0FD1A7F199BC6D90E2ACBA594D3AC26EFFFC04484B3C807F3D55120F0BB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\Analysis\ATPVBAEN.XLAMMD5=2A207B19AAF6EE69925A171EEAF4F7C0,SHA256=436F11813C3244BE8C890EC8DB091E742D651EDEF8E1CE813A2CB8C7F26CBFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\Analysis\ANALYS32.XLLMD5=DA20C0DB24EB3AABF83EDAC5E5C23D71,SHA256=44C0255CB85DA27CB9C728E64B42D88BCAABE8F75BD10C95BB1F365288CBFA7E,IMPHASH=D4D0AB4FDC1158455ED3959C6740D0BFtruefalse - insufficient disk space 23542300x8000000000000000327917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_w1\WA104381125MD5=0520BAFFC5F6C3C1A2DFF66E43A8291E,SHA256=C21BAF2361C66A90D8D286F13A512E4C8514C769056AB4981BF401B26823F268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000064\FA000000064MD5=CC6FA8E60ED94D306D514D9930DEE7F0,SHA256=7E506D1BF14BB32985B0210D703BA426601D18757E3BC6A39E8C52EA9E9D0A8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000055\FA000000055MD5=F9CBC44A8B781E831956274757EBB4AB,SHA256=78BBA0AC4F04FB7B9D85C856ACC8BF7D1AE40FD16F9304A3DA7E001D9518071C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000050\FA000000050MD5=4C962C6A01DE6CD6730F79CC118FCEBC,SHA256=8AEB20EE227BBA42567B8A244D62146A8224616668951338E93C38A050EEC716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000011\FA000000011MD5=AF9F9DFF40CFFA3B0B0C438011DF1366,SHA256=BE5C37EB975A29075826E960CB811D3CEA95FE6704884068E24D3B3E8C8C136E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000009\FA000000009MD5=40BC1EC7439061B13D9CD89B6A5DE934,SHA256=1AAD4D40623C34A59C53F50B30CD22BF5C6232318B88B9ECD1AFCF8B2DF6E526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000008\FA000000008MD5=3A33488A37E745975F4182AC7BEE2D7F,SHA256=F29077F74DABCC7781924E87F7AF76EA58F49884F3AC52FE67123C7FEE2A6B08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_FA000000006\FA000000006MD5=353705F3818AAE6B5D6F798FE04C9365,SHA256=F563876B4842F96E8C531E9634B4E4744D0B00E53CD6A620926808EE07EB747A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f7\FA000000007MD5=076DA17371CF733B80C94ECDBB89C965,SHA256=8D1EFC687FFA121E511C4DA70038B282AF828922D0A59DFA49BFE78A25E9B248,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f4\FA000000005MD5=CF4DC5C61FC505C332FC2020C7F6CF04,SHA256=62C91114E437C3001CD71CFEDF5B6AFE640DA30B4BD8F0FAF9A2F540C85B3C56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f33\FA000000033MD5=3F71F904B7C53B387D9AF57280D37A15,SHA256=A01B236854F8781B8DF1A507E9CF4068808D3F22E7D3D028532A8099E12E5ADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f3\FA000000003MD5=80B1F805BD7C38C87268C31DD60EFB3A,SHA256=C6C51682F44819E777476F76C2B9A9264DED765CAE9720967FEDB829A3E1A39E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f2\FA000000002MD5=40E997A655517CBAA2C893D1FCA40AD4,SHA256=77C53F60B0832B395CCCC7FBC3AA0786212C5055E3AFCCF3C9A56573E7EA9F9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FPA_f14\FA000000014MD5=98337EB879C9965A481AB5CC4C7C63DE,SHA256=5935B71212C78CD49E4AECCD2C80C1CD853E5704072F07382E62570EE84B229D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKUPD.CFGMD5=9BC8BAAB3894E1424CCFDFE5A6CDFA50,SHA256=933FB1FCD84FB2B9279423A0A3D412D766BAD8A36DAFC80090DCC2860E468BB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKS.ICOMD5=5BB49EEB6557EC5727ADB24084916377,SHA256=2B7EF07964508843CFD0AF4C13FFAF6BE9963BF28919AD48DDD8751958179486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKREQS.ICOMD5=B208AF908B892B190A7660F48A738BE9,SHA256=A0FB5A8737D2EC71FA39887FBEA1E85A68855DA8D2893E11CAA03F4330F40C02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:22.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKREQL.ICOMD5=74A6D5803A9C071B1FA50C8A0DD66CC8,SHA256=F66B6E7C11725F1477FC11195A999C0D159D056E9F2DF9821C6ADDCDEC8B35CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKREQ.CFGMD5=718C1F059D65495D17B9D6DC32FE3F69,SHA256=B7CD4C8B1600AE029031ED5E606FAB546DF3580B15E02DF7FB87096FB601B982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKL.ICOMD5=3EDE80682A563D9A2BEB7D57137A93C2,SHA256=B2659A926F7B3AAAFD2AB0C4993C670215D91BEF49B0F876CB6A3A61EE3C8A10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKDECS.ICOMD5=EE9DBE73CF40FBEBF919300AC61D7D9C,SHA256=4372299EB819702F8188A972A28E9E8B6AE03AF6F678323E16799BA735678782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKDECL.ICOMD5=B52E1A369C36DD7112AB8AA51FF93071,SHA256=307906B5AF5ECB42D228D404C03FB4B995EB9A24471910E113854F134F2DED93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKDEC.CFGMD5=42F2D037E27083E7AF3DF79549E05608,SHA256=83B8A4B23311026E6539CE99D53DD9092C9C6017AA5847DEA7BED7289D504BED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKACCS.ICOMD5=585CDFB98F182CCA13462A8486277735,SHA256=919A1950377A61ABBD48EA4CACAACD1D7BBB9409E1C5C39CFC49C327D8FF0BD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKACCL.ICOMD5=3B85B6C19F8CD3AED92F448E573428BD,SHA256=41BE013BD98740AA8D0CC976FCA2167B4820450676D0ECD9502661091A4B7F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASKACC.CFGMD5=7D2AA9B711B873712F779993EC4E04A0,SHA256=2627B0802EAB57262E7623ADE1E5608E1B4F3F07F896DBE28384C022F20EC6B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\TASK.CFGMD5=9729309B81F03D028C26A43DF019602D,SHA256=718CB57118987B805459E5BC0E04E98646FE30D50E4B00AEFC9181B653591A69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SMSS.ICOMD5=6B54889F079E1D65157FF079AE837C48,SHA256=9159B6C509A07B120712EB3E6A7BCD9A211E001EF14AE5F09484BD2E35EBB6CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SMSL.ICOMD5=CBA7EBA85435694942147E97B84F7F61,SHA256=386DB83A021088B7C5604FE4B5B12CB39C5518F9ADF03DD8439EA49E29570D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SMIMES.CFGMD5=A8095F3647524B7D5632760C7FC93BD1,SHA256=0F0660B513D0EC83CED4D5EEBEEE23AE19511B1FA8E6B72376E7C91DA5052631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SMIMEE.CFGMD5=36E93EB0F6CC79BF105C8689D0213888,SHA256=C8DEF9433B0080C2414F74409AC4F823978CC1C6FCCCC2FF26D37762C78D702C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SIGNS.ICOMD5=F0F9B3768B206A70DCDD42A79B602C39,SHA256=5018CA72C293498F53DFB618DF4F5F541F0B4605214E21B519FBB01892A38338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SIGNL.ICOMD5=AAE6D39F1DB71CDCA4F3739C0AA2D44C,SHA256=553E01FDCE0E724215B09503238EF4A7F9E397206006E1701B88EAF9B28E697E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SIGN.CFGMD5=13BC60E63BE9ADC5632E463C98F19E1A,SHA256=A4CE986137670FD9BD0DE40CE5C5E017BABCD46CB1B1E79CA0049FEF6994A6FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000327883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:21.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FORMS\1033\SHARING.CFGMD5=2531A4ABE742415444242A87A6D351C7,SHA256=AF39FDC40C10A0ABB47F6E1D200657CAF346742E1D32F2B3F0A8376679717B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL054.XMLMD5=6DBE7732AB9E74287EA0417888E25570,SHA256=9647B40B575B98A2F8F8C3F0E090F37A0C4C0B694CBF555F65D6289F1DDD36BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL048.XMLMD5=ED05CA2FD6FE674C2953286DDA63445C,SHA256=8C06A52C6B0D344B29C4FCF8E7607922E74FE92A1A3E5B10ED667389DDD3F5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL044.XMLMD5=767D1456B538F4E824F0389F3DD50141,SHA256=66C6B56DF5B76A50B2D787729E1F8821717299C78291EC2BD93959DC5066E0E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL027.XMLMD5=B36916F82F628A7B2C46F931D2A16AFB,SHA256=AB790F6E12F98E7607203F14E09229A537020F6E45B4045F0AE3B9D67C903734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL026.XMLMD5=DBEA823572BB2727BBE599B1ABD4340D,SHA256=C3886F9B4E74684FC0C620914C7324669EF2A854BFC9E30DBFE720AFCF6512F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL022.XMLMD5=8816377173A180B0989102274F5844EB,SHA256=AFB31136A944A971C55A3714BDE3987670FA9D51E83819FB3D1B24C9DC81F499,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL020.XMLMD5=567D5D54B7057B0656664B87A4CCE230,SHA256=5D0D894FDF1F48940848754E285125DC71EB80583359E9640EAA9FC42C1084BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.947{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL016.XMLMD5=08711BFBF2B16685984FE2D50480B24F,SHA256=07BB5578F273E2F69A592146E97AF47FB7356BC7C3408CE3EF8170E7AC1D323B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.947{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL012.XMLMD5=0BD5B908FD2414CB358E7F5B92A64C82,SHA256=3807E25C7CEE959D5E0FE48763A72B4D9AB8527654031667557A8F34C820168C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL011.XMLMD5=A3DC5F3EA9B3FA4DCC1F7F2C31A379D8,SHA256=5883B8E7E9968A58B527E6A0A57993268DBE1EB9EC55C1830AC8B8C0D4A31BC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL010.XMLMD5=962C75F27CFDDCF71DB79E0A77448BC2,SHA256=CCDAD2EDC6ABB83E3A14C35F53399FA94359C1E4242C36F7057D53ABD4063BED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL002.XMLMD5=1864C5301B7FD57BC009898E0FDCE7CA,SHA256=34F1A9349DC20E168090D0751FEDD29C718F86DE15DEEB6C0C9C8C7C238F66FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL001.XMLMD5=544F502153A5BB91A33ECA3DD1A19B59,SHA256=63DD6C1407D0A9AEC3A814DD54884AD25F0EBF732E1C0C6C14AE9CAD7534C56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookReactNative\SearchView\NOTICE.txtMD5=76C57CFF66295B5E8141568D71716394,SHA256=D53A454ACB6F651CBCE8A320F242965D4A9F950B3FB410D736C41C5EB1154A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookReactNative\SearchView\index.win32.bundleMD5=9B9C490854DEE464E1D3FCC973924552,SHA256=A5A84C0312AE5BFBCD836085B7616176FD795D569CE0FB1069A9222A82E6DC06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.SE.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.PL.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.NO.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.JP.XMLMD5=B1D44BF4BE3B12C5DC81CCF412559323,SHA256=342480031F95D081B1F70E803F58D5BD351DDC8EF5311D4B0B93CEE0C38CF963,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.IT.XMLMD5=B396C6616C701DB76AE34037BFF88274,SHA256=7A67400D2CAFBB3906D9E4D43E9F2DC56CACCEEC668C1FFF3232AE06EDDBD2A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.IE.XMLMD5=4AC759A0010213C0DAE4AD7E6B954AC8,SHA256=3604443B58BDCBED2EF73FC449B0B53064FBB084C005E2FDBED7C9432F543BD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.HK.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.FR.XMLMD5=4C94B28355D47465D0261400D01C2D38,SHA256=D2BC826AA84A40AF2A3C563D384C39EC672CD055EB9016F1FC6676B0831C5458,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.ES.XMLMD5=B9CE1AAAC75D784C03763858648A8689,SHA256=0DDC9E6D83FFAD5D7CC5AADBFE33F12241285034937F7B1258D30AC1AD3392AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.DE.XMLMD5=6AE5357AE96F663ED58AEE772B0A71D1,SHA256=C07E81C5581A4A2CC812277B0A2D1A06072BC0EC74CCD2B8A8C35A14F568D0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.VN.XMLMD5=28B364C3E536127315B00D28D582BC79,SHA256=9BD2820E091647AD56766F142D905F8869B27E9FE3AA25036D70BE807E681CB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.TW.XMLMD5=2FE0D0003A0ABB13D2BDFE250DAC3694,SHA256=E51B82BDFE6BB2A251BE98F0C4053BBE029E5E5A19222D862E03E05800D4BCAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.SG.XMLMD5=562AFD4E5B71F349A7BD77D9455673FA,SHA256=ED152BF16B4FE10233D71169EF5805E021678413BFA6FCF69BC6C6798B168D94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.PH.XMLMD5=05E8BA534942D93BEACC7FA204497D9F,SHA256=B468A5040319551BF0B0848D0C03A59CA2189AEC914FED4939FC7EE00A9D626A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.MY.XMLMD5=D2E73CF91A05AB5130B704FB99967315,SHA256=4B1302C1CE8180518EB66A4BA4052571942F9C75F9F2D1998DC371F6AB33E9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.MX.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.HK.XMLMD5=C6B25D8EEDAEC73648D084C45E2451C6,SHA256=3A1CB0F689B79BBFBBB6C29870623B2306E449A5B2C050C1B33BE9D6FC201FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.CN.XMLMD5=63D4A31E8ED0A74BE917F8FB115A8096,SHA256=C53291FBBF48944DF71A1ED49D7B6CCE90F2F80CB7A2E38702FCDE456515DB3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.BR.XMLMD5=5B8D838A12C6443CB8235264B8258C5D,SHA256=F9D50ED83F6691535590CF8A29729EC18C6C737B04E084DA574F681C8C935F26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.AU.XMLMD5=460204377C86C8BF37FA59E336831AAB,SHA256=F71B9D7F00FCB1871BE35C7E984F0C946AC6E75946DC4800F231659FADBC0527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.COM.AR.XMLMD5=C5F52824779E014FCA9B6E5BCCDD7748,SHA256=4DBB7476B3CA07B69528355422387A5C638471CF1A9AA890344DD6C5B1D607D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.UK.XMLMD5=4AC759A0010213C0DAE4AD7E6B954AC8,SHA256=3604443B58BDCBED2EF73FC449B0B53064FBB084C005E2FDBED7C9432F543BD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.TH.XMLMD5=C97F325596B9B1D1AD51B1E82A01548A,SHA256=DCB2C3FF0B84D025FEBD9E5B166F35ADF13B457138928C4C08E16A9AE4CB528B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.NZ.XMLMD5=460204377C86C8BF37FA59E336831AAB,SHA256=F71B9D7F00FCB1871BE35C7E984F0C946AC6E75946DC4800F231659FADBC0527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.KR.XMLMD5=FC9A01384283F760B245BAFDE02893CA,SHA256=7BDB5BE38475510A7C05A3444B122A62E8CF4C05B35E656CA4DECCCE4A55D968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.JP.XMLMD5=F0F1F60CC29525DDFBFD402381E0E42B,SHA256=1A5E7B2B72CE5096B08F1B78CF2906F13098AA35257C6CFD69BD077A9983AC19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.IN.XMLMD5=4B6D837FDBA1FE5306CC2C0DC630E4AF,SHA256=171D526D78A4AFC93738F60881B6F05726F59CF992A57718122863E766CCD169,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CO.ID.XMLMD5=2D8E27619A4D15BCA2A2B04ADB8C4FE5,SHA256=CE4C5FFD3E2F77FCEC8F782962B6770050CB8476F71242EF178D0562069B5843,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\YAHOO.CA.XMLMD5=2A2E2872F1539413D295BBD853BFE85A,SHA256=0A990E1A0A5D939A2017CF956CB61477DC7682F7F36805651CD830D884BFFBC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\WANS.NET.XMLMD5=48348A555BD85B4B1CF3584A5A75F185,SHA256=83D385170A47A8ACE4D43944A9C7529F273F5523BB074AAA941DBD2BAF33DBE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\TALK21.COM.XMLMD5=F7120202954B5559DF4E0C9BCD7B7B16,SHA256=C5CD6124B33DA659724837C3B83B5A54C027B5C9719D1E6AF2E778C9811E1DF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\SWBELL.NET.XMLMD5=C306FBF279B5DA3857EDEC138FF5B0F3,SHA256=EF213DFA026F3CF024FB6A7D4277AB28D7BD4F4CEF59683D4EEA2271547754B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\SNET.NET.XMLMD5=F7710CE421BBF817CEDC3A6FD1701A57,SHA256=7F4EDC269D984BB5ED6A93B7BEAA266C92B6E197DAA785B241CCFC0CF31023E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\SBCGLOBAL.NET.XMLMD5=04145F8F0B2C7D65DB4C99D720784AA1,SHA256=9A91428EF84D31A5672AC60F1197D691E258963E4C8FDDC1EC78E6BF1246942C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\ROGERS.COM.XMLMD5=76679725571122B0BB69B3CAA7258C28,SHA256=79F89A7FC54D36847A2355A5346922803749E460AB5C26CF3381A3460DF5132A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\PRODIGY.NET.XMLMD5=270E3DD19E197C61433CE57528228051,SHA256=D2D1E799D95DB4E1BA43A466C4029CD1FBA8F586AD8A8A845C5B6F1B2BBFB0C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\PACBELL.NET.XMLMD5=EE9E1890F7EC7AAF5E466BA46ABFAD68,SHA256=9B6C9C9E1FA04B32463E06331A7F47086BDB13B8C8AEDC529EEBCA7B92C7D242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\NVBELL.NET.XMLMD5=24EB0BB361A99D3BDC8D37E9DE1D7926,SHA256=DEC02846EF9C8BDD108A65C9919F6985347AC63412538F4139DA178CC13A7916,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\NL.ROGERS.COM.XMLMD5=76679725571122B0BB69B3CAA7258C28,SHA256=79F89A7FC54D36847A2355A5346922803749E460AB5C26CF3381A3460DF5132A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\GMAIL.COM.XMLMD5=C0493ED3247FCCD51493A968D71ABD0C,SHA256=35E0CFC556050512C8E19D81C9BCA29E85623135C2D97DB0072BF4734DA48265,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\FLASH.NET.XMLMD5=16460D48998FC7FF33DEC3A33413CE42,SHA256=6A3475B1039B1FDE47EA9F5BE3124E7C812FB0A0B68163D3A763A3EECE8FE1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\BTOPENWORLD.COM.XMLMD5=F7120202954B5559DF4E0C9BCD7B7B16,SHA256=C5CD6124B33DA659724837C3B83B5A54C027B5C9719D1E6AF2E778C9811E1DF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\BTINTERNET.NET.XMLMD5=F7120202954B5559DF4E0C9BCD7B7B16,SHA256=C5CD6124B33DA659724837C3B83B5A54C027B5C9719D1E6AF2E778C9811E1DF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookAutoDiscover\AMERITECH.NET.XMLMD5=DB8F644908E1AE52C9C51544B3E84093,SHA256=6D0C439A131E82DF17FFB0633057BA402D5D5BE33A73B97494BE77E8B5C8A4A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\osfFPA\addins.xmlMD5=2BB281D2F2C6F1C1811626FF2C02B537,SHA256=10A16E5F9DF3430BB5166FC37273C75FA08E2FC9FFDE61277987762B1EBC8046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNoteNames.gpdMD5=5047CEC9C08AA6B6CE46BDACCEFE986A,SHA256=551FED688509A5D587AB0082E1E612FC7D2485595F2B55BC300FDC5F83BB036B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNoteFilter.dllMD5=3662BF5C56E4DF7FEBDC3CFD08E9E4D5,SHA256=21BBCC0E7193755159A1D841BB6EE9A580A0FA4F1BBE95B4C2C36C118BCDF012,IMPHASH=AB24A902F724D73A3FC0AAF53CD78A28truefalse - insufficient disk space 23542300x8000000000000000328295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNote.iniMD5=640E4D188A62FD78B2AD43AF47495CEF,SHA256=499E42AD8161DF80963C9890921C98E3EC0464B431F4A78167EEDBDB3CA95789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNote.gpdMD5=9D77694DAF3D4E5073633D0DAF5CD720,SHA256=B1B5E571607D91B5E1611E1310238C83F4E219C02AFF47608C289FE01D9C2D4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNote-PipelineConfig.xmlMD5=D7EF893DB4590A85390F72194D40C0B0,SHA256=5B437FD2A956337F71E8E69E9231D844F95BD5C6420DDF0C0155624E7D7168A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\SendToOneNote-manifest.iniMD5=91CE083419EBD92711946F7525E61835,SHA256=30AD3DDC45EFB0EC9D2557CBD226E522F2CA78C40A10CF7576B437F7F735EA38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\prnSendToOneNote_win7.infMD5=686088F195B704C0EA577DF3BAC9BE6E,SHA256=37B66A457203324B5A6C8D65720A5D90020FA3FAAA766A4A8A44AF8A8B09A1CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\prnSendToOneNote_win7.catMD5=397594FBB76E0EDB7C35250347BB02DA,SHA256=64745086F122716C9A5078FFCDEE3C733503A8E15F59FEA0EE5ADF1D3B41D364,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\prnSendToOneNote.catMD5=46617152A7D964CF3532EE008A4EAA19,SHA256=C73BE7A5E5B3D641EDD93AAD497B0C1AD0587AD9998F166229FCDC02668C481B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OneNote\prnms006.infMD5=F6BBD70FA6229EAC8AF2B7D62BDB2BB8,SHA256=378C6DA2C15D79A8F79EFF3AA4F5F13AE64EB9B760DC061E5A488992A1D874D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\salesforce.iniMD5=B4AC1F73BA8548DED15A2EF6DC57E008,SHA256=3DF1F4D27252D96A40444C588B12FB0A6C25B75B052DA663AFC13A052C615658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\redshift.iniMD5=A8840B7BB7E0E4DA3AD4AA99FD7E6282,SHA256=1E32394AC97318756C7707C4230C58DB9AE25C17AB0589747278609F2B7E12EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dllMD5=C51BB9322C59E2AD09DAF9CE9BC108F8,SHA256=C5E9E112D83F4EC191DA12084C6854E98EE99231BBD6ED2F38BCDE38EEBFD079,IMPHASH=AA8B89D46B51E3CA4A0D11459C181DF0truefalse - insufficient disk space 23542300x8000000000000000328284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dllMD5=ECAEE0CA125E6549182E6B648FA4EA7E,SHA256=4AD44B287B24429730A731CB7E8E7D6DA0E70649B656288B8171A2503D1830FD,IMPHASH=5609D3B19DD3271486F62251D009E1B5truefalse - insufficient disk space 23542300x8000000000000000328283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.665{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.didMD5=FFB3606611396C4D93B19BF08C2E4A8A,SHA256=B42928EE42A300EE24F8B09B98B45BCA6C4FE1E66EAE46910BD25FDF84D1CD65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.665{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dllMD5=B8C3F3F6EFC41A3FE1271052DBC478CC,SHA256=3679736225FC3DB8DF2BEBC11A147E0346087A0F80817EADAFDB68986817CA7F,IMPHASH=E3E94C33450289658D8F33B3507E44CCtruefalse - insufficient disk space 23542300x8000000000000000328281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.634{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dllMD5=D773E023117A753B53F2D1F9B9A96119,SHA256=9A5DF9ECE210F100259443284F4330643E1557BD12C0FCB8A1DFC7E81AA70E56,IMPHASH=CAE492EF7EA8335582FD197F8448E553truefalse - insufficient disk space 23542300x8000000000000000328280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dllMD5=B6525CDEC4EB6421B5C32EDEB31C6822,SHA256=37521F70E98328E637CE57C522EF64989CE87F65396A1C63A3602CA1944E2080,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.335{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pemMD5=3ADEF09E6A80026BE33C7D5CE29F03D3,SHA256=9F7AE4218F627F4D8B2DE64A04F192025CDDC5DE488B7DAEFC8A87C6A79EA954,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.335{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dllMD5=C51BB9322C59E2AD09DAF9CE9BC108F8,SHA256=C5E9E112D83F4EC191DA12084C6854E98EE99231BBD6ED2F38BCDE38EEBFD079,IMPHASH=AA8B89D46B51E3CA4A0D11459C181DF0truefalse - insufficient disk space 23542300x8000000000000000328277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifestMD5=3CCE9F50A5D24BFC7CCECC37E3603EB6,SHA256=DC968206AE8139A421AE26FE3A49446D72F2CBD4C30B34B6777F10A1CAC3978F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dllMD5=460C06E58F6E9222308755A14886D2C6,SHA256=EADA3200C93EA93A4B011AA23CDF573F64A7B857C7FA478D4F0DC81528621751,IMPHASH=F18FB023B04B443C3E9F25B1B472D0C8truefalse - insufficient disk space 23542300x8000000000000000328275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dllMD5=29ACDE08DC8DE8F7F4B883682C0334BA,SHA256=89D5101FB636B65962CA45A5ECA585A7BFB8EF1E950307F997B5BED02619C6BE,IMPHASH=93816E761E9CDCEC68C173BAF890878Ftruefalse - insufficient disk space 23542300x8000000000000000328274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.288{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifestMD5=41E5AA78417F14584B9B8472BEEEB888,SHA256=519172FB949453597F26223837008BC8674401E111B84E1499922B82EF8389C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.288{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dllMD5=DB0397611349CBFA7B6DACC325D5729F,SHA256=8AFF6AC5F33DBC0E8E80C8D853B01644A4B5A9B2D2D55C216FF4DF83DEFE974C,IMPHASH=177783C00B3A58597D371AB67DD5DB3Btruefalse - insufficient disk space 23542300x8000000000000000328272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.273{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0171F55FB1577E14B32BBF95ED7EE2E1,SHA256=C94620715676B3B23F6F6F9DC8D9D105F199B0A9472CE213C33BEC757BD2D88E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.273{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dllMD5=C51BB9322C59E2AD09DAF9CE9BC108F8,SHA256=C5E9E112D83F4EC191DA12084C6854E98EE99231BBD6ED2F38BCDE38EEBFD079,IMPHASH=AA8B89D46B51E3CA4A0D11459C181DF0truefalse - insufficient disk space 23542300x8000000000000000328270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifestMD5=3CCE9F50A5D24BFC7CCECC37E3603EB6,SHA256=DC968206AE8139A421AE26FE3A49446D72F2CBD4C30B34B6777F10A1CAC3978F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dllMD5=460C06E58F6E9222308755A14886D2C6,SHA256=EADA3200C93EA93A4B011AA23CDF573F64A7B857C7FA478D4F0DC81528621751,IMPHASH=F18FB023B04B443C3E9F25B1B472D0C8truefalse - insufficient disk space 23542300x8000000000000000328268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.257{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dllMD5=29ACDE08DC8DE8F7F4B883682C0334BA,SHA256=89D5101FB636B65962CA45A5ECA585A7BFB8EF1E950307F997B5BED02619C6BE,IMPHASH=93816E761E9CDCEC68C173BAF890878Ftruefalse - insufficient disk space 23542300x8000000000000000328267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XMLMD5=FA8501E75E6AE8D3B99D335189F621B5,SHA256=DAD12C115FCABFE8A4B773371C6DB92677EDAB168BDCE5FB9772F837B0C0EC3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XMLMD5=FE7876695F15EEB5F0869ABC4BCC8D6D,SHA256=B8624780EDEF4AAFFA3E62440C26D737C1D7062404CE50852DC13343BC6456B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.226{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XMLMD5=50302C0F7DE0313029EA4DA93748232A,SHA256=65654AFB0EB34C977805BF1F37C29B6C9B7AB608A6EE23A0217B5AD7D457710D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XMLMD5=AFC8083E623B8CE36E64B32629A09776,SHA256=BFFF66EF87B1AA12C7F67150994CF7A73FB8D37D2B8C7D375C615D7D6C06215B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XMLMD5=52F99D2FEE1D7D44FDED542E444EBDD8,SHA256=E8F0042AF4F677F16A3D16FA56CBEFEA2D3AC91812F1C9AEED6CA720BCCE4D43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.210{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dllMD5=B704796AE75E69D656065DF160DACB2C,SHA256=FA8ADF27AD48B7F6D0D8BADBA4D1F281464B893625C23E9F89D8E4CE61C0F09B,IMPHASH=4F756DCBAB005A73CF18FC5D74E08406truefalse - insufficient disk space 23542300x8000000000000000328261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dllMD5=AF0B0BD948EF47889917EA201798CF4D,SHA256=98EA304365647242D089CF60F85AE5793A6A7ECD5E3CA78554D5D8D5DE905DD8,IMPHASH=F0C7D4F44A18A527224E8627B8681BE4truefalse - insufficient disk space 23542300x8000000000000000328260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.177{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dllMD5=EF09DF5386F5275543820D98A448A3AA,SHA256=A2D0E5DCBCAED9F7E71F2E6810001AECADFA7F03CA71EB8256BD15A5FD772A8B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000328259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.155{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.155{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.155{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.139{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:23.291{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948BEB65A16D2C07CE7CC24875A719FC,SHA256=3CCE76F233D76CBAF3E53812DDB1C4C0BC942A5D1EFB57A1F13879D249367289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8FR.DLLMD5=18A6E559C6B1DB0B848C277E31E1FCE6,SHA256=C1D8F24DBD1B048595353FF4084E201E4D166691D876988B8618410F65F3035D,IMPHASH=1F9BA183B4240B2A401375683A699DBAtruefalse - insufficient disk space 23542300x8000000000000000328464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8ES.LEXMD5=70401E4BB62DEC18B3F9907A78B800DE,SHA256=77F8A279058EFE0A7EFD8EBFBA3D058DF62335A393162E96182908B089E8D3A4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.939{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8ES.DLLMD5=7F389231C1EAB097167A0962398B673F,SHA256=CF9E7E716AC47C821D43265AC8D661E20D90A98423E2A5CB5B51C2189757D066,IMPHASH=1F9BA183B4240B2A401375683A699DBAtruefalse - insufficient disk space 23542300x8000000000000000328462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8EN.LEXMD5=48028C9D02B598E6EB752DE4C6EAE45F,SHA256=BADAEFE3752EF34F2A3B9DC2D290521628162248595FFDD8804998437CAB97AC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8EN.DLLMD5=C6D559CCF2621EA7CEBF08C749B9D164,SHA256=30335341BFD0B45518350F8F5712E2D10594583FE74D57CA4AD04F25A9596941,IMPHASH=1F9BA183B4240B2A401375683A699DBAtruefalse - insufficient disk space 23542300x8000000000000000328460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msspell7.dllMD5=A00C7991D25779BDB906111EE6B1C651,SHA256=9D8B806EF3ECCF850DAFD3BBCAED02706AB645ECED7E63AD528D5D713E09667C,IMPHASH=7182EF5F4F7D6B5AEDED28AA5A94DFBBtruefalse - insufficient disk space 23542300x8000000000000000328459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7FR.LEXMD5=3BBAD996927B3DA3CF5A457ED6CDE4C7,SHA256=A683F3CFD409A0058736A746D8585C0EE06FB4EE59D0D29C386882C5F08972A8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.798{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7FR.dubMD5=DE504021F3652C12A3399EDEAFEEA3D7,SHA256=FE252502B4A24DD9C39DC629BD5C2E17867AC95CD6C2180514B45E11E1F5F79A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.798{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7ES.LEXMD5=5946DAAF35CD7F3D99E36C6432034997,SHA256=3C69070EC5B2074C2DF8FED9A8A660FCE22A81E3A59B7E34A8F0FBD91DB43DE9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.767{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7ES.dubMD5=DE504021F3652C12A3399EDEAFEEA3D7,SHA256=FE252502B4A24DD9C39DC629BD5C2E17867AC95CD6C2180514B45E11E1F5F79A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.767{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7EN.LEXMD5=E955B5484CEADED99BDA3586D408AB9D,SHA256=11F92193B7C3E2C7535A5CB1F703FF391A289CB43A4E94CAFEA549A041125B5F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSSP7EN.dubMD5=CCD675228D695BBEFCECB7FF4EE397E1,SHA256=75776FE6B29D7AE0BDCD89E9679E488F9E65001E84F62EA381B9A7F91EAAD912,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7FR.LEXMD5=1F4B6F14B5F13BAAA81F6F53EAB7CC76,SHA256=999065D36E1F2576D74D839A6EDA7CDB30EC1183AD5FF9BEB79E37EEF368C1C2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7FR.DLLMD5=57EC22A9B720694BFDD66564CE315845,SHA256=3D70AF0C192300AA67F5B80665406028B1FED260C2DBD6B164FAFC468CD4E46C,IMPHASH=66D0FF2BA38E7D5A7172D2DD0CB1D67Atruefalse - insufficient disk space 23542300x8000000000000000328451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7ES.LEXMD5=B52780C837BF33945A8FE5809E27B93F,SHA256=808930169306493D14ED4AD693B8A92FDE242865B8167227A78C915D1D87C209,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7ES.DLLMD5=B8884F3E8BCE945040BA3EBDF106EA30,SHA256=A23D18A9DE8A0199B704496F58B7B4F1A6EA487A167838F876A0D1B6F0EF9A68,IMPHASH=66D0FF2BA38E7D5A7172D2DD0CB1D67Atruefalse - insufficient disk space 23542300x8000000000000000328449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7EN.LEXMD5=498D1783683428D79705FAB0906B339E,SHA256=FF07477E50D6FD9DB1BDF2D2FCF935072570C74391FCF5081F04F418C0EACF07,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.704{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7EN.DLLMD5=C72E50F293E3E03671AA791B3AC313B9,SHA256=49195A751C9842FEF4AABE80F9B1D0B85B9D50126BEF2C27C33171E57FF10B11,IMPHASH=66D0FF2BA38E7D5A7172D2DD0CB1D67Atruefalse - insufficient disk space 23542300x8000000000000000447978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:24.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0799D931A0A6E50688BA382B60F1E917,SHA256=F11BD4A3F714742119EC9F0BF9AE8794AE2E5C94598AD94EAC4FD81899DE650E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.689{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgrammar8.dllMD5=C54BA946FBBEB682C4FDD185027943CF,SHA256=E50E28C7E914D69BC5A04E5C90A5CC40B1013529606ABB1F187B6B5FE221C4C3,IMPHASH=452E252F6283951369EF914476D23488truefalse - insufficient disk space 23542300x8000000000000000328446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.673{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSGR8FR.LEXMD5=0C3420A1B3B4625E2909CF323B38E2C5,SHA256=EBD23B0D74E0F186D420E9BFB9E037B01F48B88E4ACBF772D67182191DB4D680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr8fr.dubMD5=89A6D6E39F7DDB956A19D5F7F64A148E,SHA256=353AC9F522F71EC6DFA7BD57B54B4C20175727918114052AB125F06931387CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSGR8ES.LEXMD5=037553E5D9F53AB7D9734F8433F368F5,SHA256=56319D79E380782BF06FAB6C1B4FB192C6A993BDFFAA871C0E9A9457ECF5E51F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.501{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr8es.dubMD5=89A6D6E39F7DDB956A19D5F7F64A148E,SHA256=353AC9F522F71EC6DFA7BD57B54B4C20175727918114052AB125F06931387CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.501{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSGR8EN.LEXMD5=AD5EB548112CABD7075750118614BBF5,SHA256=FE6D60C81AB1AEC56C9D0747D031EAB4C355216F247820057EFBF5A1696823EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.353{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0C6B1F7E78CA6B79414C366F2291C0,SHA256=1F2E4BBF975553F4D380C6BB26E2916BD9E42668012E2FA556C68BA1D46B98DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr8en.dubMD5=89A6D6E39F7DDB956A19D5F7F64A148E,SHA256=353AC9F522F71EC6DFA7BD57B54B4C20175727918114052AB125F06931387CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr3jp.dllMD5=2F7B1C24C833CB670429ADC4C1D9304C,SHA256=EE4B0FFD42D7FA7B52121458D2200995CD1A94365CE9C2081FB064BE3052ABB7,IMPHASH=11F998C7E1159369DF846B123B1B75D8truefalse - insufficient disk space 23542300x8000000000000000328438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\LTSHYPH_FR.LEXMD5=0112C4CF3FC362ABA4F17D10C44A7D64,SHA256=A5995B4E674AEDC1682A5DF5F83D6A7E163F57836D713A793C6B293320CB1353,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\LTSHYPH_ES.LEXMD5=F5AF3411989D8A524780877ADEE493C6,SHA256=8CA70F1D16450FD45677B0AA0E7F3CAA91370F6F1DBFF9FD3DDF1BA0E398ECDC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\LTSHYPH_EN.LEXMD5=67FC927409F8DB3CC85108FE8B039C41,SHA256=6ACCF9A88C4ADF96EF24F0B232FF441DB3C78278C0351F7EF833EFC9A58DE67B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000328435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\personaspybridge.jsMD5=FDC65C7011DDAAA84BE2B9CF18F1A63D,SHA256=4AB6268A98711428184B1D1D1443D81500416E521FE7758C32E32F82A51B775E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\PersonaSpy.jsMD5=A42F78E9F902B39A81075E0139015D2C,SHA256=DA4646C7816D78814F81C2041A8F015D43560376A6FAED9D98EF485A206A9648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\PersonaSpy.htmlMD5=9A519C2CFB5A94630C667D06513853BE,SHA256=A9EC11E8675E40C7351BD52AB0FC4BF04E1682F19329C41E44F9664EBD687EA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\Office.Runtime.jsMD5=4F5B3896AFD852FE1334CAA3B2BD60C5,SHA256=F4975E55C5508A41CC927754AE855C78C749B28F014CBE41EFC4FF35F5881BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\office.core.operational.jsMD5=D7AE754D1627F6FAA4A5EAD8945AC2AE,SHA256=D4664782AEC29E67A690FC85FAF63544BC7EF5ECD4BDC2D7363C2DF5D9C10D0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PersonaSpy\notice.txtMD5=BD4CEBE840C2B7FC478E01B2F3808EE1,SHA256=7C5F461BE587C8A5AF8A40CE8676879B3C1DBB0EC181D2BCC50D7C8254E3D461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PG_INDEX.XMLMD5=3F5BD43C350324B5D4A9F89D2B3FDD50,SHA256=B11EF92DEF98FE7944D4EB33880168A1C2E892C47CE2D7094A0E998DBBDD624E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN121.XMLMD5=7993E3215E80867771CAF2DEADD1E0BF,SHA256=BA0DD02AFC50FAE4D40EB2CAFC653F6B6B605178F1F331DA1281479C820DE5D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN120.XMLMD5=66362B9A219BE4D24398B3ED87A0942C,SHA256=FAE4F58A394238A0DD30DB771C5E28236400460ED38A5290EB8333507EA2428D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN114.XMLMD5=72A00EADE3E03FA7D0DD7648BEBFDB03,SHA256=41138F25A078A5B8BCAFEC7CF9E081E855511D54259B90D793BE9BA0A8D972DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.244{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN111.XMLMD5=551A6D1AEBA1A805B06ADF05B0F0380F,SHA256=737002ABD0C705D9604A02A864AC872A0207939837CCE3FE4062CB920DCBB02F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN110.XMLMD5=FB75E40C1EEF79242B759B6270D3B47E,SHA256=9070C30D37E869472779238D0B7BF66DC36FEF12850CA168A7A306C6BEAD94DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN109.XMLMD5=55C5BE4248B44250AF06C18CA9F0E26E,SHA256=9CE1F11803B5EF669DEA4698820BD2C333A005F62F811B6071D45A284933632D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN108.XMLMD5=B4CE25F53DC1B73C5E53E8D338273DB3,SHA256=D8F2C286C0C756588336CE2FD5778EE8866AA9239E25C738D16FFFD456794720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN107.XMLMD5=412E7AA26E9FAAD40501076CA5A72CE4,SHA256=00220DFBA05AA5D3C9ACC26553A43BB73F1A673BCF23D781E7467BDDDEF17B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN105.XMLMD5=8C4958E0F921F142146822AE70109AD7,SHA256=D6A851B92874494AE1EF97D7C8D3DB7D84C9D923DEF3A6BFB174E8F1E84AD065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN103.XMLMD5=F29FEAD76B889D84D61832DCED348972,SHA256=0503F9977ABE3435297DDB2C19F87B7E58A1280DDC1C1CDB5C7679A4B4329DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN102.XMLMD5=270588291AF3F59C7064EBFF9757EBA0,SHA256=046AF5A2F0E189C3CB5C634B126EE93B5A75C6417AF9BC73D81D73A481AE7D4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN097.XMLMD5=035FB190901F3B9A1211E086F2A09386,SHA256=B1F1B77D3B11299E3AD654EA736FFFE91E04D92F0D559BD7F2C394C849DC5F95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN096.XMLMD5=0812A51746E82E1BF100678093B8F595,SHA256=0BABBCD9B236E8D040D6E9DD4C2BACFF49DFAFB5F72ECCB19438CA2FB1B2D4AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN095.XMLMD5=8207E3689A83F100B088A1F2FBA2C972,SHA256=D90AC83C17FC07F3FEB94F0B9D21EEFCE23D70B1571DEF19FF329B3F461B270A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN092.XMLMD5=2DF33579C640458BE39620039AAB3793,SHA256=E10BF752C784585FD6C04255B9222BF9B54A93CF7C30B983001B53EB95EB0C01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN090.XMLMD5=206476D2BA9CDF5C7A563A020F3CF40B,SHA256=0564765ADB75B538A6143A2FDE69E8ADB6DFE319F2050B7E92492B10F9583DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN089.XMLMD5=CC5292CEE5B974AC253801EDB90260A2,SHA256=77A88AB3B18DB1EE9E9EBB217C4F23961A3E93D1046F9661CB8BB8B3BC907A4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN086.XMLMD5=B32B72748203F7AD7300653C8F26A9B4,SHA256=8688A38AE80013DDE4BBC420EAF6F2767E24F9757C6226D160D405B1F4BCDD00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN082.XMLMD5=6B4A76A789368617AF937CE60C7DC5CD,SHA256=2A2AC199EB48CDD9CEDEA8A5561DB5B7FBD832524B2DB47A4C7595DB4AF219B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN081.XMLMD5=295313436008C70542EE0F12B1D6F81A,SHA256=0195628EA2AF5BF337935E8118B544E5B76894DD7AD2F03A3EA1863E440F7E06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.197{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN075.XMLMD5=AEFC54EF3184586373DBB262BD68A362,SHA256=337B792E389D4D58B12A625E58C21BF18F9A15F368C1544DD349A0B2D28D1E63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN065.XMLMD5=C42DC9B789398A924D5CC41095BF0B6D,SHA256=82A41B3BB1ADA40BF080CA8295346C82AC9692D444FEADEB3B7996C3E0F15BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN058.XMLMD5=06A8BF3829B52CAA19DAB046487776EF,SHA256=506B8EA58F2764B282ABC12708084A82DD2874C95D26B14F426495FE4C4CAE55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN054.XMLMD5=E46BAC6C6FBEA2013DCC6B99D0819E11,SHA256=A31DE4D20B806DAC97F63EF9C808CDC55F0C0826468386B3115FF52377E5DD1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN048.XMLMD5=833DF07173AFBD8A1A425C2E15CF4E38,SHA256=A8C3FD28BAF7FAFC9E24B277D5DFA03746DD6B8C5138C44919FF157BBD6D0DAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN044.XMLMD5=66096748B02ED7B7D39ED0AEFE9EB540,SHA256=D4126BE8F2B25DBAC5183FC7F8D29D67AB0E41010BF268F52468DAB0E078437F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN027.XMLMD5=FC045A185BD99D4512386ACF73812183,SHA256=57CB0B8707A1CF0B5DAE872B4FF8ABC8DA8B83406A2A91E54D243627B3770ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN026.XMLMD5=53F8C22A2E8EAECEF8D94190D0D7015E,SHA256=AE65608D1D5E8D3E5C65EA5529DA6CDEF03614A2B1FC539D4D6E8A706E237421,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN022.XMLMD5=84712D5AEABF953B220A2A05665EBD5C,SHA256=0DFD1597E2DC09600DC2BDE97CCB7CA3945ADA805DBB54410E68CBB9EADD9D43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN020.XMLMD5=E976CD076ABEACEF0AAD2C8C2B2FE70B,SHA256=AB12C3F846C6BF48D888737B81A6669518D569389D023AC4A666F10883927059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN011.XMLMD5=F2CD000547F05CC10BA3F5B745C932D1,SHA256=B575C679987FD059766C24FE3E7D7300673C8D0B22E8DDD397CE694244AFE4DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN010.XMLMD5=1F15AD08368B581E4E36248D3D4A6617,SHA256=0CF17B663C8C93AFFAF0D995392BAE63FE66064156FFAF1E4043F1724D989558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN002.XMLMD5=363FBAA5FE3D12BD8E60688AC80FD252,SHA256=A63393DC807033893BD25A86A579107122E5650D68156CC954F4861CE228973C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGMN001.XMLMD5=D97CEAED297533D95078DE906FF163B6,SHA256=0E59D625E62D4E2B42893A9ABF6869B1A93AFA038A830A8CDF9F1EF124551F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL121.XMLMD5=428FBE89298327D17E71F798A2AFA4DF,SHA256=BA7AB31171C4DFAE45EDB99E673A03C3D2D33AC177BFBA2A05F3E8316CB4AE53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL120.XMLMD5=27F5B16EC036054E26DA1A1D703EF992,SHA256=968F61A56A49C12A6F4D68DA942A840332616030180481BEE4EA4D1AAF83E71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL119.XMLMD5=0DCCADF4B57D0CA7DF1B6954F6A327BB,SHA256=8F4755D1AEF8AD7A5FC03A91DBDF6CDF207AE37C66655EE7BCED8482A7027484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL118.XMLMD5=30E140AA9E9CFF63F75D7EF252B8BC20,SHA256=D1EE03FDCE21B33099778CCF4B9E8A12710C5548304A210CC519D92511D8FFC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL117.XMLMD5=615FEF8F32BB52CEFCA34DE0F7174B21,SHA256=E1B219F11785B04CE5DC91289C61D94219115792591E14CF477AA3E05A8FAEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL116.XMLMD5=41BAF2D4FBD3EA0E9AB7AB8DCF771687,SHA256=78F29D21991C840FFD084B0C59535837971836E8585A5F541991DE7F250BB812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.150{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL115.XMLMD5=416DF8123096B2400065C1529EC0AD36,SHA256=BBFA236EF383AA153BEA67CFC441E9079C6C4D87C7A14156964837BB5051B2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL112.XMLMD5=726707599B04EE4BBBEC432B43BF386F,SHA256=39C7C46D0A56A231C8B8A751ED95766C0182BB669AF1FA9BB21E772A1F6DFD0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL111.XMLMD5=603C7B1A78D6DDF2C51DF9E3CB2C9B97,SHA256=7D8E7D68A4AA28EF97AC35FF245F59F3ACB1A54263B17710D43B71DEB2D1A8F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL110.XMLMD5=36A9121637E134D180436BCD7F3AFF58,SHA256=8A8ECF0E876EA39FF569867E286BDA83C5388E696875E7D01BCF05513CDDEA81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.120{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7097817C0C5599D1810E8CB7F2F1EE,SHA256=ED6E1A440F094F42895C74719981AA5D0D86D133B2434226C5098E89FADEE3DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL109.XMLMD5=CD6B363100212A34A9EA268800A86751,SHA256=DAA320D9B002682B0663F058DA2EB9E1EDDC17D1C92490B1BC4E7830C48A1608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL108.XMLMD5=2DCD6A139CA6DD0BC535B8C134638466,SHA256=4AD99A8A5F33F18F50F472E21D4767BF0C55BE0135CB8B6A46AB6539FA32342B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL107.XMLMD5=0CCC389546A18CFDC5D078AB0A6E8C67,SHA256=B8FA2C3C1BE5DF5543835C623987B36AA44A803A749CB525D39CCD47F36C8D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL106.XMLMD5=6A5B55BD05401BD3F83C04DB40BECB53,SHA256=3BBA3432D7BDE5C6434C0BC59D106358F6D8EE4F1800B5365DC5BBCBF7CB8600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL105.XMLMD5=FD1E2182DDB025B2D6432F01D4A4875D,SHA256=74B750F4DC62C1CA2D60449BD6D975BC6060B039737769846F8F01FDFD41BC96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL104.XMLMD5=527389308C3EBA2B3D2E9E3C86BD9C99,SHA256=9124F5C64F0254A0AF24BF771BF4E779DB78BCD08DBB7716693F5DC410F193A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL103.XMLMD5=FBB72C4BD361151DF75D82B842AE4D44,SHA256=9C9319F11310DD33A49F5381D0B2A2CECE3965677E9BF55457367071A9856FDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL102.XMLMD5=5DDE3EADA47970D36D20BB4CB8558085,SHA256=54FCC9E187D6D9F560D9D0C536B03ED63A6E62FB1727D0F6E69B69EA26DE1831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL097.XMLMD5=6723EAA67E430FEF5DF66B73F47CFFDC,SHA256=4207FA5431A6349AD964260DE42260248CAABD8F8D7993BCB5CCA1E02FE8BEA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL096.XMLMD5=BC84EF8E5CC170ECF97210B0919ABEF4,SHA256=2A714D26FF174FFAA188B33501DE08A3642B56B0894DAFAA4030F47F30137097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL095.XMLMD5=6D01ECDE06A113953012E7E3DFA34B3F,SHA256=0A12520112E54581828AF93D995957D7BE9AE5288FF363D01B63B48F4BF4E2DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL093.XMLMD5=EF894422C2FB7366749339C8B77449B7,SHA256=89B8E7D60DA0176B77084DD617639E335E62D9DE29D02A160EBF2D726E09AD4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL092.XMLMD5=52B85FBFCA1458FCCA36321C4C4DD92B,SHA256=C978EB08B4F2BCE81EFF46A0AD3A1917CFB9F1667BAE1A2F81D0F67AABE5E4C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL090.XMLMD5=7B3A7A3BFDEA935AD8F1FA1FC716F67E,SHA256=5AC720E4552AEDF0B064E4C9E8ED0F7DCB60E2C0E5024A873DE74FFB3A2DF9F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL089.XMLMD5=A80F1BE8DFD3E8A94AE87233E1C66C58,SHA256=64ABDBFFA3371B951957FFC8A66AD4119E412FEF01708A647991A30294D54DBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL087.XMLMD5=1788527A66146296CEE9F0D33618A8CC,SHA256=ACC3B6514062AC7EC9E87E2D90AC58EE1FCC16DDEA351499726C5A6AA3F8740D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL086.XMLMD5=3DAB0549D14B9EB2966342FBE2CD8FDE,SHA256=60D13DD8B078373D839D0C234400177B15D71C01480E004FEEF89755B46FAEF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL083.XMLMD5=78D442905BDDE4D6A2A411172AB682C0,SHA256=3B4471B91D7F2A562D134CCDB481D1D6A0545703265908799F8E5C8E426C572E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL082.XMLMD5=DB5C6F03B6E7F776FED09A6A0D2575A4,SHA256=B9224EC10C9A7BAAAC711C79E2A95C9F4D92398808EF4153E088D6A11BAF43C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL081.XMLMD5=C8781A07208CD207A08CEBD8FFD18E36,SHA256=2B01C065208939350EAC1BC976E3FC0CBEAED43067BF1561330EDE0D083E4213,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL078.XMLMD5=EE554A1B66D2525F6C7C7F756736D9E0,SHA256=D94A85ABFBE72E6E3260293F183C3FCB4786CB842723B9FA677D04B6A2B090E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL077.XMLMD5=ACB1092943EDB2F4D1127DA4CA16984D,SHA256=736C8CAA73A5271D9331BC4CACCBC60D6705866C61F20FDDE800DE6B903F93AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL075.XMLMD5=FC2D6E617C038FB5AEEF79B81150E83F,SHA256=615543A30240EFE4793855F23D0EFCEB98FF34E963B34109A0CF86D4CC870145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:24.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL065.XMLMD5=8466A028087D41D5AD0F9CA122691E19,SHA256=8CCA61103A6B68764CA8E129CAAEEEBA3B30DA7E8397CCB223D96C38B6F27F9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:23.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PAGESIZE\PGLBL058.XMLMD5=5EF47E99BA860FC4945ED6C6F024B32D,SHA256=AECD2DACEA01801F5601BAA1A03A0D840DB0E9A3143F93B861155360D7D683EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000447977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:20.706{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIGN.XMLMD5=DA8876150B7E7E515A8906313426FAEC,SHA256=4AFEC5B1CC1259607FF40FA9E08267D3AEFA86B488B1A16854ED7459A3B37866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIGN.DPVMD5=62C9B0C9D4151B7102C8EFA57261CA9F,SHA256=21603B55E648D95271D85782793614D9AE726F764002A21C62832211BD9E5A9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIDEBARVERTBB.POCMD5=FFB7E53D98B5DE231BD2B0C6F8F4F7A4,SHA256=312770521A4774FE64BFA3E0B809296F7F807E66B7D65E6A873804481F294618,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIDEBARVERTBB.DPVMD5=F0646C0FCD2279888B3AE787620688A6,SHA256=76C512B675AA861A627B29F2F12B4646922585ACCF13D03A451219A003753388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIDEBARBB.POCMD5=BB6BED6664CD59F173F5D0A2E423A423,SHA256=141DD79B667A705E645EC365CBA6E326228131380C637A4659970C8CE562798E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIDEBARBB.DPVMD5=D4685C65C945834C9BD1BE7B1977E7D3,SHA256=C16F8C4CE4196D8995139B79E6FE6DDBD2043D716C16C9073AA638159BD945FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIDBAR98.POCMD5=A96773FC59D7C94FEE836E66C903D641,SHA256=2517ABB935D0A91506F34ED70EABC8B218DE50953E49FA0E02C8FF7E493B80A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\RSPMECH.POCMD5=1F0F2DAF7711D95190FB54F1553AB79B,SHA256=1733A38E77A73A337AACEE6F43E08AFE8CB305A411DF0362A9CB1F365BDFFCDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\RESUME.XMLMD5=D4B5E85185C4C0823E707DCB1D51F99F,SHA256=27A12ED84C12EEF3B3E524F58B91CDD226F1AB84F719B495FE00961A8CC2CC40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\RESUME.DPVMD5=5B204A195E96B2EAD77092FB8850948B,SHA256=EE3C302492A9C60D985AFE4D53959CC10F7DA6338B936FB2AECE5F01FE85426E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\RESP98.POCMD5=351B3571CF1F9C74B37E2AE0DD5A9B5E,SHA256=8E777815D6BE3704D20AFD75ABEA505BCE3374E5BF88EE186A19B804F2F00EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\RES98.POCMD5=9CBD7058B8CF1C9D0D90C4EA9A471200,SHA256=CA818A201BF1C862F39280253546A893C8E012EE99A78426C97D51A7517FB8CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\REPTWIZ.POCMD5=DDFCC7E770D5E7209EC8E53DB3B361A8,SHA256=00AC19326B128E090D96D5C36D9B60F22AE772A64560552AEE3BA1ADBC2DAFFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\QUIKPUBS.POCMD5=E58AAF799E456CA12DC25A83D41FD212,SHA256=F0D33F88169D42D0ED2D1E63756BD45E737DC2A193A1B1EA4EFA45405F4F53F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\QP.XMLMD5=FD28DDA8B42A218EEF1915828A4CBB6C,SHA256=805944BE5197A47B6465DBAFAC49FEBDE2D0804499F52B9BE1022AA0495C7554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\QP.DPVMD5=073A6157BF2C332AEF6FFD9E01C5E11A,SHA256=B76648C072F32587FAD2053F3725A2CC392D240CB3291910896A91AB731390FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PULQOT98.POCMD5=5714E2AFEDD6C476AA33EE3268F8EEE8,SHA256=120C0BD7CA6D7CECC6279E5680EF03143F7A9DA0FE7D3D9584003E67B7E6F16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PULLQUOTEBB.POCMD5=4579CABF0A8133C282878F8FB3F6B8EF,SHA256=A9986A2BF1A771F1E4A9FEF95FE31BC1CE136E6CEA28DD042E3BF6A0D6106FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PULLQUOTEBB.DPVMD5=3EE7AE66025663723CC8A144D4391948,SHA256=64FEEA0348941BABCDBD638FAF9859B52B2BDA2F37CA8E4157663B5D606EFE6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PS9CRNRH.POCMD5=363A6941CED60CEB6ED769203EE617CB,SHA256=64102C06BB8416C4E8D2346AE7C07FA5C2A0C9BC0803A1F1252E355B78A44E69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PS2SWOOS.POCMD5=EDC1F865C36576DC1032BFEAD6C9D491,SHA256=CB88583FFF3B1483832E883B685C59B3712277D16E8DF1FDD60535DF8D9D4B9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PS10TARG.POCMD5=2FFF32AF4198830B30DC9C98577655DE,SHA256=3A2DE9362ACE12A5894057F07DFE474EE2A695D3BD1C52F47437AE44E795F764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PROGRAM.XMLMD5=4FB2EE2EADE3267C6DA39276A93003A9,SHA256=23B4C2DBABC8351418F9E33CA99858ADF6467E8EB48695EC8A350147FEBFBB1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PROGRAM.DPVMD5=FF59B1EDFE2EE9BD0393F5A2C6FC6E4F,SHA256=52501D219C9FEEAECDF4E82544554BF602BDF1F739742CDD323303E00D05E29C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PROG98.POCMD5=772FA88A9A34610E582F8BA1D7CE2606,SHA256=F72A70E6754DFF24959135DD0ADFBBC46B6D5C92C71449D1F6AF07DA43DE9AFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\POSTCD98.POCMD5=649C1FDB89585479702896C688405700,SHA256=92EF38C30D9C195FCC090A881F61B7960B4C43555E6BC6788A6B47667A948CB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\POSTCD11.POCMD5=F2AFC822219996EBC9A80106ECAC68ED,SHA256=287CAA2F92986AB35CA46F4AE83EA15405C0EC7F87C93E3460D762D93A0F0551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\POSTCARD.XMLMD5=0453415EAC3277B00FAB8DBD3513E910,SHA256=9184188DEEDD976E77988661508F78F13B8109747D722673E9675C811068F76E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\POSTCARD.DPVMD5=761E933087DAAA0F097634814C7A16F2,SHA256=FC5140B58E80D3174199CB03A0DB5F07975C4CF8200E8E66B6F06EBDF18CF098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\POST98SP.POCMD5=7BEBA65F0EA0E3637C4D2AD53C422A0F,SHA256=7E78573D8BA27826BB21F9A3751FE0631C79FCAD80A29CD4690F213A14179D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PNCTUATE.POCMD5=F2878166441D998C8D1D4547AEE1B316,SHA256=EC2C7265356C0205F54FA8C4B7D4EFE38D4BD648256DF874FC080C6FE0E1E737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PICTPH.POCMD5=0B020030F63E93869568392C9EC26EE7,SHA256=8F517F48376FA55A9D1ABD454A65A19557E90DADE80365C1333D210466541409,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PICSTYLES.DPVMD5=99A805CD94207914B5648E731F46206D,SHA256=06B9050ED462F91A4998AB8FCC1C2A9AF9FEA5DCB2BA80191109FCF8D25D5FED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\PICCAP98.POCMD5=D2D813797F000E642CAE93A663AECF02,SHA256=BC6DB4C24625BBA2F2690AA3FF2C13523E710609830DE48EBA21DA977B34AFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:25.486{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2109CF6693E39E0714E10E8F41D3455C,SHA256=16AE88C8F4D2FE50E4131BADAABD13EA1033F2294CDDC7917EAB97464BEDB753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ORIG98.POCMD5=442A50059B81A58E2610D128DAC62A44,SHA256=DED4175E02E947F6BDB0F7BD22D25CA6D9355E38033EC573578B74C301FFAD73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NEWSHM.POCMD5=1FBEEA24A6BE7A73EC76F75D9E5CB55B,SHA256=3206F6B9B74500388A33B20ABC6E70A73B56AD8E49B6AA6A836A6F0AA2048A5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NEWS98.POCMD5=D1BA7BE463368F72F42A8C5709247B56,SHA256=D4CE64E9FA617145A2CAB5ECB734F58808F8B46BD366B1B86B4202369E0C1089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NEWS11.POCMD5=D8E394EFC6219542556343A46AA08FB1,SHA256=C8ACB43303C125825335F2888A1BECA81698D374E4A0D6A4E747940307317C0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NEWS.XMLMD5=4B03C05FC519E481D43B1511A4C3E315,SHA256=4BCACF527951128AB21BD10C68D5BF16612400E53BE4BCD7C22BB230EC133607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NEWS.DPVMD5=6F2CBBCCB2F0515EB4620FFB48B5F323,SHA256=5D5430655F264322096DCF216B01EE37ABD7E20510598A025CEF84CE45B0EA0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NAVBRPH2.POCMD5=34AA410AE50F7603B9832E58CB66D9AE,SHA256=790D6F487A1CF6F3948FEF0F6B662AEB0C932CE347BF9D04862F91AAE7B555EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NAVBRPH1.POCMD5=B4418370A712233BDDAB565BE60A623D,SHA256=DD0D0DB554828FFD9D6950BF0C4BEDF45E153958A385DCC0E51F4628618C0896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NAVBARV.POCMD5=7E6FE47C7D48C74561275410FA4EE008,SHA256=C5C46515B9B74D4DD0E84F86123590753A4CB205F63134E0F5DED877F1469E61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\NAVBAR11.POCMD5=B89151077CBD18B0C600757882EBBC6E,SHA256=9D8D99FF8396B3986B0DD78FD94396C6722A7B70ADD226B51B2AB1FDA74B1A82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MSTHED98.POCMD5=04FEB08D35DAFC106B33AD10FF805994,SHA256=55315B30A14567A1BC6D4135CBFEA88ADA8A5AEDD3160899321A8FB047B56150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MENU98.POCMD5=FE7152CC7ADBCB18232B900C2AA27A0F,SHA256=476127B1A8707B7E01A0C489476E0B78C83D6138D7F5CB99DDE420D7D1AF0ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MENU.XMLMD5=D1BCF166C5D07413F0122A4A6DC1AF9C,SHA256=8E9EC0FD4A6C18F1FABD06687B0108631F2F89FF89BA5DB8DC1D98F22DA84B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MENU.DPVMD5=FF55D8FB02777F355B3F8CBED091FA84,SHA256=C03C9B0B962B3CBA39AFFCB4237C15BAC6C3949F144A72DF0C99D987C1BB06CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MARQUEE.POCMD5=94168C3BE9ED57854CCFEBD06C1535F3,SHA256=EE4A2082A1DF3B2922EAB4C4643454F2713E8E24C9B4429E8EE2E047D8B4705D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\MAIN.XMLMD5=3757F59205E2F91F3371FE99F425FEB6,SHA256=7D17ECB386DC81C74518C342CA17382E371A32280F500FFB61D00331A8E4D2A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LTHDHM.POCMD5=F44FBA4A84A3FFC7219177008A9CF473,SHA256=F1A9191951E44AD5EE3531AF64F60D3B690BCA5223AEE0355E0B4B996C9C3BCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LTHD98SP.POCMD5=CEF0F8D0ECE0148C66BF2398845111BB,SHA256=4D6D8530E47DA9EB78AF459F4FF9CB814AC157CCD9AC943E6391BA962D1810D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LTHD98.POCMD5=66775072AA8BBE8BD9161D4386FC7B03,SHA256=1315CDEBA500F739F1B1FCB7F1AFDCCA8A08A311A0C029F88FED13B2323F568E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LTHD11.POCMD5=32AB366BDB4BC87C23BEC9717BB746AD,SHA256=21E0ECAB1943F1BA345BB6004925CFA440D4F97541AF0F63872F871D3D3389E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LOGO98.POCMD5=6F452E14FAAF222751B75575C8164EE6,SHA256=859FE34F324D003923493DA47B15E3A40F3323F7352A635FB5F8293B944862FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LINEACT.POCMD5=6B644ABA16E96FDB7ABAE1A19F157D1A,SHA256=1F63303E29BA5D64F580099CC02129FA65C2CA011D61E29CEA1F8B3E27D63366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LETTHEAD.XMLMD5=010CD7E94A509AF0DC40F6129D519208,SHA256=29398A46F6BBB77729D688CC9F0258DF5EA82253E1A8BD9AACADF5D639588941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LETTHEAD.DPVMD5=FE75BA716A410D140A1CCF9EC151CBFE,SHA256=346C6FCC4AE1C69DC7D5E1C3F3E24FDC16DBCDA9F42B2E46D97B2C9AD36A0CB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LABELHM.POCMD5=E73AFB7ACE45E3FB8421C6B99115CC37,SHA256=6C1B826DD58653267F662E2A1C70ED132B9124FBF1147D4FA45A9C9D0D7DA65B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LABEL98.POCMD5=ED7E11AFEFB1B76186B17B107E4FAB26,SHA256=5A2ED2B0BABB49C72E34C05416AE37E6411C00A86E04C6B08C42D93918537DD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LABEL.XMLMD5=AA098F17F82B5B4F1BFB6B38CC4769C0,SHA256=F0B3B5FCD343F0BAB5B73710DCFFE9FCF90FD774543D9EB246BC1DF925CAF559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\LABEL.DPVMD5=5751016DB457DB8D71E435C78DB1A362,SHA256=758F62A5F17B7ABE5006EA6601A7BF94544216F3DA33F546109B77F3BF60E66D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\INVITE11.POCMD5=0C74EC36BA5EE90B15D91D5F888234FC,SHA256=E92E4826DDA14791514E91F9C7C69802B2B2CC53A86BE4DB35C132FA9D226DF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.764{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\INVITE.XMLMD5=4FA20E2DEF84399657C2B7E9AB14227E,SHA256=D483D404FC34AC8004B6653F3D2FB658D72CD19FD7B8F2FF102FE8E5055CF70A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.764{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\INVITE.DPVMD5=FD02067A0DEE0622FA5ACDFEDE7D53B7,SHA256=080D41B4976034DB4B3A93466FC5C1F93A2DEEA7998444882AA1D2A55576AACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\HEADINGBB.POCMD5=F813D4C7F0CCAFCA760BE2C594836C60,SHA256=392D649E1F826A64E3BACB4A873008F2BD53152AECE25417937C9EC7E13BB3E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\HEADINGBB.DPVMD5=F71F69A106F17D895A8C801707B389AF,SHA256=47EC0D4B393A40ED99D1BB224B46F5970E677532020F78E462B584CCF4148E69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GREETING.XMLMD5=2F4FF4266B4450894C716BB86B8CA567,SHA256=60E062A4B82A3809EEB6ED94DE24FCB002F0CF07CDF20354D6DF8A7C4E5A75DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.717{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GREETING.DPVMD5=785A903903443A0129A0D91771CD8A75,SHA256=DA361ED3B61977B1C198FB97B9AE975615D440BBCF37440903482410478C23BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GREET11.POCMD5=90E5120C9225BF4C731E6BE3B7BB9E9E,SHA256=68F029134AAF37C4541FFE522C79D3FBED31BC9401AE533B2F42AA67C013225E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GIFT98.POCMD5=2A4834ECA5E793D6E8451A510244F73D,SHA256=E2EA938277CB812AD79180B4E605BD56EBCB22AC8C8FFA91DDC54B7B485D786A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GIFT.XMLMD5=1E4B85AF206FE94972495FC3C9669A00,SHA256=1F77141D7C505318F27ECF0FE523F7128B520D884E0E0D3DE566AB43999BB069,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\GIFT.DPVMD5=2427200797A4DCA70AF19202EF8D51A2,SHA256=E3A12FE4A1D8770FD597E2D62C5A34229F8BF12B74A565510F8F12C32DC015F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FS3BOX.POCMD5=887F3865C55517A1EAD2663DE5019998,SHA256=007D574F67B715D8AEF2889C2A1745DC18E5D1BF298176AF311FB093693FF23B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FORMCTL.POCMD5=DFB8C3E78CC6328D3D6D8E45DA1F028D,SHA256=074F3F73CC1F8A31D0780D076C44A1BFE90DB7C100B0749D19505E721099304D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FORM98.POCMD5=FB2ABB7E74AEB0BFEE44E2FC1222B74C,SHA256=535524D65F8C2B0EF110897C1D8F76F6A83F71F61C3613DD52F965E66A35A4EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FOLDPROJ.XMLMD5=2A48B714E5DD1FF04B7F422714A51478,SHA256=3D458241BA067C5E552C87B6992E774F8CCBA753E783B296942523F1BA6DD856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FOLDPROJ.DPVMD5=C67E0D4A455E74237D399ED8753FD42B,SHA256=FA1BE2DFCDD8DAB0217EC9C65B499A69E867D0ECA4AAC512CE3A15C7B7F58805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLYERHM.POCMD5=2FDCD308F11B11E7A440A6B06963CB6A,SHA256=ED2D60019139A86D801FA0E5DE254CA5D983DB38190CB45C8A56D996DD893E10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.483{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLYER98.POCMD5=8BDFDE843F44B6B960A721F48EB790C8,SHA256=0E745197DFB61A7D127103CE827E7E55B2BA1C927889C331015F748ED7B8B9C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLYER11.POCMD5=BEC9412198BA7172CFB2320B9C042FAE,SHA256=591C90242202A2EA4A4792FC3EBC08CBACA58A8854B4C5EF95A7F151AC722918,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.467{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F565C2DA92B964E5618571F5565313C4,SHA256=D1A89287916A1833404B57E2911BCBB185E634CB18E66758F0094140402CA40F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.467{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLYER.XMLMD5=D30A43D1E1EB6BFC51D4D508760C4CA1,SHA256=1FE107DEAD3094080CF77A74412EB67996328ABA8A9DD35E46FE4291B160F6D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLYER.DPVMD5=2F2BA71E904BE3D43008A6ED12867058,SHA256=E372A5CC24D55D886FF4FBA5A321A0D672E733389BCF6FCE263396209EAE2A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FLY98SP.POCMD5=198D102BC1A80F62CE364AD96DE369FA,SHA256=5A49B30D3E065E1AA8BB36A05C95D833B6406140F77308C4E76EBA8E8516C3F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\FEZIP.POCMD5=2218EB1B4C48834D9194C86363A7B42B,SHA256=75B90C307314D048DBE059FFA0006678A5CEB0ACFEDEE2F27803DCD4D1DF0701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENVHM.POCMD5=D66C93671FE01A95B3014DA141DC4989,SHA256=FA9A5AAA95F904C5067FED0C47DBA4A1F4811E887501F9C8A65838475CC24DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENVELOPE.XMLMD5=371F96DB8CCB4C56F5ECE8B5851D6529,SHA256=D5A8329A946A0154461B3218B4974776075386CCEC02500DD392F8B82AC55403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENVELOPE.DPVMD5=8368AE0710A70A0C8790AC593669895F,SHA256=EB9EAB0D8E7D8D2B93EFEC3CA518EC38D3CFD5D7217FC9F3D1E93ED91F03FCE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENV98SP.POCMD5=9196D83D469F4EAFC233BE6BB7FD6B65,SHA256=3EF2599E9B7CC4120E2B3C999123BF715DAD547B6816B64AD9BD9B6405F86635,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENV98.POCMD5=15FEFB684E85AA90A598417FF0C2B527,SHA256=BC0E1B3E745FE09321880670D5E8A89DCA59E6CA2031D6100AF9C7BDC82B70C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.421{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A1C11460FDFCCC67C251C5B982FDFF,SHA256=ED3A42F9ED71D649F68DA3A49024436C7F55CC75DD612C4FBD426E769D1984DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.421{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3E1F19DE700ED32794075FCE4A21C8,SHA256=AB13AFA5AB5A8CB9AD8413EA2E5696CADA34597A28C786CAF6B8083FD51F8D6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ENV11.POCMD5=8034DD38C9DB81207C96BDF09541BCF3,SHA256=3D6E6B2F1354B69B46AEEB6C25D94CAC34517C50C570222A727201DD4079914C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\EMAILMOD.POCMD5=36A18EC3D4502DC3E2B76BB784050CE5,SHA256=010B20B7934DEBB5E2A2964319A382337E2D7BF7F56FA57BFDDC516E7ECDC202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\EMAIL11.POCMD5=BF41DCFC694AD9930AE8DEB57FAE213D,SHA256=A1F8BBE34B30CF669682352EE25B439CB667BB4D4C6BA8276819AA038D9CB866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\EMAIL.XMLMD5=E89CE5DB2DAF38DBBB7625B1FDF632B3,SHA256=04E1D7A6737790E7A078FD38D329EFB6BBB8B82AA55917906F2756F5C6906715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.401{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\EMAIL.DPVMD5=602A184BE40ECC33161E4615A998AF3C,SHA256=45C746C2D922D55B5665ADC25C941B73D971993CACA08F38A1F70B6EFF5EB3F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DVDHM.POCMD5=267455D225BF6DD1831987840133CB9E,SHA256=623B7DC01BDA633C030322EFBC5F26692BA27DE1B61067CF4920625D009EC43B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.389{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DOTS.POCMD5=C3829CEE43A73EA9B288090304AD9721,SHA256=CC34D29885B7D3DDBE443AA14FF93CF53A86A4F093501B08B8AA4FD98268DF0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGZIPC.XMLMD5=BB524B0F87D16ECB02E39C4368AAEF5D,SHA256=F53DED2947B298DEF35BD7B696089061DC1D08C68BB3CFDE507C5A916282C66F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGZIP.DPVMD5=48AEA795D7F69CF0B71EF126B2191B78,SHA256=5B480664EFE482EF65CEB3DCA6E97B72726EB40AE8ECB996211CCF0CDD20237F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBSBR.XMLMD5=0305B0D1C6261777962541856143C171,SHA256=808C4476075B0268948B364FE33669FAC22717BC9933328D0750737919224F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.385{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBSBR.DPVMD5=B64D768BA46413FFA69C11DFE0FD4D5B,SHA256=FE80C00F81B839F7A950211BE8C2E7B04862B9BF368351A4D3E08C8A23E7CE31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBREF.XMLMD5=F4ADE7F7898B4D445E9B5ED1494CEF50,SHA256=7046A66471B710E6FEE4298CBBB993E7DACD346CB9956135A1C97E7A2AC84116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBPQT.XMLMD5=5428CD8216CDF2DC1E8C803A183B3F54,SHA256=44D4DF53A49BFAAD2054F5C935F6F2919A1EB516209D3831FF926A5EF61B63F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.382{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBPQT.DPVMD5=A524FBB5C117EE732F3DB14B06070F33,SHA256=FE23B205823EBD63DC5B04484E2257674D2112BC34B2668F0CD1919C2E05710F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBHD.XMLMD5=C0599BCB8BB2D810B05F237CAD59F301,SHA256=F663E817E6FCDDC71B38641D6F5EC0848E112443110465DBBD1B5FE88632DFFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBHD.DPVMD5=2B9AFDB7A80A5E94340CE55D27A674B3,SHA256=3CCD3C16B5C45DA15228F6BAE986AD18F5998E64D17414972265A7EF9D5E801B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBCAL.XMLMD5=BC6465716497329220969C30AFADEF90,SHA256=69D6F08ED0FEACF1B083945ED524AA23B1767B04CBEAEE081727A77B81C80E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBCAL.DPVMD5=6CD060530CC552D8F6F6A72FC783C03B,SHA256=2A296EB7B5A7ECE84CC8452B1E87332818359B22FBF81048A8A9D82A1810AF7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBBTN.XMLMD5=50291E1A931D50099C6655FD5271A2BB,SHA256=326C91BBE85E16584F93C9D33D23894C210871636D6AB7798634AFEDD8864516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBBTN.DPVMD5=1DBDE30E05C45AA8B6DA9640430F9257,SHA256=3D3542CA7A7561D5209F25F474856C93D0AAA5DA39D9ADA39C99EEB0BDDE8C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGWEBAD.XMLMD5=2AC9F185B512793D463E1C3298985FE8,SHA256=01E7C3BDC13E1016DB51C7647F2B76112C69D1B07C26A09D0D1143391AD44041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGTOC.XMLMD5=DB0B68FC2255AC0EEFD8D34BEE921B76,SHA256=93407128FEB294B2805FD721560084805049DBCB1C461B201B0C2B5EE33A9AE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGTOC.DPVMD5=319ACEA29D0F46DFDFDFD3136397A022,SHA256=7541BB104C528C206BDC6F2ECE238FB3C1F8AC5EED6A7CF987949651D2A28F37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGTEAR.DPVMD5=EDB6004D27FE27846AA1222598E24DCA,SHA256=821B02629BFBC7C337F23985345B6B584306A0E4ECF3FF64959F2FB01F789864,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGSTORYVERT.XMLMD5=6A5039CC39A04C06B7E3D6DF2E54295D,SHA256=47486EE06F2815D74308760D89DD5EC7B75CE1CF3A2B18A01689BB11CFB370B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGSTORY.XMLMD5=F86CF0F9F28536EE81CDD40B3FB85A67,SHA256=66C0B54EE5498D835C5299061758FCEB555EC35001E3FABA073FA830A7223C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGSIDEBRV.XMLMD5=576D032FF8B955EECD81E728FBF4C2DE,SHA256=97CA548C438D3520485DF80D7B952009B0A0143A2CC82822A5AF786999F50CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGSIDEBR.XMLMD5=8A93906A9EE4A326F9A3D9887DB18555,SHA256=340C643872C88D97944347D8649503560E340111FB2CE8A0DFE0165D250FDF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGSIDEBR.DPVMD5=61E7143425A7A60F0FD6509541415120,SHA256=D14F1F57941C2EA4593496714596B288BDB73C597F194546B751D036D6650F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGREPFRM.XMLMD5=A0EFAF2E370D9A42DFFEDA0FE04E2FBB,SHA256=F6375B4CA98D3F5EEBF6B9ACECE3D7FFFE3AD517B02DA880ABF10363766AD001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGREPFRM.DPVMD5=D5161C56673725729FA439E5FFB2E9C5,SHA256=4F8759733DEDA528E1CCE1749FA2114873A8FCE6BF31F1B72A260BCBD566C558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPUNCT.XMLMD5=331EA994904EBF93B49BDB5AAA89B669,SHA256=9BB4CDEC2DAE164E98642C2531B89F8AFDFDBE00E3DDEFB77643C857921E91EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPUNCT.DPVMD5=35FC9EE08193744AD90D9021683CB2A2,SHA256=821B3DEF7E83938A1438BAA19DC721ABC5A58FECA8B513945733116160C6D204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPQUOT.XMLMD5=8DAFA9906B9FDDF24A239DB81298E47A,SHA256=8FAEC190ECE553B761D90B8402FA14ED23ACA119138DE481D2D5ED86CD740F4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPQUOT.DPVMD5=537FCF01B1931E72F38C14E9D071C416,SHA256=E971BB05AA1F55AF7660057C84C89BB0382161C8B8F62E640E757C82FD5793C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPICCAP.XMLMD5=4E8CC7BDE1C5F04B64333FDBA00A543A,SHA256=64E7BBD67941BC3CCD9FB024574695F0D686C656EAFDCAAD5E840F4E942731C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGPICCAP.DPVMD5=E8230DA86769202911EC52C70321B2AB,SHA256=A2B12471F884D3AE96EDC4E2C81BE516445C988158C1E1A573EA3A04B61E4E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGNAVBAR.XMLMD5=D0FB54CF492A1BAB734E4ECD01E1469E,SHA256=79FBD59725733E4E6D792B5B64728ED29C2BE0F39953B677982360528417F54F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGNAVBAR.DPVMD5=2668A99D54FC8C64306E829B0AAD3968,SHA256=60AF8640576CF78AC0A18355EBDDAB9C7BFC7BC6A671507D43A9FA1530AF13E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGMASTHD.DPVMD5=CF3BC79FD30DC54C55E1D4F261D2E98A,SHA256=E8D5927F552C0412448477B4F6F72D6072CDDFFABB59CB486981343AF59D3731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGMARQ.XMLMD5=9CE6F1FF729DC0459A9395DEBA750A7C,SHA256=928F6B2DCA17102B27F1FB0C4E511A968A538CCB466C176D674D5836B75A8EF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGMARQ.DPVMD5=AE3BF4559C39C1B85A5275A271FAC3E6,SHA256=7992061D57BE54A8F36AF1E784FE03F2F14369C20162F3B3A8731DF0890B9220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGMAIN.XMLMD5=1564BCF598F5BCACB74FD9F2D7AFF247,SHA256=136FFF2841F0FFBBEA01ACB25DAB3A91C0856124477F046DF477C30291A6A4D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGLOGO.XMLMD5=C6ADA538BB1B05BA2B94EAB959A0437D,SHA256=A0C20935428B12BEEA28E3C18ACF9A375CEEC2480B81AC1FF91814AB53C5A201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGLOGO.DPVMD5=01107CE4D0A614311B5C38CA44D7E05F,SHA256=6456EB1F6774EE19C618EE35AED0C05277DC084327900343CFB7A8D0F1E108E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGLINACC.XMLMD5=3A625596ED304D9F7C736791F5143FB8,SHA256=09F518091375D81724EBDD2109DE6CE7CACA6C577918B34EC25C04D1760464C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGLINACC.DPVMD5=29E79D13A2D5921354D404C581B9A75F,SHA256=BE98973FCCD02D9D6513EA46FA9F6F1F2044B8954BCEA099E8ACB7E008D6F99C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGHEADING.XMLMD5=586EF30915931E83C88BCB38047C4722,SHA256=D400603A00B669514645F5573304E24B5E73A985FDCA26C5255D141829BC1082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGDOTS.XMLMD5=BEE828211F217A8340865BF581F59AD1,SHA256=C319BFCAAB1D02199F4404C53B74AC883AE71065930955AC363DEEAC6F859024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGDOTS.DPVMD5=71C266C45A53908B1C3473F3110CC48E,SHA256=599B3BAC32772E9C27A9F30B05F61FE5ED74528A9A0D2C963D02382E06BD47D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCOUPON.XMLMD5=8C36730BF9AE1F78609E512BD5B82A5E,SHA256=D5CB29177A36E0599F910F57A783E4B6E6DDA5AB298B11D07F473FDE421461E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCOUPON.DPVMD5=C0CCE6FD80ECC7586237CEBF4AE60FE8,SHA256=35D886EF1D1BAC4B6347AF903C88FF8EC95ACCEDA7F8F23F0A5A411BB5AC2A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCINFO.XMLMD5=C80F1E09C5A4608C4A1C48BCC43090BA,SHA256=38477C01C3F3864BFBCB082A760FC83DFBF82CBD812A6F4AF8CCBFCF2253598C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCHKBRD.XMLMD5=B2EE4C8CC1B985975BF8B51B265F1A45,SHA256=DA1390A83A6F80CBD2D31878F6E13FC787503160DC60A27EBF04B64B1F8721CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCHKBRD.DPVMD5=E42D9B1A47FEA8BA3D7B947E2CE78C78,SHA256=68D05BEA0C8D88BBF0E0E517AF6036B13D9D2FA0C66C60A0C3DD0C31DA044410,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCAL.XMLMD5=E9D493E39D7ABD7DDDFF65F391D2518F,SHA256=05F71566322DCBFD2F67521DD9F4128D55671C4FB800B21476A0102D896B1F29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGCAL.DPVMD5=936B578C48A8D4FA48BB409BA47ACD66,SHA256=6CE9AB955AF87C6550AEBD359D92C3E435AFB69DB6A8236F96130FC6283424B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBOXES.XMLMD5=26BB550C932464F4689686B644C942A4,SHA256=2AFA21526A96940911568BAC1CAA43BF3254AF7EEAEBA88B9CD32FEDFC77BBBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBOXES.DPVMD5=B8DECFDEDD0F5391F908BA6003C34151,SHA256=67C8D00AA1E967010ADA40D6E86EC6D20454F81FBC43833D3A3A9E9B6BCE454A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBORDER.XMLMD5=1A55946DDD2A16C62A16E8DF7DFAA610,SHA256=2BDFBEF5FE3C7C866C4E88674CD73AE76261DFBAC70F469F96133D00ED6970FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBORDER.DPVMD5=A49659B42E8E2D2A2CCA180ACFA30D92,SHA256=A94A9F6683DF1F2DF1B40A1FB96D59835136A2A8E936CDE4A71122A3F4D1A404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBARBLL.XMLMD5=80C5BC454689068631A8752257C77D76,SHA256=236579FCF46595B32C2B9AF2B192C2CED78552C50E85F6B522F8FB073FACB7D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGBARBLL.DPVMD5=7AA27DE6F0DB431F6DDBA5FD35088FA9,SHA256=164BC353D91CF72067725539C59BA515A46AB45765AF47D7A04CF4DB803F72C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGATNGET.XMLMD5=6B16558764B0EBC4835517F2B3E21D97,SHA256=99BB0CF749969E85B4107112B4E992DA9D2E7F33BF70EA733C33B10291A0D506,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGATNGET.DPVMD5=CB0106F619F449EDAB3C15BE99D04AE3,SHA256=A917F1853A286C61E126B44279B76A5789117B4C85D3E8EE4849A9827D16F777,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGAD.XMLMD5=AF2AEEEE9CEE636BBC33B410799B58D4,SHA256=C6BF9D8024AC91246A3CC808DBB7D71D96BC84F29EFAADB021D46D38D25CD28F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGAD.DPVMD5=D3BBE56EC6D466624B28A565137210F1,SHA256=91B0F91846FE695149FE82746C83D9AECEA81980406BC16BE001F5E66B21D6F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGACCBOX.XMLMD5=F3A7B3320BA63D4DBD6A30552C2CF6D1,SHA256=C0DA0964A0A5FC3A1D0148D5637880E8F0697BB7F4CFDB0F2941AB64CEFE31C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGACCBOX.DPVMD5=71500ED543437693EEFA039A1F6A5184,SHA256=8CECCB7E6D2EDB335BB4FF65055DF629562067D97FF53E978D2580586834EAAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGACCBAR.XMLMD5=3AC408515717FDA6D77C0084151FC70F,SHA256=2393CB89879C8863AE359E49EAC162CE502AE3B5C694BACE27A61AC63755381D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\DGACCBAR.DPVMD5=3F96CCE33F032EBFB4F684FDA933CDC5,SHA256=F5561C9A741A40EC4CA71112FFACF41E7EDA38D5492B9B070BB317C375475C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\COUPON.POCMD5=064537069BB8218DCFF613BF53C8D324,SHA256=570C0FE15406459C52464F42C9567A0CAA6A29976CBA03BC27B88DE7C35EACAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CONTACTINFOBB.POCMD5=6A060AF8557351098BB6136BBE3123A7,SHA256=7D90A3103F89127AEA0AF7DB94ED6BC070AFF62A238473D7610AC2C8C8831147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CONTACTINFOBB.DPVMD5=DF0805C52F4FF5E9FED558E0FA05EB9A,SHA256=062EED94A0C3640D003C0A8E8B1C85B79D1C52EBEB25373C494923CBF39C9277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CHECKER.POCMD5=0E72AC80B6FAC87AB5A79FB42349FC95,SHA256=BA42B3306D5E4B78007E90F116107DF4C8919576A67A9AF4E76F6D208F66062A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CERT98SP.POCMD5=7B7240AA790548F35E9F6416DCB05AD8,SHA256=D1D296FD1D186699E28A8626425E36D84F8A48040F201096A070A3476477C754,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CERT98.POCMD5=DA69A1A5C781C85EA59B90D92FB53DEF,SHA256=7C60A6107BA7DB4172291A8734C047223C58F4A727EBB4F797BC1D99E15498FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CERT.XMLMD5=38B48F00283C82AF264B5ECDF0E3F4AF,SHA256=7E71194052F3D45CBC0C7A3B19FDE785B68AEED98BDE80E3CEB7716F1065619E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CERT.DPVMD5=8E907E5020C5F994CC3A8360DF6A1B75,SHA256=BD1D1C91FE33AE2366186C72236B79CC231B74C5CAB70EF2461F565E8258B84A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CATWIZ11.POCMD5=1EFF94A703F42A0F0A332D5F45EDE419,SHA256=9A6BD13C3A2DD69D91B7A24EBCF4881760C0CE4494FD50A2E574C3F40EBF1F06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CATWIZ.POCMD5=7CFD49AF25B1988A4791BAF0A380C4EA,SHA256=69DFE1B3BCEAD91EC6148A1393297F2F83CDC51076AD07C763C45A409DF5C08F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CATALOG.XMLMD5=97045A9C3430270A1A1DABBD845BB1F3,SHA256=7FC0A5C8D0F04F0A5AC2CE6D083505818F38F37BFA09BA5DD560C22442E0F25B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CATALOG.DPVMD5=837BD5E26309ED10053577BA337F0FAC,SHA256=7E052230A3FE518F78FCC76C46DD7834BFF4FE7DD436757E18416C8D062C5B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.251{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALSO98.POCMD5=0085BEE5CB21D1E18C9731FBAD0F706B,SHA256=889A265F8D950DB953F75843EEB9449D2E5D1A6C59CFC06647A7079EE905D481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.251{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALSO11.POCMD5=7AC701274335C21FAF6FAAA32811392F,SHA256=5283FB5CAE8CACB24D8D7B3DE4362B0B63511480CB3E389B123DC1EE1BEDE86D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALNDR98.POCMD5=FDFA13A155C0BBE41FFAE02374C5C6CB,SHA256=B923A037648F2F070261C2B89A93EB3FF8B2922EE3E1316D90DB4DAE1C8AC294,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALHM.POCMD5=25D25810FD147C89C35901AB1FFDDA95,SHA256=1A813F21006C825FB2654709193C5BA89482DCB94BBE2485C44FF9755617CB20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALENDAR.XMLMD5=5A05F1F10353AE446F86598AF0312CE4,SHA256=08FBE5D8477E9FEA0672D5DAA90AD61AAE0D436FC6C19EF0827A194B9FE5A6C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\CALENDAR.DPVMD5=226EBF650A333DDB6BB1BBA3F23AA1BE,SHA256=F62FA841966333F64D856E322B19DAE3D0123A87C2CC20F262D059634059BC6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BZCRD98.POCMD5=493F73A6CFC9BD9291701CAB345E4771,SHA256=2A5CF8CB3AD0DC469C223526838275A4560F742C0BB780809484269548E2D56E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BZCD98SP.POCMD5=38C81841C20BC36C7EB5475B4964FCB3,SHA256=9B86B4F2380CC17CAC508FF8F862A2BA8623ED4764622F3A2D4C214ACA392037,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BZCARDHM.POCMD5=12DAD7374136F27539E6FC3C115D83FB,SHA256=418898641762BCD6E0D27700D20E6586C2BAEB5BCE1181C3F6942BC61F02C8E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BZCARD11.POCMD5=57A9DD6729442CC538A6896A3FA0B0C9,SHA256=3D58FEA89ACCD191BCFFE93C1EC0244CF02ADD19DDE02883A47BC5199CC06591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BS53BOXS.POCMD5=A8A1716D563A2643D2E6B9911513422F,SHA256=E0139EF59789B1911CFC661D5921A21346508742B56F269A180E744408D16311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BS4BOXES.POCMD5=29DAC17DA15A59F9B5C4377C698A8E4F,SHA256=DDEB3557D4AE097598A939AF7A5770DF37D6F54C07CC5D935A92736DFA0A8FB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BS2BARB.POCMD5=6E2272CE25B8DB72C3F820E837623734,SHA256=E4707A592692891A1296E3F01533D5A5148180958CFEC866DAE09FBEA8197B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BROCHURE.XMLMD5=20A07174C0656486D3AC4ACC2BA54E08,SHA256=F878F197496253F440606055681D3A4C34607F5641AB0F788E058CBF02BFA8C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BROCHURE.DPVMD5=12D6134B89BA1BF88ACABEF254F304AC,SHA256=A90CDBC2665F899F593EA433284CA5521F4DF13E785C74D9997891B8105CC642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BRCHUR98.POCMD5=4EF3B02E901E2DC20F1A665B7B384B85,SHA256=B60E04C7C48189E6744D44604AB5988C9D69856ED6C9EBA391AF40E4D17AB4A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.142{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BRCHUR11.POCMD5=9F314D92470337700D3A93EFCCBDD715,SHA256=03CDDF1481C3C0E395003713D5D751681BC458A396D08BEBA1F57D327E7808D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BRCH98SP.POCMD5=27B605E1C2FBECAF5CF3C2CE80BA591A,SHA256=7DB79E87FF5D50FC292A5DF08276DEFE9570EE67369F82BA3EF981C38F91296C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BORDERBB.POCMD5=DF2D11F09DA1CE8CDA0398E43E3F59C0,SHA256=D74AC15B7274FF837560D7A5D08E835844EB7C85422A6A86D5828D96971BCA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BORDERBB.DPVMD5=24D37E1B9B3AC4007525B3270E2B7D57,SHA256=10668ED34DF9FB38F71510EE3F4905B87AF4F99CFFE6E7B30D74A820162A29F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BIZFORM.XMLMD5=D2BFE80BCB7880986A01DED9B705D5F9,SHA256=73BE4FB7DBEB1A649C3E3D76AECEA34F38A085E5574A2C5A4318099B211F5F37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BIZFORM.DPVMD5=958F4B70682EF75332638F610F32090C,SHA256=9DC74AEF494469B0995D770957584D819F476EFA88869C04BA54E99E78B2D062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BIZCARD.XMLMD5=BFF2D832CAF15A8BE6AF2C84A527B07C,SHA256=B4C12A69C502D1B2405206C72D90B22A9809F82D35F96B282A6CE4073546EC98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BIZCARD.DPVMD5=4C317AE1F801B5BAACE660FE3A5EEBEB,SHA256=76840C65CBFBED0FC2DB7B6FF7D5CFE195D8C38A58E753DFA4A66FCFCFD90444,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BDRTKFUL.POCMD5=E14394F26099BB86DFCEEA2AB4E98405,SHA256=DEC7BC0EBF767827C66FA5660B3B6ADD59E281689BA67D264C5C7D45257080CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BANNER.XMLMD5=06EFD5B5D66EF5F90CA8DA8041942F5C,SHA256=B94E0A37B00425F43BEEF55A504CDD75B7F2838D13B96BD6FBDA3754A2043D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BANNER.DPVMD5=1F86C50B90A0FD19D4F901E49D09FC2D,SHA256=E37AF49C78C903FB0B4746C32E248230D7E43099495A5096864F4D2455F21C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\BAN98.POCMD5=61B40B5476587A2D524D9A479EB143B5,SHA256=7D57E17A837DFEF62E8DAC749719B761BEBB32ABAC4130126C74E6F5A16110F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\AWARDHM.POCMD5=6ED98A0FC70259C06A4C5085D8B0A703,SHA256=5529B0C586854E05EC111548A1F9122F4D1E91FEB290F8F653E43C373DE3EBA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\AIR98.POCMD5=1BB1C75F0586BC8692B6A9DA44D67749,SHA256=3F31203A2D8176EDA1E6435D545BD570F00E57036EB6447475B51190EB27A1CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ADRESPEL.POCMD5=230DDC3E59AD5C6FFDB228EE4079AF18,SHA256=ACC6EBCA8AC4351A3364A8A1F7E4784D2E44CEBB46A79BD93FAD85136886A377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\AD98.POCMD5=10DF984EBCBF631577C9B1E9E277E3B2,SHA256=F7B98C183C0C428C84434E39925AC473FE68CF6665B4C2602A43FF7AC7E02A0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\AD.XMLMD5=93A0BFC2F97399EA0705393C0F3F4534,SHA256=847703F85C8E2162E7E1A0728C2CB9AB143C7AEB2BC3D6ACC071CB907E17AF92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\AD.DPVMD5=652B2C34B901EB5990018FD4D1DCC114,SHA256=0CE7F38F261A3969A33FE50554F3FB640C69A5A694046CF20306BD659C4DE9B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ACCTBOX.POCMD5=378E44A10B60478231A63AC0BFB67BCF,SHA256=CABAADE80AF9DAED08ADF6CE49C50B5D971D7F383E5BF19A88C746765C3450A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\ACCSBAR.POCMD5=B7AFD0319FD2DEE8A033F9D0AC48B8DE,SHA256=3C11D3C754E8733EE7973B88F45ABA0A1CF0761812D74897D336B50EA34C2198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB9.BDRMD5=CDE0E094D9179BEA653CEC11409D3992,SHA256=EF91A7FD8A954FC502A190BDC0FC1CD8F336A03E1B20366DFC32DA924DDA26E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB8.BDRMD5=4FF7AAEAC730FC8995A87E9233C59905,SHA256=18DFCD1B3CC9E6A5D39DFB462652626AE86F6285444BCBAC9F0EC824C15CCF09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB7.BDRMD5=D087980A16DDA53FA3BE013D1ECF1AF7,SHA256=60808A2C7ADC2455964982C41D568B336070FFFD1BF60A83B9E50DF9C5FF3E42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB6.BDRMD5=4877F0AD09F44EE686CF14390BFE21B7,SHA256=8755AED064AFB7919F5AB48A13A268F833A1E132C478AAEB25E68DB3BBA2A3B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB5B.BDRMD5=765971E076DDA0F75FAA6231F19B0BA5,SHA256=44C31BB35F340E4716626403BB3CB3A6235D7DDFB0C0A7556D4EF0C1347721FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB5A.BDRMD5=6E2AEAA3E01842C466AD6F41844C2A99,SHA256=A3A6B3CA442726F0B991E2B46F4EBCA234E22608DA428C9439AB3326FBC0AD9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB4.BDRMD5=DF375037977C8504706542D07E48DF3F,SHA256=CB2FE6F217E93320791ACA4F4F544756AB16F0E07865A77956DAC13672568648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB3B.BDRMD5=5D4BFB16FE733022E2982F118F3B4163,SHA256=0C6ED134B4A32BEB698BD25B2249ABBF9707AC177DE69EA191AA4520F05276E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.064{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB3A.BDRMD5=58BBA4FBFADCDACD28707904D2341C4B,SHA256=A44287EF7D18CB5CB5719DD2A131074EF9B20EFE4BEAD11361E9C118D8D2D67A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB2B.BDRMD5=592CF41B7157A0352F85C6CD39319CE2,SHA256=F68E8141BFBAEACE5FB9B995780AE5CB0838AA3841785D860C621A45764C3674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB2A.BDRMD5=4C013DC165B317C374B5E5093AA3BAEB,SHA256=24DD1D3F07CF6BF674B0DBEA9E84BC65B37CE9AEDFEA3A818DC7942F909882A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB1B.BDRMD5=1E638AB5E5E7FB51C131A29CD49CF912,SHA256=CDAD590C21A5E761CC81CA810D67BDA06A208516CA91BEBE1549C5B43E384A79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB1A.BDRMD5=6263CCEF9EEB8F5A8B31BBEB6236804D,SHA256=15819B994279364E4CC0FCF4CAE57B7CF614F13CF9A062EA74F32FF97D53812E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB11.BDRMD5=2A35CDB4755AD1AA27E055D00EEA3DF4,SHA256=FC0B0E52C5C632227051437CAFE146F4314E84B7219FC4356F8C81F2162493CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBBA\MSPUB10.BDRMD5=B6A34B31A48977574E1BB124A39E00F9,SHA256=48C1BB8C3FD960DB9E2750409BDCA83633C9711B6D7E156732DC0998473C23F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8FR.LEXMD5=72E5C0D0DF388892E910E295AB36A5FA,SHA256=CA79D145D5069DA66677984D36C78A7067C5D2DF060ABAFEA3A260E6EFF82D66,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\taskpane_3b461cd5fb76c7186ed594dd80bfc675.cssMD5=69F5B6E38464E5236558E49DD0D2A764,SHA256=D5EC2755BD34B59881072B67B172377928DE1B3E334FCC5670296A083DF2DC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\strings_be31f3388d6ff8a96987a96ffce664cc.jsonMD5=91B1F809074AA751C55DA7F5B4D0F81F,SHA256=5E121E51FE9583A47DF7EA3715887D10A8DB91F77D1864DE2DE5D25D91DB1CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\polyfill_2d13038415350e59836e226ef59d2a91.jsMD5=EA40F7F7FBF471DCDFBA4DA1527212F6,SHA256=DE331A0AC74B91DCD69FA1CC640356699BA73CC97C9DB23C2BA47C26CE282F23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\NOTICE_2797df0301cd9822169d954746ef24a4.htmlMD5=5112455A5710A4529838CD92D5B3A5CE,SHA256=0C9296BEA91310DD4618B2DE27E8656F67772A74566D09DB2D44C27FD93F95A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.982{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\icon-84_e971d5ec51b4cc4825e3049d91638ff5.pngMD5=678B746F7C0DBE441CA65818F366B84F,SHA256=A30E4DD64BD3F68E053BE6E18E5B53A6B3E83E027E541F899A0597CA840F6E04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\icon-56_674903567b669a834e4e49dd869a6bac.pngMD5=3D822AFB812B2E9C1389DC0E8BC944C9,SHA256=CDB59E26A8BC63EDD14614882A32A1CBCECBB8F8FC4BC6EC05E47B06F257FB89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\config.jsonMD5=A1E8D06C673FCDDDD15B2CDB8E827D13,SHA256=5ABA473F78E8215E6ECB4FA28AC3AAF4D0A158353CDBF4B17B1E45B7DB79AB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\vendor.jsMD5=01738FD9FE516B4B7DB3E9A9EE4B8A85,SHA256=A0E448FC1DF929094C57F8B7113B174314F24FE0C66ECC1E92ABC3C650171252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.951{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\taskpane.jsMD5=E8EA73A19A160D516FB0198E36471153,SHA256=30605F892B0E5BD2825941D055ACE9431BEFA874D44B8C0D72F2586C1B105852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\taskpane.htmlMD5=8B80CB6B4C54E80D7C03BD9BE4150DC7,SHA256=99760DBF3EB456FAB0D1ACDDE82DE6E23EACA90D4B9DC9A7845E3B60272CBA0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\taskpane.cssMD5=69F5B6E38464E5236558E49DD0D2A764,SHA256=D5EC2755BD34B59881072B67B172377928DE1B3E334FCC5670296A083DF2DC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\polyfill.jsMD5=7749889576E11EE2CC404EA87AA40602,SHA256=B8E9826B7E6FA0D0EF32A0CB2495EDC89444CF310BE85C7E01F48EEA42D70373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.935{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F3F80FC89E5820C48D5839DCE224F7,SHA256=61E05DD525BCC5004224D1915B2BFD6262D0B2B90944E5021255FD95DEAB1B19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\NOTICE.htmlMD5=5112455A5710A4529838CD92D5B3A5CE,SHA256=0C9296BEA91310DD4618B2DE27E8656F67772A74566D09DB2D44C27FD93F95A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\manifest_web.xmlMD5=5B35076E8C7FF91DDABB3406BDFA2DF6,SHA256=2C6EFBEE0E88DFDDCE8B34BA1E63295F110362E314A585C734CC0846989FF0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\manifest.xmlMD5=5B35076E8C7FF91DDABB3406BDFA2DF6,SHA256=2C6EFBEE0E88DFDDCE8B34BA1E63295F110362E314A585C734CC0846989FF0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\assets\strings.jsonMD5=91B1F809074AA751C55DA7F5B4D0F81F,SHA256=5E121E51FE9583A47DF7EA3715887D10A8DB91F77D1864DE2DE5D25D91DB1CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\assets\icon-84.pngMD5=678B746F7C0DBE441CA65818F366B84F,SHA256=A30E4DD64BD3F68E053BE6E18E5B53A6B3E83E027E541F899A0597CA840F6E04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\dist\en-us_web\assets\icon-56.pngMD5=3D822AFB812B2E9C1389DC0E8BC944C9,SHA256=CDB59E26A8BC63EDD14614882A32A1CBCECBB8F8FC4BC6EC05E47B06F257FB89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\strings.resjsonMD5=07D6FE4DEAE25917CBCF6893B2F620DF,SHA256=FFE25100307957CB1D342854B2C2CBDBF1CAC8802679EFBBBE90CC8A01C0D8E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\manifest.xmlMD5=E50B0BB819AE8E1FC23A7FA3F57F73CB,SHA256=744BBAF91508CA33299AFC8FB96407A685D5D3342B49A71095038BF7DB129697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.919{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\index.win32.bundle.mapMD5=52CD6B417F054F6ACD7A11AB0ADF166F,SHA256=2455F023BEA3366A465B0307EC5228D18E6097B211B9B1CA641EB05541FD6CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\index.win32.bundle.LICENSE.txtMD5=0533FBFFA8A478B12D0E3C27C8A3385C,SHA256=DD9EAB76D3F738B4F1B8F08CFA79D2F6987BD6DE58E1CA8AE111D857877C40E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\index.win32.bundleMD5=1554896A89CE34E8BDE4D243988F5302,SHA256=409DA5342E0DF07D9C18A16FF534B8C20FBA135519F5131C815C47C1E593791D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000049\catalog.jsonMD5=D5591BA209A0E47566CF647B2A668792,SHA256=6C172CB3E97E21530B84C2F7F3544AFB55C54FD8F302A08247AEA37B971446F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\urlmap.iniMD5=1B9910A09A985C0B5663B9070073774B,SHA256=DA8723B4B5737B3736B75118B82DDDE1BEE29649075B6041DB679B50CD2D31F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\manifest.xmlMD5=B75301C300E5E0108BE7B67FD8B1FBAA,SHA256=390B17FD3CF36FAB4FA5769DB331B03825E1AC455BE040A7A89E35D592CA3E1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\icon-32.pngMD5=D2C43C8D877C3CB50ECDEBAE2E04FDA0,SHA256=078849937B78B3D29111677581D78420F1BC66E9BA81A72E63E35804B73DCA3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\workbox-8a7d9033.jsMD5=55747D0CC81C84EC7D3AB0782D84F364,SHA256=E8A13DD6ECB9EE4C0DEBD4616F1F25BBCC03056AD9D83D13A34EF25B230456E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\urlmap.iniMD5=1B9910A09A985C0B5663B9070073774B,SHA256=DA8723B4B5737B3736B75118B82DDDE1BEE29649075B6041DB679B50CD2D31F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\service-worker.jsMD5=5BEB7AED1A3F49E263DEBEAC7C7ACA16,SHA256=FD8AFDBDEFEFEF2A9ACEA1853D271E42CE60AF7749B65673C5CA0D7F903CD5ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\runtime-main.89d38147.jsMD5=73DD7706DE1F6D10AEBDCB838B729415,SHA256=9C69B9523FFE937CFDD208A9AE0555637669AB243C19AB29141D6F4BA38352B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\runtime-dialog.399244fc.jsMD5=6ED1B8BF1AEAA0172DEF7F298AF37D04,SHA256=CCFE66510979C7570F630F6B0F61268AF9BBD47F5605F303E25F0FCFCAFAA21D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\run-from-button.9f4d0611.chunk.jsMD5=13C5F276802DB7B264C05E221EB28A8F,SHA256=A0817E97F0B283C8BF2A88C1C2C66AD91F44AC7ED401A77CA2926DFC0CB9DAC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\recorder.25f3f18f.chunk.jsMD5=A4B279197522822E95D1A28CC294EADE,SHA256=006FBF8F8ECEC437A956A27167C530E7DEE35175E3AE077770B88DC49A9DBEF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\power-automate.7a2f1eaa.chunk.jsMD5=CD308DA7C814C4A321045098D1EED7A7,SHA256=09B8817403EB01B34A7975DBE682F2BD79B0B121D6236D1F60C1C631CE9A0841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\parser.67ec6fba.chunk.jsMD5=C834B6A9B49BFDCD530C08A10F9D4623,SHA256=9530BE31CC7185CAE95AE7D274D5A31EAED5E40F10BDDB6B870D6479D6524B61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\office.script.synchronous.library.4c71c338.chunk.jsMD5=2BC6480861D718E0986B67A505BACD7D,SHA256=C86945250136727286447B12C80B88EB5D6BED1342DA3662EA77D2DB35657F0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\office.script.synchronous.intellisense.types.bbd91d80.chunk.jsMD5=8FC11753361FBDD5F6F6E6C6ABF6F83F,SHA256=1E08A39F2F1FD2C231F4F25C4711B62E9AC3859AC5862372459BE6302BE37890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\office.script.synchronous.intellisense.synchronous.fa86f8ea.chunk.jsMD5=72D3A46B9D48E48667F873548150D8C4,SHA256=09512393E86239E9BF7EFF48D1367CC0B642BB0F111B02CFFAADC9DE0D960B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.874{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\office.script.synchronous.intellisense.batch.0fe290fb.chunk.jsMD5=940B272F59F62A03834E0866B3969854,SHA256=8B57E2D2731A5923611CA72D431892EE8DECE94C45218F4CCA6BEA0032D94659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\office.script.sync.452b50d6.chunk.jsMD5=5F9353AA7DCF94F53D5F3255A439A190,SHA256=8C85FDFD716D822DF13BE9C48BEDA212F42C1E6DDDA9D5226AF60E6E82BBF8A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\notfound.fbc35ebf.chunk.jsMD5=3A1CAC90CEDBA981EEA994B5D175B80F,SHA256=519360B0452AD470809CDCC1040028F74DECC6B9FBB61B2C9D68E99CF0426636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\main.1b01c83e.jsMD5=07CA6585D6B46691390DBB9D900BB6E7,SHA256=A27B0C394333074D37F5DC277FEEF4CC6277CC3A09E69AF6788459982B583A8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageWorkbook.13055c45.chunk.jsMD5=13105D8DBAF62B8A78B2154E6989FD8E,SHA256=8C9D7ED9C60E8BA548FB99779703121101589AA949256B158626C93B72E4050C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageVersion.cabbec5b.chunk.jsMD5=A720AE93C08C255E1CDFF746E48EBF77,SHA256=3C94AD4C85BB399CE192EA1B314C94A9B45C9010C06B9B8C6C8B8994D0BAE3A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageUsers.868a1877.chunk.jsMD5=C59B4C0C3525FB39758E489AE2FEE3E6,SHA256=56F67D91CA384A3A97190677832898B71E3D48064025C453CBEADC9C001F32A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageScript.4ec77c4e.chunk.jsMD5=E756C682020D378CE6B6EE184BA16937,SHA256=B205E13F18F3994E98A2C4840ECED7C43746319AE34D90D28486270C724FB917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageConsent.78fc542d.chunk.jsMD5=346B55F76992F3B9045E57305A439728,SHA256=0ABA9A5BA83A6D650E11AFCA43881B192BBBAE9B886A54F005F59951B0741F1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\LocalStorageAdmin.3f9499e5.chunk.jsMD5=20289ED1DA58D036B0BACA19DA52E2A1,SHA256=A7FBABF128E295C4FB812C91F7DCB79375F79CA2BA27A0F139E80A0C6A080F00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\index.htmlMD5=0D4F78A876535A677CB5DD9D555B5A41,SHA256=175166D486799F1F333803EB1C6E8268F773217751BCE812F879E2C7F955EA21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\formatter.b1594d00.chunk.jsMD5=68DB319A7A6EAAEAB0D5A52E66BC4393,SHA256=3EE7BBE90FD46892C22F2A83A740ACF67AD2AC116A48453E41089F6EC1545E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\favicon.icoMD5=C92B85A5B907C70211F4EC25E29A8C4A,SHA256=3D10F7DA6C603178340081668C4AC5B3AE9743CA9A262AB0FCD312FBB9F48BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\editor.a36488ab.chunk.jsMD5=68D8DE5F3412BA4CAEB90E2FA514D273,SHA256=C4FD7273D49395AEAC8A9E1604285B44D06769E84D7A0E89D45111CB4464F937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\dialog.cfdc9cea.jsMD5=A1A5C7441BD62618D01C7CF6CEFD6E38,SHA256=1929C8BFC2A18D119F62A146B9E7CA943D353A696188BABDD7687417D088D8F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\asset-manifest.jsonMD5=A504526BD99D7B8787A570800488DA0C,SHA256=D6447BECB725C9BDA046751D3A337B342F4D6423AF7AEDA0A09A7D726B600A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\about.8c3fb8d9.chunk.jsMD5=9AB496D82449A69754955E86059F01C4,SHA256=40E4F1692EDF5192FB4D827F34D14D50B1BE0B9A8A31B58ACBE3FED41A56A01A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9935.242de044.chunk.jsMD5=A6902287C22096E851709ACA69845D17,SHA256=718E12BB38F53E9D408D8D1531BE840CF3B99E4C2CC37D7168C64E5ADA08546B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD5CFC9C665B8B4B14D23103D1D6BA1,SHA256=EF5572CE1B884573DF57238CA718B7D37835573031538C6F878C501311AB5BB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9790.89bb3e24.chunk.jsMD5=38098721287F9904C2A8940F5CD8B4A3,SHA256=E8D27A36B1928E954158A41271C9E1E7C1E8C2C8AEF9DF23418EE3AE65BFA807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9753.44e6e616.chunk.jsMD5=D5391946A7B0FD6A1184742C0E2C03CF,SHA256=A52DED0A92EED84C39C3C8B195277287AC448188E5A8B33E8826FC6CD8A08122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9696.964d7872.jsMD5=828B26D3305FF6F791C49C468B7F0272,SHA256=95C8D1021CA49AF2493753B377D7E8378E887C44A863FE191C73194462FFEE00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9681.64514b4a.chunk.jsMD5=3B5D01E36419418EDA78A7587BD157B8,SHA256=CAF0210E0FA016994FBF86EB6F5C8C345AC5C6DC903000A5B4B9153D1EE9325E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9606.70771098.jsMD5=59AA2A934C6F426983C0A45394B32552,SHA256=659D7DE0E4F51D4D11A61706DA218250D2CF86812C31263FDB7149A216DE0EC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9518.8866d9a8.chunk.jsMD5=6497634C190A309C0F7BFCB1C9FCAECD,SHA256=47754CD9773FF02937C013C554E01D41A5C4A836D7331F801728650E310164B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9384.f03df890.chunk.jsMD5=0C6E7B9C55F7A411028E888A3DC1E18F,SHA256=A03CFBE284A91C372DFAEBA0D304044E27070C6B97401FAE04DC1ECDD8EB6837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9218.454784ef.chunk.jsMD5=DCB35BD9D2E13B4EDA6E4555DAB48914,SHA256=21C3282F79473CD40EA2EEC940B6162911A35E3CDA68FDF3C2A652D7B70D0BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9198.202765ca.chunk.jsMD5=C5284A794BD1ECCC07D73730478A69DF,SHA256=49A4B1AAAC145FE3757091CAA5AB64E6C3F18A01E44AED859548055DF4C2F6EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9176.775bb9a1.jsMD5=D9AAAAB3ED5B64898330CA50D8F0307C,SHA256=FAF8643F4A441813558BE32F75B09D8FC0426E93B4A5CD5805134E2F13ECF77A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9097.31d3acd5.chunk.jsMD5=AA57579CFE4563B97BCCEBFC747735F8,SHA256=2A3CD20236D49A4B36A45737CD5764CBB385C6416261C3F243AD4EA11E7CA373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\9034.367c10d3.chunk.jsMD5=496957A5597BD7F7CEAC50BA228DB9F3,SHA256=782ACC6438FE8628D6AE7A50E8521D0738E3E1DE73E521B11302C5E00903B680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8894.834b4c4e.chunk.jsMD5=7DBAFCCB7319714422EF55344FA2FED0,SHA256=03B646A10A9926F0061A62A68F5A0D629606F7729ACACF23EBEBC74E658E6C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8857.dda84f71.chunk.jsMD5=EF4172A329D135B1E973A7567162BA1E,SHA256=DA8833865314B38A2D8E90EB3E04213B29ABDAEFCC3EC3557B3C53818CEEF03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8846.c85afab6.chunk.jsMD5=4B6739F48F8586250EB8F1FE6E35697D,SHA256=BA1D681A34A80356ECB28677283EA5C45FDA5CD1D090C3EC586BF601FAA607D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8642.dd159f74.chunk.jsMD5=9E11B2DA72D1D0175DD34F4625EBECCE,SHA256=A2AE533507063EB58D1D070E002592B99D603EB36D3E963977F450EBE39F45F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8555.eb1bcb23.chunk.jsMD5=7E593D45AF1D91EC7BAEC0CB2A66F208,SHA256=39C6FCA5380F1DDC28291504E67DBF36B32A4E78A88DD7E2C7B0EB8729564C7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8509.334f1edf.chunk.jsMD5=D1909F6C52D885C9884259211567CD3E,SHA256=8D428A7EA65F376D2B77A1C34C55FD7193A2DADB1347D64C54E48A39882D5FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8371.11e0a706.jsMD5=3362969D050C3762673C1B519CB125D0,SHA256=EFECFE6149327A20DA82358AFC75D7CB90A7F9DC38EB086F1EF38A636F374CA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8305.f6c6c925.chunk.jsMD5=19516E69A04DA01B28EA62BEF95B1F7D,SHA256=37FEFE6EFB9780CF84A88D84119778EECD545F63703C96351A92D66457330D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8257.ff4753ab.chunk.jsMD5=593EAFEB7ED5F8D037464FBD7989C317,SHA256=074D8B370494A986B2D4B9F8A59A2256224C5D16A82AD401AA79FDE84A6875AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8236.eb0fce98.chunk.jsMD5=04AF50042509AE0312851029AA68B00E,SHA256=7ED289381E6E7AEF0BAC2E2240DC91DA6C0B93F6D81DB137200873B5A7B0AC0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\808.fe7cd903.chunk.jsMD5=B2B0C053FC83DD0E8FF8B28E105E95F3,SHA256=E92A2DDCE1603E249CD20E28FF754D291711F62E87A37931C3F00AE9A54ADD7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8024.efff1fe5.chunk.jsMD5=32CB005FE3354C8B7CF52D97C167823A,SHA256=AA89B8639E6ED49444107EA75EEDACED4776A3DB50426D8A5A1C95D0ACBAEE56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\802.fe850f86.chunk.jsMD5=119CE2EBDF0AE4934591CD5C751DD488,SHA256=59774CE6E20C12D6562ACEF039C362A9AC80A655EAD1F5909E6E22FF13597215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\8006.930161db.chunk.jsMD5=BE9D99AA757A4FD26F62C476BCBCD16A,SHA256=9E623BF8247C8577AFAADC45CDDBE4FA4EB381AA6B2D1B62DDEA773DA355C13B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7979.bf9bae5a.chunk.jsMD5=112CA71DA5B15CA645044F9EEC785B26,SHA256=058B7B47CA350AED0CA6C955FA1D6FF1C8BE446297DF8ACA75796D907473B45C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7905.2e4b542b.chunk.jsMD5=0213A3AA77C2323BB22868A6A64266AB,SHA256=19FA4654C726396415B72B367E668D89B781C19AF214785C0A3D2168F9EAE743,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7823.ce534a01.chunk.jsMD5=4FC30E10F04129BE99310A2F18B72626,SHA256=9CE8D4B6C119659E09895EB54C72A5D9A254E3E2AF40B7FCF24C98E24DD434B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7790.464409a2.chunk.jsMD5=4F774EEA46C3AB57F238451A19E3A93B,SHA256=E238EE46D3B1BD3CE52B882F2112BB414EEBFBBA168BE2CD86F6C9B6A820E81E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7592.c031ed4b.jsMD5=6F19E2244666A22BE005CB901BB9F1CA,SHA256=FDDD90171F146A8BC07BBAA07F7053C91299408974BF173564910DD463695FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7555.6f23f5d0.chunk.jsMD5=A93002DC25679B6A9D87B0C14DCC2818,SHA256=98C7FE9AC3C89151CA11E6E77964B895D5639BFBC248D1FD53B2183819BFF1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7539.2fdb83eb.chunk.jsMD5=883E0B1586226CC524DD9CBCED3329E7,SHA256=382BE7F54B9CE6C9D68EAEF8C9AF114C11B12926013F6487331049EDD4B5FE13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7482.1c5a84d7.chunk.jsMD5=C396CB6E67178F0D0ACEF6A2F95083B6,SHA256=0797CC72990D92AC47535303AFA1AFC299BE0E301B55EB1DA4D018047D4A1A3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7423.f13c06f6.chunk.jsMD5=5E6C21237F7E33F8E0000EAF4D7A5B5A,SHA256=A82DA49DC4AD3E4E1B81C647782C0FCCFFC8AC12D2B8FEAFF12ADCFC90C0F26C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7361.7aa36965.chunk.jsMD5=1F2C12E01D36A01131CC72311B3DDEB1,SHA256=496D530828298A57373523D5E889BF5A6C53D38CA2CFF9BA813AF6121155F4F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7351.80d77192.chunk.jsMD5=D420042D6BC6E64E7F0B7710FB82C18B,SHA256=31D3C3B792A3CF56DE966E4711101B8551438683F790726540EB5AB3B0BF4865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7339.9781ac9e.chunk.jsMD5=6C3FAFBA6A64F31055BBD5E7113DD631,SHA256=6BDE12E0C7742996576B34BAF1400D2D095453137F54ABE63401E88C70BF4DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7251.a32f599f.chunk.jsMD5=BB43678453FB09537404DBAA8D3E000D,SHA256=926A84C8D80282AAED2427F54030D11102FCBB072A100D8B4FE8A0C53FE77255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.763{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7159.f999f385.chunk.jsMD5=2056564DE7F34A4143B5E845E4FD8DA2,SHA256=7DF954B4384172321C79A6B1E3789BD6FFDC3B5777FD8FEA3B118EAB91531586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.747{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7085.c6b615f6.chunk.jsMD5=487BCF05EEB316B8BDD6CEFE2011FD88,SHA256=84EC048517E000EC708124E31AA2627A3A5D788CE7BCE5FA57F12C9DFC0DC0FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.747{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7063.21fc5030.chunk.jsMD5=E32F2B2801F5EC1ABFD4CE5E7A66335A,SHA256=1769CEB98F98CDEB8CCB0D0E6760493929E21CBA05DE4C6C9279CBDD5741CC7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\7000.86be73c5.chunk.jsMD5=E05D624C7AA85B07BA6C0F4FC00F3F67,SHA256=037DF04D0C957CF03F7FED74895488D1F69A7B5E9BC5A998FB213E3741FE0524,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6813.f940403d.chunk.jsMD5=1D704B94CC3E02FADC0616BCABA2EF9E,SHA256=66F7C629E189349840B993E5C238F205021A4A0E2221F0C0A0C3D406E076EED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6790.8e2798a7.chunk.jsMD5=720F71C6969524AE85D9457D0AF876E5,SHA256=34D3B3ED58C2A04BEC75DEBC92AD9E112702BB7B274D4E54141C1137B7D2A881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6553.061093d8.chunk.jsMD5=917FE856D1B110CB6E05090586B24B57,SHA256=0AD9D8DE75C44D22205B1D233AD69D6966C761AC762CF5A4963E8BAE45964997,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6543.31e16942.chunk.jsMD5=9DBD6DE58C19488505315FC9D25CC1CD,SHA256=377D24F8FA5F16DBE0672CC0CBF024D1AA22EC19C583A9ED149A1D1380A58705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6479.d5f0921a.chunk.jsMD5=357BB7EBF5E2B80980B5D6418C2CE778,SHA256=747F6AFE2ACAB162730D3E2AC4A2743E893FAD3BB4E7B6E5980B54E1487A7E80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.732{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6358.7009eaef.chunk.jsMD5=A09AD971770F076120BAFA37BC44E98E,SHA256=758D9217CA2C2A86BD10900F4D0DC51787C7DFF286955D63E53D14DC9CBDE572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6354.f86d8f00.chunk.jsMD5=8E0EDF65E4CE6A82D7BA8A33F932EEE1,SHA256=25A7CBC2EC325BE9810DC23751F521BC1A6A4E8D505CAC2B6D0BAF6A7C8F75C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6332.6010af9d.chunk.jsMD5=FF4B1488757DA6AF506D4E8F894950D3,SHA256=CA279FA7B301396A84F54A706C4E6F9A691E9F2B5BBA98149D5E531E3755B9C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\6106.e033d666.chunk.jsMD5=223DE9AC77EEA75A20A154E1C3347428,SHA256=091AEAB5937BD26C1F46B903188CC70406BDE87C0AB73A2F4791F7983337173D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5946.3a7f4aa2.chunk.jsMD5=4E2BCA497760A31AC4D3AB4ABE5FFBFD,SHA256=92F8E1B62EB113FB9C90E556CC2804D801A0E626E5312504ECA0050A7B8EAE2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5945.4a9185c8.chunk.jsMD5=DE644AF540C6468AC8FAA6D372453534,SHA256=75705C17C86772A6AAEA4C276F01EECFFA0303C2FC0FB4AB40D14054EB5DA718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5758.157070fe.chunk.jsMD5=B387D42E8A555B675BDF79475A7157B1,SHA256=9F6B897C07B9D6E047B612EEB06085EB065E3D9FFEB5EA14303B87CF97C04711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5734.44b7349f.chunk.jsMD5=6F4F76F888516CE780AD6CA7E328CF8A,SHA256=40C7FA5C9A54CF57DF90FB51E116200C7C7D893405B7C47C8371BE0E5F3D7F0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5679.baea91dd.chunk.jsMD5=2FD743C91D695FA5EB32116A555C5D5C,SHA256=A0E3038A11734F00A048BB8E6AF1C0A87FAFD928862738BC37614A7D70974FF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5446.6c639bfc.chunk.jsMD5=17D80E47D10D29A96BFE31EB02621C40,SHA256=A77F4FAEB63081CC8F815DADC50D5447D986AFF61F009297B423A3F582C8B533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5413.0480a4c7.chunk.jsMD5=67C18C0499FD8D29A88DB228114844B4,SHA256=83F6B8B100551D003D00745916F701E2A624FD8863188DB473EF2001D1193A54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5337.d0411116.chunk.jsMD5=DDCF6AF3663EAC670F204D2D1B89EFB2,SHA256=0C5D9D14A4C4552962D10C406CAE3F44F9F1F040DD1B73B27ABBF885173A5ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5210.efbfc7b9.chunk.jsMD5=30C425E65D70A504D58BA3302D962B6E,SHA256=C4A9112B6B3EB07607295DD84804C518240AB83A64699953FC47B6753DE88DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\5102.20cf7590.chunk.jsMD5=3F1FA82DDDF16A92BFFAD03AA486F4F2,SHA256=1C123A4B2E3412851D23FAF72C62B05B058AED1E732D8D80D0F31158ED2DCC05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4840.85080c6f.chunk.jsMD5=93642C5507A244D9984A03918E59DE74,SHA256=BB0C3855B29A0DB3DFB79B1342E624AA8F1C5BEFBA2899104373216B101C7A99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4811.734aada3.chunk.jsMD5=AD2DD2BAA38DB5B0A4FF8DC9BF92D34E,SHA256=2068AEE4416570C64332B0EED81DE34FB8FC480AD98D65400471E1F9B69B45CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\481.b8e59a5b.chunk.jsMD5=5BCF855CD0C1EAACE22A8BFCF3772172,SHA256=2DE20B587F169CB6ECD4CBE84D856078F18FF76103A53D821C87A4EAFDF28D2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF89E515792FBA7D2DA4D524725E25B9,SHA256=82F28713BBCC5B1683D231D51D283DDDC446DFF98E4B23A0ED2FB0C5FDE621E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.700{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4673.67f142ab.chunk.jsMD5=0EA7BA2ED65F49A2AE3F0E99DB93432F,SHA256=F74BF02235A037428A5CFDC41BCCF71A3C9FC66E8F7C03DF966749DE2D9E4FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4658.06edbf6a.chunk.jsMD5=F3945AF099F8D9CDD61C2023C0A51773,SHA256=9C3687C246114AD2E0AA441F89E6CEE913A039709F7FD32139D8BC042317BE93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4581.6a57b8fb.chunk.jsMD5=DAF5F4D78F6CFD8CFEE45A5D7A6C454B,SHA256=E8980AD86CBDF5B3DF9005C90373DA9B6358FECC9766CDDD80EABD42DA36C1DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4512.0c6e0320.chunk.jsMD5=CF0AACA2D26A580E0A3D61A06ECEAF8F,SHA256=BED1B4CE7779C3CEE3EDE15197433CFF2AAA0D2672D42753FD793926997B69CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4477.7f910efc.chunk.jsMD5=C4BE598E4CAA3BE4F646BA5D80BA5D6C,SHA256=F0951AA12BF3689CE4D9686AFC54D3D4E5668FB07FA5C2AE7149AF3CCCD589BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4438.13bfcee6.chunk.jsMD5=57B863398F05EC676DCFB92204D84E99,SHA256=289B3C95B4D906148D0EE645679E1BD4FF7AE29EDB2BF9E84BFFA7D31EFB60C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4432.55abfd7d.chunk.jsMD5=A0264105CAE17A71A3349D1FD0D661BA,SHA256=F371FA881D76D69021590CA769F49D08295638A5BA4708D3016A34E33125A529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\4151.a431cf30.chunk.jsMD5=4392773D7865953C0CB2C597688E76DD,SHA256=8C9418C2DC642EE16362D54C28D635FB777AC2A55DDCCCACBE26113863D0C66C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\409.f69f3bd0.chunk.jsMD5=9C53940D5DFE37E374BAF7DDEFA3F264,SHA256=35977F772A0E1577F5EE5A4F64384A3AF344E8A626272D9A4464C2D4AB0749BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3996.7027c5d0.chunk.jsMD5=FD3279BBED3BDD2587FFC79BA3FB5E37,SHA256=A26F6F967585C26D25545F496E8191B7E5CA36FFE0CD327C21DF3FC5C6AB0C46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3965.aca04b86.chunk.jsMD5=069FA8ECB4A2EDAB64BB628386C536B5,SHA256=CEA1C2B955198A9B27032F135A70BF85AF8023C20BF09C8D15F4E3823EBD7E9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3847.8d83cec6.chunk.jsMD5=FA7619B9791CB8332E4D209F5E13EBA0,SHA256=579AF228CB995C188DF40B5CBB833F3FAAB816872E6937C30247341500855875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3668.10d8d6b2.chunk.jsMD5=8FD861904431BD8CC5942C3289CFEC95,SHA256=ACBA3019DD799537FFBD1D0D7F99393070FA7CE74D639BFC281E60E367E45849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3657.71192316.chunk.jsMD5=E4394A7A59BE79928DF1D5FC34AFC266,SHA256=99053DAED2E475E596F44D72CE1FB80F58AFF955D99CD848703F1A71EE52F707,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.632{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3632.41648961.jsMD5=7E754C19A40855E61199ABD1A28F46AF,SHA256=1B5649D2D855334BBAEE5722222B7AFF24D060AF85BC2F195F0A8CC218BB99C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.631{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3282.55f696f5.chunk.jsMD5=F75089DA9E42CBA2ADB3519B03858A77,SHA256=95B17CC758CA19A0AF78DB2C25D9BE0895B260015DF8EE2AEBBBD1133A89D7A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.625{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3220.2d516107.jsMD5=349DAF3B5B66283F3AF709883FFD5F71,SHA256=091C2827C8D27397F12A30DB7DEDFC1A540AD37A324E96BA30B1FA72AC60DAE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3196.82350daa.jsMD5=949CA91B8C5AF469D5840D1E6D8A6666,SHA256=8E1A2B5D6855253ABBD1A4399721965D8DD65FB71FAC1771DBB687C0CB3F586F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.622{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3082.4952d7e9.chunk.jsMD5=4700923951DFC0E6E317330D108FB1E2,SHA256=937574D0B2DFAD001E45083928D149EDA33FC6775CCA754D486559CFCA01A36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.608{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3068.7a6896b7.chunk.jsMD5=84A98E97709173F883DCF2A34B6FB854,SHA256=81FD8D307DEE7A886AAE2401D0F7F660D15AC4DB0EB300EC03097CF1B36C60ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\3064.c51b1a32.chunk.jsMD5=D1D076759385DC42E50BCBB3F9BB2555,SHA256=7C496703BF33F308374919A065D011E6BF771D08856EAB7250C9BFB7F584F63E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.606{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2971.4b602abd.chunk.jsMD5=3ACBE1B52A434A4EA41D1DB72AE6FC77,SHA256=647E3BCC4E2E308C3FA6A268F74CE8162815DAAA009F18BB4FA33D5339832A9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.605{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2921.b3f0acbf.chunk.jsMD5=168FEA1033B9F75F06177A92DC473813,SHA256=8EBC3B82655A899C22620D94F4FEE8A77A381D23C6E746F9C5285E008DEE6151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2903.9e10001f.jsMD5=DADA829DB094E6AA333A92281655CEE9,SHA256=C02402E076D1E54B6211AB36822DB874B97D2A1F18B318F982E51363F3875C25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.599{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2714.73867675.chunk.jsMD5=E1591579A41AC6E7A9F847EDEE5C3B5B,SHA256=C613B15DD9A8D2755828A665CF0FFBB3CC04382D293E7DE2010DF8659D6D4AA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.598{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2680.276f1816.jsMD5=D9D5B2D2235231ADEC133027279C8315,SHA256=FACE1E9A9FA8AC48704D172F97D139228761AD01AE8FF520682AA4C517CB326F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.597{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2634.59117974.chunk.jsMD5=0F9169D2925B75AFE0C711F29DD90D5E,SHA256=166F2297702ED652A216247C6BF41FBE78C1A32ED51175519A4337D9DA7103D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2566.8199776b.chunk.jsMD5=9E445C79B27F0712119B226B525EE56A,SHA256=592A4736D419E57F43DED89D4AFBBC8933F7CC14D5ABB9CDD97A2375FBDC750E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2492.16ae3728.chunk.jsMD5=6428E4640C0A307A299342C559E23C30,SHA256=28FE9FBF25275AE0B5A66FBAF75B64A1BF57BA47259A594F2E7D79B6CCBC3D84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.590{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2478.2e58e431.chunk.jsMD5=8EC7B4A2178804D31C3BE2DA9045FF1B,SHA256=249A0DF4C9CBB61F4E85BFF8D9A24B0C570F61CD186F76F5D7FB9DD51E54216C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.587{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\246.d8a609c4.chunk.jsMD5=9F7C40D6EA741E375E73F6D05AE47157,SHA256=374C9DDC1FF583E3AF56391490F1D2B9EAED283B24E3776C76559E56F9EC2961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.585{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2409.6234aa05.chunk.jsMD5=71AB583DCFF833CDC59EABAA0C0C3064,SHA256=9A3E0ABF14C6C202230A26FAC130135AF851FB3512025AD690D7D4D985C1BD44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.584{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2396.2d131223.chunk.jsMD5=52FAF2B15D0B8A50E0C13C389C7B90C4,SHA256=27803960431DB609016868ED26B0A844CDE3AD2A421C461646FF2A8DB38C28EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.583{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2390.bd32dfc7.chunk.jsMD5=B81666D4B000BF9D6271566DB9145C14,SHA256=DCED7A5A6D108B272B12480147E84AC9CE38A14AF470B9D8BF1F942902164932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.581{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2246.8b31cbed.chunk.jsMD5=611E1FFB2668B226263CB664DEBE5050,SHA256=964995D2E86F2B2C5F6721212EE28974223191190D927FF047B3E98A6FC0BC10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2238.fff4ece8.chunk.jsMD5=6B3922B8D332E812B85B637A940BC041,SHA256=2532CFE4F5892A2E178A127B10BC3D2FBF03603A1B4EC3688AAF763531D1C014,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2233.fdefbedc.jsMD5=FAD226E8C967D8402B16DCFDB311967A,SHA256=8E9DA6884D1E5D0F49F2EAAFCB29A7DBF9582C9896554EDE5CDED6A5ECAD008F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.574{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2218.d9cc814f.chunk.jsMD5=68F2305C39128A3A427ABC64A411AB9D,SHA256=CDEA6EEAED1DBEE6E00ADC434F662FD8FAF1E272D2DB91F7E758F7E61E0DFC93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.573{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2126.d440d037.chunk.jsMD5=9FA232B91A8DEE4421499027999B42C8,SHA256=201B49963EDA3D4EB1245F54F4763457A144162E0064B5D48233FC693D818633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.570{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2090.427a5250.jsMD5=62AFA32001182C250FD9CE69209B4C47,SHA256=7867DE8A940923EA78D8B677B5F6EB8B3E1CBA7269E40512F8B307B69BFC2677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.568{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\2009.e5a027b1.chunk.jsMD5=052044228C1CC09C18F2C02BCD6037E9,SHA256=177E868F2A00DA5805EC3556D09D045D4F4CCE78B8F055F1DDF3B69B3A544A3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.567{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1866.528edfe4.chunk.jsMD5=4E538DD3AEA950EB572D241DC7FB6285,SHA256=F95E06A063BD0E684E992CB00B6B7D473CCF8F991EC00F217B30279864479499,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1794.487d6448.chunk.jsMD5=149556B33FCCFE459BB3131F8A31951B,SHA256=099848C5766989245FA18441A549A0EF83FFCD4F2A8DC5EDC068101B1BD37767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.559{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1722.b4fc5ffb.chunk.jsMD5=7CCD1FED8627BF3554A070A10B456BF9,SHA256=68BF4E41ECE49DC38284D78C51F4108F081D612909C474129CE569295D7DF557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.557{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6EDB333914830095E8BD1FC43E0A4C,SHA256=3F9899556ECD074FF7BCBDAC63CAB9034DEAE4821FAE0A1F73360EB5C6D2536D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1593.3737f9d6.chunk.jsMD5=DEF929B8E43F3DDC3D4BC4E5EC78A679,SHA256=3D601486545A78D7442EBC00F24FE69101B01D81118DAC6B6FDE5A68888481C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.553{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1554.093ad8b0.chunk.jsMD5=965F1949BE02ABFA56840EBCA245EA51,SHA256=77B4378A568C93FEFB0B43550DC2916E1F2ECCB6B65FA81A6AC867ECB43E3C6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.549{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\149.a89adaff.chunk.jsMD5=397F539B4FE699F425687E807F92FE9F,SHA256=FD34050B2F3421D7FA10C291F2547EC4FA1AF004B81C017B7C27815F580B8F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.547{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE88293B5C3C98C4EC4B2D0DF733373,SHA256=866AA5E0F3189123E9CFDC6CA168C1BA9A976F1D4D8298446DE9A43B75E05693,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\140.4a72fe72.chunk.jsMD5=EC2049DC6FA799827EE4BA391C11A40B,SHA256=88515D4DBDD6EAA693D78E12FFD9D4E965226BEAEFA98D310F93DDACE8232080,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1283.50ef9b66.chunk.jsMD5=CC12E42A682BE9519343499FE4CCEAF4,SHA256=3FD46081C78728AA5D3A54AF2ABE1B73B33F4C93FF75BA04E02EAB40F24CAC65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.522{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\1206.b0ca1ef8.chunk.jsMD5=B4DA5637595411ADA18711A734F86D5C,SHA256=DF9B50700C35791A3EF2DC5A8C6ED724468859A3830C7D41E82E5CE302DC60A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.517{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\static\media\sharepoint.5c36b8152d853047c3a0.pngMD5=3946A5B521910CBBFFCF881B9C3BA69B,SHA256=CA7D77B32A71E7F39D0CED5F147E18C695C47E6C7CCF829A99B247CBD6FB089E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.516{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\static\css\main.35e52b1a.cssMD5=0B2491CFC315FDF5BA0C1A9AE4732B9D,SHA256=61B9F89A2F01B9B598A7AD7A8D919F5FBBC18F086ABB48725527D01AEEFE0721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.510{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\vsce-tp-32.pngMD5=C2C48FDD9C7E38F7756795D7C836DA54,SHA256=8BEFFA737E9389095C927721CC91BEACD84B6784E223EA181FAB4C792D473244,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\vsce-tp-16.pngMD5=ACF59555E84A34D3F74EEA9D9DD53B8B,SHA256=D11FD3C1777CA161773A27B9AEB97DF5A0F54F43AFCB4DEEDA5FDEE75FEF5148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\script-tp-32.pngMD5=0A53F41922BCBEA446FE39E3DE1569E8,SHA256=B467F13EFDA27C6DF7E2ECDB5686A0F47D42038C0B6260C32BCA17832BD62DD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\rfb-tp-32.pngMD5=523E056B373F7044BA9DF61A519035D6,SHA256=3C9F925144997DD2629FC1EC33E27B1D33A788054C76A94998426A745841E624,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\rfb-tp-20.pngMD5=F6DE04164F852883AEA92CC903ECF973,SHA256=44F803A6AF75CE083F9D13AAB540FFBA061C24B48011DE253B9B9F03531FD250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.506{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\rfb-tp-16.pngMD5=ADDAEE26AD652C339C403C262ECBDC17,SHA256=049361F679EFAC61F56AB7DE6E4839C667020A3246EFB58BC38EF82069B3CF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.506{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-tp-32.pngMD5=94BBD92B045CEA0EE0A13D7607B427D3,SHA256=5BF95DCFEF5B8B3952FC46A2DB33173EAD1A29658B9B4CD87FBE400C61D9EF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-tp-20.pngMD5=ACA9349100A63E9862BB345F827C07BF,SHA256=AFEE160EA085BBEA34E0DDFAC39270CFFAFE1FB76FE635B8129EA0CCAF27D62B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.504{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-tp-16.pngMD5=4D8BCA69D0EDB1568DCA44C3E9A6FC67,SHA256=06FBDE567D5F30371748D91D6A77C83B70163DA04CE4DD7154A7FEC1CBD7B294,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-80.pngMD5=FCC6DEE4B244B95C2A10D3539ED142BF,SHA256=D401A24BAB56C6946DFC9B9CC4014DDC0024C69CC0EFFBD7B397ADF42657E938,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-32.pngMD5=9852FE52F1A8595463448E96EB663F13,SHA256=94D56EDE2D30FBA9513885737B98737FD57CE5700E7952B45164C53234030C44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.502{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\record-16.pngMD5=A33D864C5F37AD5EAE2D4C5EA0CCC368,SHA256=F4100BFFBAF7E475EB90079443A7C7BD198C022F2FC048BBBF064C0F4AED8AEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\login-80.pngMD5=DF963D2A2B11CE4E3EE958588163114E,SHA256=AE2C3F5F85425032131A851C5FAEF8B05EF5E45F06EFD825F27353CDBE767804,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.499{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\login-32.pngMD5=B018E3954B4FAF469867D1F93DD6322E,SHA256=EB8BE9AC1DA848B28C1144E498E9E6770EF582482A658E6D92CA5D4C055733BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\login-16.pngMD5=AEBABC845423B5476E19C63B68CE8863,SHA256=EB49FE08EB3158EC1365DA6A0172B717E13FBAF863E0914F0B4CAEF71E855752,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-large.pngMD5=4AB329B5E403F131FFB123212902BE4F,SHA256=3B233C839AF3DD967C3D2D0787B6D1522F766C82CA4AA451279FF2E89FA11D8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-96.pngMD5=8A1CBEB2A18903EEDD3BAC34F0091DE8,SHA256=DFDB18DA96C79F72FE4E20733CE1052531B047596A05ABEB134DC1AEB905A56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.493{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-80.pngMD5=050142808CC975BD7F7E2F2F36941FE3,SHA256=D0B60B3AC5580221D3B5BC01559B1EF10D8FFDDAFC327A4773E56DC28C2FFAD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.491{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-64.pngMD5=6D9A0C0AB3170F02B5782027EEA34FCA,SHA256=C44C0154B0AC72A99B91E2C7762C79BFB2795FC3F833D3C2522563A41AE02EA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-32.pngMD5=D2C43C8D877C3CB50ECDEBAE2E04FDA0,SHA256=078849937B78B3D29111677581D78420F1BC66E9BA81A72E63E35804B73DCA3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.489{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-160.pngMD5=43787CCE9C9558964E4E9818FA27AFFA,SHA256=225308745F740AD886DD7DF33B55173B6B560F889AACD56D623B608717548AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.488{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\icon-16.pngMD5=8AA408DBA4366EB140B25E77E680A315,SHA256=766C0EE133D6E7969C9456385BC984470395347FC54C97FF35510A0E57D20B62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.488{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\flowconnector-tp-32.pngMD5=A65BC916FEDCB84663079B38B169FEA4,SHA256=335DBF5F884E9A09769B3F8D000ED51D96D6F67A8DA3664448063703BA6FCC8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.487{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\flowconnector-tp-20.pngMD5=A4D1D0FBE60978F5E3AA8997BA87B886,SHA256=F9324BAA450F71B6BD952087BD35C468D4F74E620093045E284DD1F6EDDCFD46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.465{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-tp-32.pngMD5=416CCDABAF09E7F1E1AE50C9D56704AC,SHA256=D7DFE4A37636B9D66B060EADD518EB911ED6FE591FECEB618ABB2D990539E786,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.465{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-tp-20.pngMD5=960C5929BE58C874E2195EA715CB59E0,SHA256=B1D178217A8B9783ED875601FD82628009AD05C8072A8615050D730924A5D470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-tp-16.pngMD5=5A8186EBB3BB21F35E8355B162264CAD,SHA256=A3C6DE5D26207AF7700963E453721E6C194D1398B2D77D1AFD6EAD90BFE87553,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.464{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-80.pngMD5=A69501DDFE6E94A099947DAC126E39C3,SHA256=41386093532ABBB689085C5EC80EF31A60991CC88BD8828CE626BB77328E3360,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.463{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-32.pngMD5=4B458D1E57030248F432672F925FAF8F,SHA256=B13DD7DB451AA712C3A6908CAD7BDDEFE66DE16CFF7AABA3D2C29D8F675E0351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000043\win32\assets\images\code-16.pngMD5=DE8B9A8AA4AD617F3F14E0147F7D26F0,SHA256=4E952DA2D4400066E65497AD7957139383CB4BBFABB7FE92B7E592AAEB2A6026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\strings.resjsonMD5=F4DF4D7D986DF002BF8988CFE82BF891,SHA256=59C9C1F006AC7F169A42D98D8CB1D0C1976A8BA97ACF64A6247C200387E70340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.459{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\mecontrol.win32.bundleMD5=D7AD7DA92FC9FE387AD85EE53F0ED8B2,SHA256=881D9E8A4CC5CDD4FD406CF5996806F24FC8A66C0ECF1B3485920D8B10ACEF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\mecontrol.pngMD5=68F795FD371004E3C79D83C04583B93A,SHA256=589A1F69A151D6C434B2F1512708DB333ADFB50B09BC7ADB8A3E82BBD6E461B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\manifest.xmlMD5=EB44BC958FE14AF324C7E8E4FCFE6D69,SHA256=8909D515BEFFF01BD0E5EF7B99EABB85E117FB8A221137E7ABF9FDDEBD8CB91E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\catalog.jsonMD5=82007862589A7E48DD8CA7C537B3FC6E,SHA256=8DB3720556608A757140067C2F68A8D84F8480500E53643857A37CFA96B0C3B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT_Text_62.pngMD5=8D33029C6237A69E588B9DDA8FF69F21,SHA256=B54C459D34B9A4B611F532799A4BDE6B37C3460876727D16000B32818A75E49D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT_Text.pngMD5=60E6D15D825D8A1E80C1410743187461,SHA256=BB85AA2437C3137DAFD232352BAE2D124F33C1B0A4EAE09BFB9C31C1797078F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT.pngMD5=7CA15AE524A03FDBCE1B3416E0EDC29C,SHA256=82783208D69280BC65D55ECC6F7652D3DC5ADB7FBD32BBBE04609BB4683512A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\add_user_72.pngMD5=AB5048490948648B5E2AFE9B2A1C792A,SHA256=91DDE7308F3457FB37C89BCD77C1B8B1033ADD61C06F48A508CBC23CC8FA6968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\ios\arrow.pngMD5=73CBFDAD6D4EF9F243F9AE076A0BA0AC,SHA256=9336D875BAC6A571EA59C05DCE931BE5FC86E842DD2CADD3B193570F37816097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000042\assets\assets\images\ios\add_user_2x.pngMD5=C5EE810893D25E1877A6B01890A14585,SHA256=1BED16E1B5B4E231CD086C521DB8B9C0B5C4817A99C2DE75BAD9ABA1C2734C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000027\manifest.xmlMD5=7F683C31D94AFEFD28241AD36B115B0C,SHA256=55B2F6DCE8386A58C69A7F6F4318BB58A5E5D4E288AF44E0253DA67A2E4490FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000027\comments.win32.tpnMD5=D7F48E389FC7B4979710E3BED44C105F,SHA256=DC0E905B47512AE666D0C4E351DBC1BAD1B13DE7CC19A64FBB568EBFD348C3E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000027\comments.win32.bundleMD5=1B33B7C85E35C497C11DFC5D3A5F1281,SHA256=ED3114B97E109A6310C9C69B3596F62C2822E8984F539CA8F2BC7738863FC059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\strings.resjsonMD5=D8F9117E0A4A68E32FB6EBCF448473F0,SHA256=560315C60ED687B6DCA3E10D80BCB76547F77B3E5F1C00F73AAEACE1CAB1BE1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\manifest.xmlMD5=6A53C3AAE0CB23BC87BD305F5EB6EE69,SHA256=7DB9A76ECB5D8A9A080B4605DFA539A35D3785C0450B89E2837A73CF2514982E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.412{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\catalog.jsonMD5=3ED7CA5D37EE0DC82018735064B3BCC5,SHA256=9828656396257C1F915C76D0DAD705A25B75B31B339A5A59DED44695206F7206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\CardViewIcon.pngMD5=5FDC02DEA317B399D2EBBA270D815D42,SHA256=7CDAC1206C933B521CBE3A41E9F2425A8BCA4FDD59C98E2A5E5F48D410A7D925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview.win32.bundle.tpn.txtMD5=49DC091696D6A9870BC2512AF413B76D,SHA256=D9B269443A8E0360FFAD9BF1F3C307B17F87223CF99137E8D2A90DF0778AA9E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview.win32.bundle.LICENSE.txtMD5=2AF46AA8DDFF65B0180B5F8B778BE7F7,SHA256=B8C1D6D488813E1875307BD002A5772C4C4FAF8F3C0BEB575C594C76B13AE856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.397{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview.win32.bundleMD5=B4F9DCED226DDC0D64CC7B6A94E5901C,SHA256=1D8EF00C69174C0A0A28EB24D7DBC6A1CF37C6A0362CC12F55F2D298A03B48ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@4x.pngMD5=602B7212331164E6E557A95C77115FE8,SHA256=BB4480C3E4697AA2ED66748010F97E9709F6B5E947AB9F0FECB0669107A698E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@3x.pngMD5=9A9025F8A854155687FD7A7B5E32F3FE,SHA256=3D198834422582E8EFAAFC99151E3FFE2DEC2CB7DDCF9B803B6F688F1E6E8576,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@2x.pngMD5=E9C12878120C827268A9D569A6BD403A,SHA256=3B2E56D7D50CC9AEF9324E17E888C5B504519EC603705A7BEFC439B23AB83D92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.pngMD5=CADD7F8E8E8136E9BDC53DD103BF5CD9,SHA256=5C81A4D6BCC1B5CEAD78340BCB786DBBD0DC69BA9BCB2B0A7E53C6B2DEC11D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.381{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@4x.pngMD5=70489FCD5FA727806DF6F9FD6FE5D53C,SHA256=F7D2AE8262ACEBEE238CB1C0886B5859945CA7D59F458112383F73B5E2AACA8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@3x.pngMD5=FDADF465C967675D0AF5C97D6BFE0BC1,SHA256=62651E0F731BB9C190BDAEE102C7C79CD7EDBCFAFD63EED3C39D5A161BE6B0BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@2x.pngMD5=E69B9CD5EDFF40F6783F232C370D6483,SHA256=989234A844BE6509B4CE803DCC45B7BCFF7B8781279F0611C649086B05A4B617,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.pngMD5=CF98998EA5C3B55DA4978C6F528CC6E2,SHA256=53F2B4D59D480E55AB03179481324C960F3923234F72021BD383964D262560E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@4x.pngMD5=E7630219ED4F414DA14DDBCD965EB44C,SHA256=32E5EB9D49C6EF16ABFF4E0E294CC345AAEC8A74CE5129DC2A437421ABC7A560,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@3x.pngMD5=E67DE0D4E1CA00FD81E4B9B399E1DEC6,SHA256=429C4D4BBD5BB5E127F5580A531783C85C6ADB7B4A80F0A5269A2A3B6A447579,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@2x.pngMD5=C98CCF6342D631F2E6BD90F875D2D60F,SHA256=222522B0C995A625DDEDD6CCAAFD9932175B05C946E9006F4C7F78622F1217E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.pngMD5=47CB9A15584C3022EF9200EC88DB503D,SHA256=080FEDDF0204EE511B80C8AABD931169F252E4E464C39CFB8C1F33342E810568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@4x.pngMD5=F7B2F39E2BCE73D1F6CD3588F6967F4B,SHA256=87A2F985305D5963BDF18D258A7B2C5699F1D636F0258B4C54AD258574C92850,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.pngMD5=E84BA52D2BDED344230B6D190372E45D,SHA256=6E8065E05F5628CBCAAE5679D1169D3AB1192CC2D74AB60EAF86399B19AE8B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@2x.pngMD5=A2C27D98142673492FB3AB77F094F0A3,SHA256=B1EB7134F9C5BD6707DCFE775940E300192F4EB7495189E59EB9F4F492E1190E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.pngMD5=ED3494CF8EC469636118AD827ECEE6A7,SHA256=0630C71D309F549234168B1A4B7F499A4B9850BF9FDBC35F2D5897F852292F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag@4x.pngMD5=86B2E97CBA13D6D0F910D031DA2DAF9B,SHA256=9650E8205E57A4FC31E412BF463C37EA30250709B9CF2F9F97014FECF39EAE76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag@3x.pngMD5=53150A6C7673BBBFD9FBF844EC87C579,SHA256=37E12F983AA8C5AEB99B6DBCB39025A822A9B86A539D5ABE412800DE91E247C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag@2x.pngMD5=2AFA44D4DBB6C62A2511B33747053CD7,SHA256=E179C63D99892A39D1E162EB1F10E3CE40C397AA5103E9078A47D670689DC469,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.pngMD5=D45B5CF08AEEA18A6D7205D470C48F51,SHA256=D6DD6E7DC6584F35993CF8D51AF5A569F947109102AFD52F05F8E99EF22789ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@4x.pngMD5=50B7EE65A737BCA0C14859C5E585CC6F,SHA256=FA1DF1307459DD7EB3B30084D1844C9F2E3CF1788AC209FD407AC20973AD6A86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@3x.pngMD5=298D4623458A2A114080B6CFB12F78EC,SHA256=0D6A41656F0DDE7F54E818742952351F8A62D0264D31CC258A0EFD67876DAAA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@2x.pngMD5=D19E27936E11E2C0D36D85ADD50C8E01,SHA256=EDA8C29A93550D166F955C5053EE100328194795062221B913A6E120EEC1464E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.pngMD5=C6D029AF7F89FDB803D9DAFF70A2A1F9,SHA256=472D20C7232526D267102DD1E2F03B9494FE918A3D548C596F4D21191A754495,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:26.678{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CE5CDFE7518C9BCC672794ED3B84AF,SHA256=F0ED2938A14CD60FAA5245844F8219DDDC52D60C0F4603EF368EBB8D39CEBD74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@4x.pngMD5=2C905FDFEB998482E19691CCFA629FC6,SHA256=E1C924C3DEE911774EA1C95A293547C7C7559400755CA91EB2515413C0DB25E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.365{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@3x.pngMD5=8167F392A772C89051A0295B099D2FBB,SHA256=EF17C6ADAECC0DF75F8D8A8D368F489E383ACC09A7AC712185DD82BBA5389005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@2x.pngMD5=F31B080F4BC88F2BDACE35EE08A4E4D0,SHA256=3F26ECA29F247B440DDB6DB0CFBBE161B6EEADE1698FC69CEC54AFE4C4C14EC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.pngMD5=8846E482CC4E931A90C5CE6C4E9159EF,SHA256=243AB60A77E796EA1497E657DD3C899D1955E8A4D2350844DA90C099C171A225,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@4x.pngMD5=642B4E640ED88F2CD1EB130B72C545B7,SHA256=B5A253E98FD700F360DD221361361F2F3602E7F6B84C99C572A651EA4D8BE98A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@3x.pngMD5=6D7A172EF8F4DB22A38E21C5C476FA4F,SHA256=F88D0C87966475D8A8B9F2F71E166C1F6C89118D95E274831146C955AFC40554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@2x.pngMD5=E3158261B6015DEB8A26BBC0BC7C6C60,SHA256=D84BC9CF30F1EFEB115C00F592C4915E96D6571E9438D8B6D5B06D40C29B033A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.pngMD5=9052DB248FEDB37B82897E37CCD1DE26,SHA256=308036E80E1A90CF35160D9AA7116A6CA2D32C55B3666885108B0EF094700B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark@4x.pngMD5=EB3F60D32526DCCD0BBE5A36431B8EAE,SHA256=3114512FBFF2B05A10988E34D93993573CF6CF3C11B9A054BA7C756EDFBAF347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark@3x.pngMD5=6691C021E37817EDA4DAD76675FD30DC,SHA256=590548A182FBA7B70647289238CEE26C942361FA670EE9DBC469CE63C5A9E600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark@2x.pngMD5=8E8AA56B646CECB71009ED4E0CEDD3BB,SHA256=57FD5B011D069ADB3E865365868CB286A58BC628D559FE2D0B4124066160FCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.pngMD5=36C49CB1ED04BE4B61881EC9E09FFEA1,SHA256=F6F3E690C5FB375E4B404707EBCB69A3B9D0B473172BC302CB76E79F02D4727D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator@4x.pngMD5=69E43B1E78F78B8F071CBDCFF1B0347C,SHA256=F531D90A644BECA4B42A2D8B7617CA09AA1C69C342A576881965DECB62362030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator@3x.pngMD5=EBFAA33032EAB84ABF00C39F34308C08,SHA256=EA14A65DCA4C8B5760B7D66C0D3EB93E65F7887C098D0CC006FA86AE85501285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator@2x.pngMD5=7E04DDD07882A82A8CFD15C42F9AC241,SHA256=8C4D1E8A3437CEEF92FED87F3B6EF1AEBD57BD7CA424632D4051BB61C4C4F928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator.pngMD5=FCAF19407D509F03440A8BCCE26A1DD7,SHA256=6F9CB10DB48893E6DC5F5E78F7C34E3B2FCBF3C93F01A6A803238395DB9644E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator-dark@4x.pngMD5=FB0D8CAD35D1A093C1C9F72A2110F7F0,SHA256=25FAE6EA6A12969B5D66CC7F2CB834A314C652FD09C6EA5C013E2FE4F348CFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator-dark@3x.pngMD5=93369629A4719DD4D77DD788141D28C6,SHA256=6B2DFDB91DBD70FAE5B5B2E15E308264328D42392290EE30623224FC9910DBA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator-dark@2x.pngMD5=036AB4AEB5B6AF462C33F0CB3E7C5C86,SHA256=210D03A9BFEC985E388C7AB7BEFF99141EE2227E8A282C2C31B8FE1284C491DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-separator-dark.pngMD5=CFC19ADE1FEBFBF51ADE5647EE93E07F,SHA256=A86FEFCF08DD8A9ACE00AC267D02FE88E7A9068BC3849EBAA0A3E049333DB884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow@4x.pngMD5=B41735037E519459FE991A1E7A1D4F69,SHA256=CFB3DA4D28990E9A46BE707D2E84C966A83A0865C9784667F10C8739DFAFDD59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow@3x.pngMD5=A991EBE0F9BF318A76B24F5BB6DFBE65,SHA256=C39C61139C7162E21BDB030CA857197D9E2CCF10E8108B03F9D8E73D6FFCDFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow@2x.pngMD5=ED2CEFFC0EAB6AF4704A621C3551AA2F,SHA256=49EB2087146E432684CF2CE61762E0A97E20B85CB6785ECEA085EEA2AB6E6DDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow.pngMD5=44268A87F6C867F205678E25B0303966,SHA256=4261D3B3BBF8220557DE0D6463F589B9C7A9F55ABAEE939AADDC36EC1E34F2A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow-dark@4x.pngMD5=09843D22B81D6D412945B1A4827DB8A0,SHA256=28184CF22914198CD3CE164BE3F1BCC306D2D3F9F39B3642CDAB0B8404CC86B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow-dark@3x.pngMD5=FFE244AEAFFF189988F68E3EF3E71743,SHA256=CA42C5FA96680A61C11008BD917980DB7F3EF0DDA894013F06F614867A8AE5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow-dark@2x.pngMD5=98C54BEAC7878FC05649AD7C1FBC8B6E,SHA256=CC2CC1FB7ACE89D3644956E03F4A41DC4AA1FE03A04C142E41E4C94CE2FA509E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-overflow-dark.pngMD5=BE3CA3CAC6D82E622E1AF203F1C0C562,SHA256=B689DA3DDAAA7EB495785B6B437DC0BB34CEDB20031DEA0460B6C44B03F7FD1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret@4x.pngMD5=2BDEA63FD951D5093A12E257A6929B85,SHA256=BD37FC8A44E58F249BB498579C9EDBBAC864456EAAD929A3CCA6A96D8E004F10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret@3x.pngMD5=1854E02F6FAB62722F11C8E7498200B1,SHA256=E5AA17519CD08C0D022561BBFAC65597758CFCD9A8CF2AB4E6C0E489824E5059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret@2x.pngMD5=1F13DE5F93E10EB4D9195862CA6959D2,SHA256=794AF163F92D7D8721AAD5ED6C3C81494560272F94EDF59B7C4566644A38EC90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret.pngMD5=CB77E864A53BF0188A383C12B3FBEA32,SHA256=5D077D334A8563B54B422C1567765B2C6349DE91DC9B8BC2D7F7146FF3F7DB10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl@4x.pngMD5=47FB1561CFCE8A0854C4A5376B51AEDC,SHA256=2BBEF269EB3452A6C874ADFE119ED127BCCE97D70D433DF055670B5AB02AE842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl@3x.pngMD5=A456F1D9E3ECAAA654B59045763D766D,SHA256=8D740C32CDAB565A0249E019630260330647B5C20344C608B6BEF3899FF58FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl@2x.pngMD5=75172CD580ADD7F92D76F3B3AB70B9A6,SHA256=F9F626313726E3E9FC962389682801D8762D12A21578E9AE0A6108B61DEA6C0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl.pngMD5=4C79DBC7F5D6B77468CEE08DF9A7C23D,SHA256=BC0FF89CD415935DE98645DB1A5F534528B8C233B0D83AB2EF177C6A8085E041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl-dark@4x.pngMD5=24C8F7EDC77F0D636D213AF7C48D89C9,SHA256=061E851C1321A6F257116AE1676AD2DEDE867D8327B2092871D1BA11C8559438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl-dark@3x.pngMD5=34BACC2913C53F8AB06039FD8C8940EC,SHA256=0ECC7DA26E8D2698C5E713AB617A8397E501C904E8799C78916ADF5CCBA78DD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl-dark@2x.pngMD5=92BFCE852509AE5BAA51F8402FCB0485,SHA256=60A73C7730D627F1F7D7683C8EF02A0C5524D2AD9B837175A170618447517660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-rtl-dark.pngMD5=C47F3E09005C3CC8CB794A1A0DC8208A,SHA256=78BEEBCCFFA22B823F1CEDD8BE88270FA65956A3DD0EF1DC7459B656B7CA1DB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-dark@4x.pngMD5=AE52C74B4DBD83AB1874C66A9BCDF7CA,SHA256=42A92D470BD71A30E92EA56E6BAFE2B01ED33D0D83D11F5AA9A8844C74B8D58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-dark@3x.pngMD5=A3FC6DC1660A511DDFB2188914488B6A,SHA256=0D8D6BB023A27CF1147590629F89D701F10157AE254EC4D705D93901199790C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-dark@2x.pngMD5=DC6647879BF7C07019453E3206D25B5B,SHA256=8093773C70DF2C0CB00F9DBE1188F2C01295ED820C54BB0849E0FBDBA071790B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-caret-dark.pngMD5=CC500F5D560979AB572500A8EE92294E,SHA256=59B21F2F8053A4C5A895F8982D99BA494E5879FEFCEA1968B08830EAF3088A07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow@4x.pngMD5=289D70309F06527F79F6F25D1F470F69,SHA256=BB9AD0E45D85874464D6D76B685F90073C4CBF178D8BDBA7D61D7E0CE70E152E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow@3x.pngMD5=8AF0F3900B148A36E18DD318D78DD0DF,SHA256=70D2C877736E4DBD2DB51FE41599CA712582C0BEAAEA135655E2CE0C5C54B86D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow@2x.pngMD5=4DAA9C9BE5E5161154F2A46A6B9F03EC,SHA256=BAE384CF5E25058DD31BF51E1A94BD10BF0E5D9E46D7DD1E09E7170E7F289C16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow.pngMD5=5158C13967505DA510116076A5DA4A85,SHA256=613CB5C78A295A8E21FEF7CD9572CEAEAF254BCCA50F7A0FC362266A1A8B98AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl@4x.pngMD5=7644D75B199C98B1E72AEB39A03EFB42,SHA256=2AD2EF456C8E16E07706392D0129712C25E8787AE405B211555C13EF9BB40DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl@3x.pngMD5=61A1871F6C3835E4E62339765DEDA3D1,SHA256=EA975DB3EB49F870C977C70EFD5EE34879CC1C59D5ECD8B22EF34035DC28F72A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl@2x.pngMD5=76B7886651A14156536A1B47704859E9,SHA256=DC5AB9D3660F4A20125BB29C37CDF9ACBDA0472158BC94B00C71ACEA25AC4060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl.pngMD5=D4D4DACD9573A83C4EB2C4834D7DB3D8,SHA256=FFF4FC42E0261D5EF95AAFC900BE06F53A69A77A268FC00F94FDEDC08C384DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl-dark@4x.pngMD5=2614FE84FD09C741BD84770D04A10934,SHA256=0F0C857F7FB17EAD4B85797ACF23429247035F4B9E3F5783510B2DA81EC82AC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl-dark@3x.pngMD5=A755365AF7BFE5E2DF63B9819AC644A2,SHA256=2620E517A5A57D4A0F8D4C8FD7F4D3AB0FA7E694CC37D2057411A6963AEF163C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl-dark@2x.pngMD5=11E30CAFFC18F2E95D4C0F2BAB82E4E9,SHA256=F4488D292A8F29F0B517AE9902FE8F2EB076B2F7EDC5FA26A77E0321784B8374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-rtl-dark.pngMD5=F909518E678B37CAA662F01999F876B9,SHA256=A585CED1E8246783187AFFAC987AFE1C64C5AC80AE7B619AE8E7DA955B7D33E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-dark@4x.pngMD5=53BFD9E162831A83AD7502759425D087,SHA256=86ABADA817C9779870A2D1D01B7FB40AD9EEA426BB87FD3B3ECECBF80B2FF286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-dark@3x.pngMD5=8CB6C4FC18EAACF2FC6F3B422F0E1A8A,SHA256=C43B52C5273B3233D3D24A793FBCE314ECAACFCFEAC9216EE1202D68B58F1611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-dark@2x.pngMD5=A3C43F927705E6D54D6689D1078A704B,SHA256=9C69947621975174DF3C88A56E9B6C3E4A06CA7590577E8C258765BF12F1F6E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000018\assets\src\assets\sdx-cardview-backarrow-dark.pngMD5=43570C02F318FB08821086E0E86BB3C4,SHA256=11BF50D10F4DA219F8432E42937B7AB495C6A89F54FC62A7E1058B321F3E20D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\urlmap.iniMD5=ED1A32E932203DC9FC7219378C262C03,SHA256=75D7E8DF4BF4A9671D554C2F593815EABC4258E15715E56CAAEE237710707D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\smartLookupIcon.pngMD5=5196AFDBB4F440D006E6E74BB1C831D1,SHA256=4A163125E8428718C5289B2F72A25D165B52473C344357B034F2D8B5D7A55A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\manifest.xmlMD5=D153F656666A48949453BFAB1ABE0A94,SHA256=6536851C2B55B837FB27697EF47A389EB55E8A079F1558D37554E8AB4BE7078B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.318{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\word_4ce4a05b791a68198d52edc311e474b9.jsMD5=96DBAFB2D0E1CDF9D7FB1B23586C27E2,SHA256=982F0388298971EBBF3F2221B724C53FC28987A24A25A424EC1EBBE1E51A157B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\version_f5be7499b9bdb333a30ce9f03024418f.jsonMD5=60D086279C5E5E4AF572DC1BFFDA5084,SHA256=D32F85B651AED4F7AA2955B554E5831CD4EE38082FC4F0657AC7CEF149C39024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\urlmap.iniMD5=ED1A32E932203DC9FC7219378C262C03,SHA256=75D7E8DF4BF4A9671D554C2F593815EABC4258E15715E56CAAEE237710707D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_dd9402ab0419469bb0174092ef65736e.jsonMD5=05B4146D5F5067864107D61963492E1A,SHA256=95112318D7EAE9614BDD21345EC988368EFB495E3B727AED07136CC2BE394F67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_cafa4bc48b545bcba65b38d2370e2fa9.jsonMD5=5FDAC4680FDFBD81672BC9FF9CEA4764,SHA256=FFA66DBC64685C2C02E6F21F63FC522E65E6733465051D8B13BEB296E2902BE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_b8805cc6353e728319035ddf987440cd.jsonMD5=38C15E983E6AF377205E63C8D535CCFA,SHA256=A50192C376A1D97A0EF1233B9BE06B36737C57B427AEC6C791BB0EC433FC40A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_b84181f371a0f12fde22a5652dca1176.jsonMD5=7352E9B32C43CB9DE007AA1226FE4FD9,SHA256=5D438979CDC5F4D6A22F509EB122B4ED37DF4AA6B1074A7DDF145BDCE9F599D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_b01999d0d0b2011e823a3acdf0c52443.jsonMD5=7CEC6921AEFFBD483E2FC5C4C8779A21,SHA256=C8DF278961712C6E9D38625BC2A19A51BE1BD98DCA18D455DDF5B8BFB7426FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_6f13fbd478f6640ed120659c6943d04b.jsonMD5=908FE861A0972001FB8AA98D1C0FA3E8,SHA256=63BEFEC3CDA0FE159D4AFA3CEEDEECA84EA7049401A452EE5DD490EA4E92DD47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.303{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_5d8ad69ef82f9adcf969fef6bce4d4cf.jsonMD5=BAF56124F1DD7D3593CA7D2452CAD392,SHA256=6110CD44E349C6A9A1C588D67CFA8BE793A91F16E9AA9A491B286BA2C7F2650A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_370d955eca721ce461697c8ad4825f32.jsonMD5=A2642283633D2142412BF74FF1235692,SHA256=3F1BAEC83AE96ECA80C8795B6CBE7DC547CEA8E5EF159609EEBD9AAE50C5D739,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_2a688a1edc642378b791210056a0af76.jsonMD5=1B3963A4C9A55BD23267D8FC08EE168A,SHA256=751040C5ED7E7CC0B63FD16986DB31E6EF7C3DC1A68C1970A30E01359EF7B515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\uistrings_0b013255a0fd19261a0a4e37310b8570.jsonMD5=56442FEC4E942BE67C1034A6D067440B,SHA256=802FFDE4233FEFDDA2BD4701317688826C2E6DA5476CE950F8201B3D7F63D261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\topicIcon_b16037638a4ba876629af99984981887.pngMD5=FB251C086673E216B820FF28303F2D32,SHA256=B6586EDFE1208566CD194CC6F5ED6F08F6651D7CA87BB4351A1B3C41BC931023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\smartLookupIcon_da35b2f1d1041698116a2ddae0f48327.pngMD5=5196AFDBB4F440D006E6E74BB1C831D1,SHA256=4A163125E8428718C5289B2F72A25D165B52473C344357B034F2D8B5D7A55A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\searchIcon_fbc2fea530c95f0c74d758bff8a6b1fd.pngMD5=02B3014647C3FC9843EA4AC11B0A9E71,SHA256=EA13128129A4F225633CBEA86501DD14A6F4C401282EF6FA6E42C5842D3350BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\samsungIcon_85a6c6ea2c15ba57eaf32060960588c4.pngMD5=E14C950FDECEB4E0D24FA586C4ED1A9A,SHA256=E16B64FB4416B159F39FD04E3A8E7628BB4AD6DF90922EF5796F75213C538385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\researchericonsb_e95867439e0f782d25a113dcf462821a.woffMD5=341713662FB8C3BE8BCB47DF5BA25E6F,SHA256=A2C4E7054E4C6002D3EC1940AC231A0E9C58B7B91882827E3EAA9DCD4F2EA4BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.287{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\powerpoint_200394254d85b2ce6e3fce0c26c3085c.jsMD5=91316C801D2259E591F0FFBFFDACECD9,SHA256=AD2B9EB19B620B01F680F8F62F206AD6946FCE43C3F7FCC7FA7CC7228D24E672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\onenoteIcon_83e8346eb9d71b661ec49d3adbab6291.pngMD5=CD2249667D608918273543EE8F8CA55D,SHA256=BD8DAB65DF340E10B265BFFD2787F189C97519AA5BAF54D0FC7231B3EE6E2671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\oneDriveIcon_9a7317e3c933f95b3afc03246d36ebc3.pngMD5=EDD061AA8CCF5D22289D7201D6B1622B,SHA256=87E0D54E8AD6E7E4A292BFB9AF7CEF64F9655A6EE75612244B561D334E46D755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_e8eb970f19e88996bd36f229596676ef.jsMD5=C4092B14BD1906C2F2574CEC5230851F,SHA256=1376EC969C4C86EEFBEA7B0331E3694C21CC51645FA72DC32367D8A6C6E7151F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_e1e2be1cebfe351ae478a9546de98976.jsMD5=BD8358349419E0EA416DAB8A38B5F220,SHA256=03CAFB2E092952FE515EA78B8C74BADB364E93CC19A02255AA5782B58CE50BB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_a1c45df64982b948a74de074fc32e6c1.jsMD5=CEA06A4759AD96C0AAA25514A2C9C865,SHA256=EE1CCACB972B5C6B6D5332CFB8DD886719787C49D55E71466614004E667B44B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_8b2183a1c5421f28896d536c48435ef0.jsMD5=C10A900988EAD570F78778AEC656F122,SHA256=D9D4B93B32702DBAF43098A30182BD2D84AD7D09E1650FA402465D5C784F0C40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_89314a378424fcee6bf3aa427b90e792.jsMD5=D4C11CB6365ADDF4387DAA0675AA3FFB,SHA256=30567F4AB4CE02CFE048AEDC3A31FB6340AE05E35F14730C668667CCF1DDB8E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_82cf8dccf84ac736ac04bb7e599bc596.jsMD5=7A2B97D46FE402A8A14B26C00BD8382C,SHA256=46BF3C0FC85FF2CFA4C95E376B1A9BEE4A88D043759E68A293413C29AE0695C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_828d1c07bbdf7bf0c9b047883fa85dce.jsMD5=46ACC63051D510E8F53877FEE7135E0D,SHA256=33AF69C2768F6D8AAC9C6F67685E4CDB451410CA83603CE24F0FBAB80A43DCA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_697f96dbfe908df9976ac4b460f6a0cd.jsMD5=3398458E7515E55B82141F4E66421E44,SHA256=DDF15BB329CE032F396D6251483B24203B0472B758506B06F05FE7E0F3E2AC8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.272{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_3e303795af1ad7a38eb6af53bbc34f81.jsMD5=DAB35B92EA492E7E315EF89FB97C0A1A,SHA256=CD7FBDA1E1C2C8F6D312BB201764EC3797A1463365952537F208C6FBB190FA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_247f8f78dd7820085808b5e8fec39119.jsMD5=92A3DDF4C14AF9EB4DB2939A2B2712AC,SHA256=5B6D3F98F8A755878F226B38FDB1F7C31E67B456221F253B70F95AA331668594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\office_strings_199ee4d44137aa5267fbe3c0a2edd335.jsMD5=21406DDEF123E9EE6A74091ABF8515ED,SHA256=1F02AFDFCA35F0B9B883ECD1CC5D8C26A93AE0D59F848164AE2CB86722045585,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.256{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\microsoft.office.smartlookup.ssr_b191f4e37cf056035c0f7fdee974c856.jsMD5=7166FDFAEA16BC84E1E277C78ED196CC,SHA256=5F06BCA20CD3F09E1ACE3A2BB0CDB1AEFC097062BA3B72226DE89853EB3B6C2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.240{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\main_ssr_46c487d6d7b13f230c7747eb828cadaf.htmlMD5=33446A5B18A89AD433C3B6975BA3DDC3,SHA256=EF01B8DC6B342151424BD0E536BFCB4AF1708C3C075C151657C133FFA75C06AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.225{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\m2_colorful_b2e1fc6a95c2aa8faba8cb19e7c9c882.cssMD5=D26D990A01F4D3B0175E09BA2368891C,SHA256=640CB70407D7708BE86EA1205E48EC8851B8B86125E3BD5437293C7BDF11FD28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.225{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\excel_68ec0aa4d32d41d1333aa7055bffab5d.jsMD5=222D8F221C3FD37EA144F1504CCBCAF3,SHA256=333B8B6F09DED409EEE9E1BBBBAF99EB953C215326D8A886A5C339862BEB3581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bookIcon_fcbbc341e9278675669f34f98c743680.pngMD5=D804AF5DA6761D9AD5D4F0C5777F608A,SHA256=C5FD1B14D632CE6600902DDA7827DA81BFB39D39D015E00A0EED34DF993D527F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bing_logo_hr_a306e33152ccbd76c5bf5c8a348ac4ba.pngMD5=9D2262F3E2EE4CB9DBFB234F3E913AA5,SHA256=A89D2780D13BA3A1019C6BA89EE1B0D7EDC084A45917F33D0B8ACF5F63257A34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bing_logo_hr_2de4e33e5e7e5a691c3b649f3d4dd57d.pngMD5=C7DC234DFA2A908E781825E4B5C6F9FF,SHA256=0FAEA4C528D64DBBC0E9DB182001EB15CF735D1F63440CA851B48E069592AC59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bing_logo_63258b0292d3f17af26392290f7e5a53.pngMD5=BFD05800B1D9204DEAFB0476101CC749,SHA256=D95C7EF297FD5E14EA87D4AA212D0E753A61447E9D152A83F9152F1EA1D0804A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bing_logo_4bdfa776ecd5d0e2df4c618625b9a205.pngMD5=935FD6897F540DFB6446796F82FFE8E1,SHA256=0C0FA75B85495D4B2087069B4C27266452422CA3113B0C40DF1A42E7B6AF166D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000006\OfflineFiles\bingIcon_feeadb2a8ce8ab1f88a97e90d98892ff.pngMD5=80450BB4773057ADC0E8D1289C886824,SHA256=5376DF7214CFE11BF8CF786AC56CAEE0C586C30EE7EEA47995C9561CAEEAA15F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\urlmap.iniMD5=687E906945214956ED35B9A3CE39FDF3,SHA256=9D6F81198E51CF11DB42C9C2877F75E87D6D9F82A170FD9BE3F38A594B0A6F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\TranslateIcon32x32_1f2d44713f9f6ab18d3b456732a6cd5c.pngMD5=8F3AFA12B900AE59CC14AD46F94FC930,SHA256=57615343CB5DEC0E2A792C544AC8C98C191251FE09A14A082C847321E3B22F14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\manifest.xmlMD5=BC0DDB2C50D556846E0AC1BFF019194F,SHA256=168DE91317D5E6D0A8A03BA15F2ECEA79DA3D75A611C912719B0D4350D8CE65A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.209{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\word-win32-16.01_ed80d9cc3e5e16021558d5eb7a01e861.jsMD5=B2D871C75DCD992716974A93F839900A,SHA256=E637A277BAFCD8DFEE4C8752B336B4F43308C717498A15FAD8C4E5EE2FD53B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\urlmap.iniMD5=687E906945214956ED35B9A3CE39FDF3,SHA256=9D6F81198E51CF11DB42C9C2877F75E87D6D9F82A170FD9BE3F38A594B0A6F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\TranslateIcon64x64_4a1bd8d712f9ec5f0da0b0e389dfdc1d.pngMD5=0C675E7E6B1E3F1ED30758CDC3B5ACD6,SHA256=377EA076CA783F1FACC7E0B49761DDBAE0E8391B951D2A7A66C4E09E80EACA2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\TranslateIcon32x32_1f2d44713f9f6ab18d3b456732a6cd5c.pngMD5=8F3AFA12B900AE59CC14AD46F94FC930,SHA256=57615343CB5DEC0E2A792C544AC8C98C191251FE09A14A082C847321E3B22F14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\transition.min_a0b28cf457c0dd6e141c9c00e504b0de.cssMD5=484A4DCAC16847D00A87231E4C41E074,SHA256=FF4DC5C2FF1EA5E5A340B1367EFE3A2A5A73ACCD1E5DEB69D8A84BB5FF29B899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.195{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\segoeui-semilight_b5b989eb23ca971f099562b180324310.woffMD5=897F07BB31E3216CBF844B2C09E2CDE5,SHA256=D80D802E75F507EEDF21E356E97486E64D3E95AB39D05C6EA8C8DE72269CDA8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\segoeui-semibold_adf3bdddb5e8fdd95786966de9f5c041.woffMD5=6B8D94EE3B0185FEAAFE1F19E9587F1F,SHA256=D3C4759FF3ACE9D0C256C41D8023F87937D09910B727976A9E849122AD433522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\segoeui-regular_b37aeac7678a117d1c8465480715a4b8.woffMD5=8E5BEAEBB27BBF92146977BD1062EB11,SHA256=D79AD533ADF61E76CD74AB32D3D2F53AE11F50360F2F7C95613E4D23787502A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\segoeui-light_4b1c012d11ad79108a2eef4959135ba5.woffMD5=E48EA1AC1846A2E80CB60F9A23494A50,SHA256=A44F35560504D57DA16A54F02B58F02E1873E9F2FF905941E20573F24AE8A7A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\react.min_f22492ae996884949f5f0e0204796add.jsMD5=0DEDF3475B2F1E2D7DA6BFB3D8FFDA4B,SHA256=F7EBD2A9AAE0DBD4A44593E01EA1A16A4E9F0270135377C43E4375630FA2DB9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\react-dom.min_27a8068f7845b22ea825b6827cfd2b10.jsMD5=5EBC6EAE0A9381D2B4F7226884014CAE,SHA256=B29F279FD0328476A46B189BCEA42C22CB85FDF350E940E1C0938C00444CB31B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.179{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\powerpoint-win32-16.01_2c90016cf355d77927ea709f3a928ff1.jsMD5=CBE02973A9D28731FE2D352AE2F2E3BB,SHA256=2B5CC3E26CE6104D16BAD4D3354907ACE7615F602B0918DB0144602A839A42B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C9D2768FC0326FA45D2D855F10D65E,SHA256=844BE8E7D57C0EF3F7858ACC473327E4BB74F60F30EEAAA9516A8A3573DB4D3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.175{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\override-onenote_6338dc399ce9c5ca929aed55065c4a07.cssMD5=45992DE745D6D37E59B789A17D27AB7E,SHA256=51016E5295A2147AE3DB8FC31FEBFBE761BF7B51D3137459DB23B7152A133102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\override-mac_f76168c82308f7c9849fd2840fe8d259.cssMD5=9F8BD181B137B4A8F5AB52CA6D238797,SHA256=A6491037CE2EE3D596A9B0A430D7911D5E7CF4B81AF32BEED4043B19762D99F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.173{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\oteljs_e579e36d1615cd8aaca470d9521db7dc.jsMD5=058417DAFB7ECA253C26134BBE030137,SHA256=585F8B00B6E1A2175360E7D991A1A2D60AE135DF2482034A7F7CBFBE10A62B52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.172{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\oteljs_agave_1dc45f7a7be81b74944d97fb2754ebde.jsMD5=ABD7110EF0E4C2F7F8900CA2F1E46431,SHA256=8D8426CC48710988BD62EF3BA4148103C719F4B3CE40A3407BC6E3FB597DA825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\office_strings_247f8f78dd7820085808b5e8fec39119.jsMD5=6DAE09CF02392A81E6E6EC201C1E4703,SHA256=960F8EB4DD53639D78CAFC1C92D9F51BA5CFE1FC77F69BF0DE31D93A6CE12CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.167{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\office_2e97d65336bd5d3533e966e9de09077e.jsMD5=145C4755DE2815B6B4AED1F0A3909765,SHA256=53006D3434A0F5C6B4300A8560D5244ED54393CF347C22A45BF731A4C2FA9563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\o15apptofilemappingtable_0adea789fd8b78dd36198df126e1d6b4.jsMD5=D37774BA8CB4B31CD21B5726E256A6CD,SHA256=2490429F5D9BAC55D691CB2CA5A080C4121C3554FD7646264C7336ED3D3EEB6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\MSLogo_309b8bcb733f64e790ff5eaa74076fa9.pngMD5=9F14C20150A003D7CE4DE57C298F0FBA,SHA256=112FEC798B78AA02E102A724B5CB1990C0F909BC1D8B7B1FA256EAB41BBC0960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\jquery.min_a9aa74d836a33524bde3e897ad35f5f9.jsMD5=475F3BDF8D1211C09E8B8F1D83539D27,SHA256=E83C17BAFCC92FEDCFD3A0D452D05FB176D1BF87A5FAC78F89C400E11D82E00C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.155{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\index_8ceba61edb30c637224d774a3b44d863.jsMD5=8CEDB3778DEE52D4E431E79096F5B44F,SHA256=729C1737CAE735C2C08689A3D9F704296BABC003E236F72BD7A1B074F52AA895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.132{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\index_4c9490dec8f0360011c7fa0a50ae6d8c.htmlMD5=ACB69491DB3350076FEECFE1A0596160,SHA256=72B84A6DD88F98BD391A3459ADE6C923AD36432A060A3E0A14D5D6644BB53997,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.131{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\index_0f04b91d96ac2a62fd94dba0e48647d7.cssMD5=FA4DFFABD477012616505352CDF8215D,SHA256=45330B116034BE9240CD96F043AA266950EB0A39640FDFC44B184A684BA676ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.130{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\fabricmdl2icons-2.38_7902e1ad6fae63779becd982d55fc755.woffMD5=49177F093B8DF96169AE05E30C057494,SHA256=B04F780EB91FB9B361EBE091D58C499333DBA57648E1ECC9C85678387178F64E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.126{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\excel-win32-16.01_300069b6e101288c1fd6b41b0047e111.jsMD5=7F4C7590143824F39B477DA4D3293C41,SHA256=39000223D2349C723BC4C6DD4ED44D3D6F6D9CCA2874AB2BAB9E426169AEBB8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\dropdown.min_ee47ece9d48d13a62b12e60120b51d46.cssMD5=1D5F97FA8AF469FD21BD1183EF820450,SHA256=21658C00C91C14B9DEA0BE1D5962E19C13779F5E6B40FD62724A061C6399C45D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000002\OfflineFiles\aria-web-telemetry_2f887958b7dac9ae6002b7a964a7a86c.jsMD5=AB160CBC15A05701D835200E65385636,SHA256=4B01583F47575A9B732D2CB98E019066E540F653CAE5DB198FB45E19B9E3A860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAMPLES\SOLVSAMP.XLSMD5=8A54C32B5338611ECE0C12DF99D6BF8D,SHA256=A25A3D60E4D873D6323CAA9FB24D61D811C4A39AA664BD03E6A087175790B761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WSIDBR98.POCMD5=DEC73A77BC032FEC7DF468F0E512E3EA,SHA256=C8E69DCDF44015D24E6BE9AD88B3810D236E927E05D4D7708486D512F846BCF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WPULQT98.POCMD5=7027A8D18C6BAEBBC5CFDE79E2AD9F39,SHA256=0A9F86F61C6A58EBF8811FD4D2B58649E153B58318CFEC23E25F3C339AC70936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296BE2BF2E81B5AF0CEADE4B474D2CB0,SHA256=32587DEAFE82ECF5491A6257548164F8F096BCDB247C1B531D49C42C0C34E82F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WORDREP.XMLMD5=EFA610B5933A322FCF6DEB8E8B1CC601,SHA256=CC37505CB80BF8C22B87FE22ED23689E54A70103A7C339945F656C94191D86B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WORDREP.DPVMD5=38CE01DC728C8AD8BCD948775E668EF8,SHA256=EBF350E3BA1D98FBC1B4D8E8253ED0C8FF22001EE9DA7AAB31365823DFE1B6B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WITHCOMP.XMLMD5=EC3C551AB673A15CDF6494ACB2E74096,SHA256=217226B48B560036202D79D3BA25FE6A8CC1D17B48496D4E4B6588DCE1FD4507,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WITHCOMP.DPVMD5=A7A02C293B3E485D423C451BC067D261,SHA256=EAEE239FCD5AC42CB8C2751A01E150ECA688C6B17534CE9931A747928DE50261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBPAGE.XMLMD5=1CA75BCE3CC678BF65A9291FC63B01F7,SHA256=EC60A1DACA7ECC75232D96AE9FA8B4FD34EEA51C70A93A0DBE484BDA1FD5FA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBPAGE.DPVMD5=1A378FC8CA972241EC041CB3AA8790F7,SHA256=124FC537F82D4072263BDF12ED53795BF7741E3B0AB484799E8F5D44A3EB0F50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBLINK.POCMD5=D10EF1E62EFC87AEDC9CC80035AB2104,SHA256=1548457C7ED33E4D8A9F3B195FBC1F0024DFF54A3AE6B5C01F143020EA0B0FE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBHOME.POCMD5=50701887465720708D3074BD9A9B4647,SHA256=D6121F7F9BAD6359DA820C8F6832EF338801DBC87D7138F79279EE69790E9C76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBHED98.POCMD5=1569FEF0F156DEE83051A47A07096CB0,SHA256=CD4337E8B9CED337B59A7D7DFC5CD9D59963BAC2536B28F6A0EE8B6CF66FFF19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBEMAIL.POCMD5=34196193788981FB9DCE5D90D70E4C63,SHA256=477953119BD894AF52E2D3591D367F7F3A23CB7A80BAD02F6747931A79E35F99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEBCALSO.POCMD5=8DB65B3B4E1A6D8E33A1734CE28E8A0D,SHA256=74BFFEC39EB73BEE91C35A8BE9D63D63827EF897689A50DA96335DA95E2FAECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WEB11.POCMD5=66AA4022E2ED02A514F730A3F3893530,SHA256=73312280A9088B9B23B8A557251291E1366D9D4283C04B56B836964CA7CF4C93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\WCOMP98.POCMD5=F6F0E51293A3899811B2A69E983E7928,SHA256=B4ED3D2117FF3942E0DB6089F146A76BEF7FF0B64FAEEA9DA77FB4188C083B08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\TOC98.POCMD5=DA8EF320EB94DF855823C96FABFC4177,SHA256=6BC4BC3329740B32F5F165A3645A0F2475FBBEAAC860F5C5034D6896F0DDD2BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\TEAROFF.POCMD5=FB451743BD6152F5058EFE16E6B86B2C,SHA256=599C8733174A44045A0B5568FB0C9CFD93E8BB6C0F3E0911F3FD5D959E367A30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\STRBRST.POCMD5=915FBF1C2A0D10A8C61440F02F9FC379,SHA256=B0FB0DE891E7D714A9DF37497D8622177195E6B00AD5DAA9DF3959C84C418E19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\STORYVERTBB.POCMD5=04A9CF532C55AD45A658EB2C83F2A81F,SHA256=457DAEEE92BB597747185F583E0A102C284C40E823A1954A12992282DEC4ED55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:26.014{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\STORYVERTBB.DPVMD5=9368288DCEA5DFDDD3A67C0F4340C99B,SHA256=FD4AC2E111B5DB7199771FB5022688DE7ACF50EAB674ED69BBF778C467C27767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\STORYBB.POCMD5=97C71020EE2ADC6F785155E68EF6631C,SHA256=216D861F8DC0F12294443D9C0ADF68D2A2AEDBB6C5DC366217BC801ECA883683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\STORYBB.DPVMD5=987D9DADD614CD1FD79F8D9336260CC1,SHA256=EF44765950B4C4EEF99FF5B15BC71407F251FB4B174E9AD347605B0736F81105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SNIPE.POCMD5=749FE47E1CB73E74AE8BB90156E20020,SHA256=41577BF40AE6276BD1D31A3E5446600A7EDE86CDA07CADD2A94FAE0B415BA333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIGNHM.POCMD5=A5BC049AEB56A07FDA9B494276A8A4CA,SHA256=E9CDC04CE94F2C33240971551E818ED19AFF8FEE3F95AEA41625C58C23AF27D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000328694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBWIZ\SIGN98.POCMD5=2F03986F937ACA11FF0832B969B6307B,SHA256=56A61FBCCF153B20673B5246E9C62016EC955082CFB77E53D6D7B94E75DF067D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings7.638e1b9a.chunk.jsMD5=3E70F8663D8AB79F66D1E5C992C202F2,SHA256=E13CC553AE1DF344DF2CAF93CE51B77D9C39D84C4DA086A3C3F4BDCD80B7BFAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings69.177f76f0.chunk.jsMD5=D54BBF24F699797D43DE5221A2360F4E,SHA256=0E63229D409554FFC3E5045BDEFCDEA73B85548FE2898798BA8EAF6D2F07E9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings68.f11f7e3b.chunk.jsMD5=B952F01DD9C53424A8CB5A8BB63A7934,SHA256=C7203480A294C4DFA3E018898158ADD48B52A043CA53A0EF20291ABAB201E275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings67.7271eea0.chunk.jsMD5=1F924A3F202DC55A4C7E84F3D877D7A6,SHA256=AFA5F40C3EAF6AEBA0FA74F7F9D4974160695DBA758F5736102985B0F90FC710,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings66.6f96d0b7.chunk.jsMD5=7899AC9B93CECD9A02CF9ABE55B00A8B,SHA256=53412DBCD8C8EE56A6CA16262381EEFD736E7427183EBC27B052786E7C09DE6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings65.2bd42c0f.chunk.jsMD5=44BED0B37C0CD2FFF78EB0FB51BBF693,SHA256=938A45EAD23006C4522C8382D1EB514F31C7ACF19D37093EE84A83E2DCCA1076,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings64.cce90dc5.chunk.jsMD5=4E94382EEC66AAC598DB04FD710578B5,SHA256=2EB01C195F5ADA522A6443D7F8657210EC2327B1A74CEA574BF100A0424A0CAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings63.3feb7f1a.chunk.jsMD5=ABC7F88370EA70FC36A21C103070E4B2,SHA256=5844795EA24D4F04F7DE79A7B9594053AF7F79AA25184FD4E8FA95EEE160932B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings62.4abbb4a4.chunk.jsMD5=C38B1F9649502DCCE4A39F720081CE65,SHA256=5190BC44FC946EA21CD9167E8A64669C3CFAA27C6206562F2277DF8B7BC98503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings61.53ddd599.chunk.jsMD5=0A512844993D490D09531D9C66A34462,SHA256=05BDD54264D453A0703A19D8E0E180FB5DE752AB9948CBE9E772E172FE838FAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings60.652138fc.chunk.jsMD5=2228A9D96D7AA155415751FD0E588ADA,SHA256=74EBC24AEBD5480D6A58FE5C00751B18FF8BC6792A745A081B68680F3488E801,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings6.39288ec7.chunk.jsMD5=A1A0BBBC787BEA25BC9E96B6B4F60DB4,SHA256=2F47618A263C2B526C08C21B3476EF638861A93AC606579E0343943F6DBA6151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings59.00d1753d.chunk.jsMD5=138FDC64B581EA10E4F6D7500299B521,SHA256=750873FD09663C3FDB673EE211EBE2AC30D49CD374DF28AF1073B1C8B2451DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings58.9e305d2c.chunk.jsMD5=D32B703A9D6D0FEAF9631BBF2E0CEE33,SHA256=8EB92D179B8F57DECBED38FACCB946630FBC4E22694B6F81D8C69117B38A5E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings57.a2df6d97.chunk.jsMD5=0669DF31BBA2F53E8F9E70AC37985D4E,SHA256=FA2B697B674B92D51C05C028A557486C189C065C768C70A54BC3E0371F8DA561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings56.4c6f4341.chunk.jsMD5=EC99B5C6A2E2DE2901CF8DF5F44741B8,SHA256=777FCAFC26E1FC43CB5A1120C518689688C57652398147D0E12C3422049ADDD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings55.9fef1947.chunk.jsMD5=537450E104BEFEE784823EF3EE38A1C6,SHA256=1349DB5AA8F7B9B4E4D921CF6E34189F1640EBA7BEC1DED9CAC96C44A9A8BEC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings54.7f7565fe.chunk.jsMD5=55A8FA21580F670E7B6BB7E527F1C76D,SHA256=5849077CC0BF0E41E1CE669CC2BD14D1245BA1D4A786E75EEE8CDC7336A7B812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings53.727cded7.chunk.jsMD5=E51F97E78A1453F1F1981117C6259DE6,SHA256=B2B3FB1EF66F67D475A8D40D0EA87DA3571929AC009999357C02F6253A68D286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings52.ee0ac3a2.chunk.jsMD5=71C2CC2B9554C143A35303E4B8317B1D,SHA256=1C77CA573F2430EDE0AEE544536396CAB7AB5030F5DD7982E32788938087F3AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings51.6a56406a.chunk.jsMD5=9B3A18289980340C2AA5CF8F2548CA79,SHA256=8F8B83C8D88FDEA689E0FE827A62BA7EC025677640CDD510DC032D0EDE85F9E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings50.0680e42e.chunk.jsMD5=23F4106059B196245A85C6980C3C8188,SHA256=14A566EFFCA86CBB06E95D7AE5E2B9773D9CC2E3B50BDD05F797F82537844D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings5.56db52d4.chunk.jsMD5=DE65474C9C73E8B9779DF8D221B9E146,SHA256=B53E8BA9BFEB8203996085CA1B247E2AF79CFB8D165A150BAFFC7CF38A1A0D43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings49.26dd6e6c.chunk.jsMD5=14E87857A05DCF1EBC210F60143B5C66,SHA256=8C5CDF5AD198D614FB0D7FB369CA5A93BD2CCE017828227B210833587112D1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings48.dd07a755.chunk.jsMD5=409FCC9D347893FE3AE98623E375CA10,SHA256=0C569C82220276E5C6A145153B8D236DA0240D0143C9BF933FCF54722E5E531E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings47.9e509ebc.chunk.jsMD5=E406E335E7AA48A6464053AA65B3F890,SHA256=444EAB9A428FD11CBC6642173D77A5210571E3CFA170219B6E1946333F363CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.977{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings46.624c00ea.chunk.jsMD5=2D9D986BAC0699BA22054D41B1C2B810,SHA256=C4DB6632B193B7F4152BE210472090FD0D10C7CD495F9803DFAD530C87DB3738,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings45.581977df.chunk.jsMD5=EB4F0405C20CF6735FF73BCD5DD17994,SHA256=D8E39E48F5EBC33D7ED6DB6A2B47F80D9747524B16C4D877E81E0AB6653BDC9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings44.4abf1c47.chunk.jsMD5=FD5763EF3E42BBEAAAADD82D5FD71D54,SHA256=39722280A77B7EFDB2F33144BF2ABAD3DE070C247B63D47985CDAC6E1EFC2809,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings43.03350cc9.chunk.jsMD5=38266A93F2600010D8ADBBF313993F02,SHA256=D784C75707E97675A0D7394C4172ED9A64ABB3DA395C83F534E9ABCF3159BE3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings42.5c2c0655.chunk.jsMD5=9A6FEF530DA63887073C3B9BECCCFB06,SHA256=814AFB9A406F5A848450A0D4D2B0A29968A453F4916D2388D041D6F1B23A68CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings41.512fcb3a.chunk.jsMD5=152DE36781118DD6665860214AFE3290,SHA256=DADFE483B0521E630D24FE6D4512199D0D39279F9626151A78E12A6FC5475145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings40.a3cf5420.chunk.jsMD5=6D2ADD42E251BE0E2C4E02992E072BC7,SHA256=079E3DCAE4B7D147385E5020FAEFA0A65BEF6714861EAEDFB58DF7975CACA316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings4.7c3978c3.chunk.jsMD5=03B7BFA7E357C3658CFE0FF20C36BF03,SHA256=446A9372B98EF112E0C15C5DE0A7A0FE5485013457158DE456BD760170AF791C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings39.c2916d05.chunk.jsMD5=AC77E5F3DD1DBF81BF0B075658C9EE1A,SHA256=7C157D808CC877980C71CB99A0E83E15481FCB3585712730A4D8FFB124F4F212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings38.d7ace9c7.chunk.jsMD5=7165AF5A138034B792B6AA2B11FBB717,SHA256=EBAFAC14BF9AAC1A95B49D4E5576CDF6174233D393BB64418EEF0D08853CFAB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings37.abe514fc.chunk.jsMD5=0317DF6741BCA7467291D1E95EB73608,SHA256=BCCB43E2AB73E8B7D08BB8C0EAC81EC2C7B513DD5DD5C1A40AF02B2FC4D0B94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings36.f1df452d.chunk.jsMD5=5E1A3E2387B79EA0E463AC275499991B,SHA256=17627707A9050BC062DFDCC74790E7475657ED25E699A5A74192BE092F9692F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings35.ce8269be.chunk.jsMD5=1BE8B5FCF2AA84AB27171031A5DA78F2,SHA256=0FEEEAF404228084E1CF66678657A0AE8969B9FD1E69207531A4B8F23FE050DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings34.cd60e4dc.chunk.jsMD5=C62E083ACD8FC50F7124606A89EDF204,SHA256=5994D05433EC38B2BDF70AC9D040A8563A9132633D6AC3EED7DC37F7572FF8E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings33.5baada47.chunk.jsMD5=3F0C5681100DDBC026C8D32FAC24C6B6,SHA256=E7B799140C09478A4666111AF508FBEF46E64035449BDDCD6B7D09DDB690A58B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings32.347f763f.chunk.jsMD5=3486E6BB8849E63F1122AB57B1F58FEB,SHA256=BDFC54739B23D8A01E4EAFF310495ED090538C63A76937B245E975DE9DBEE0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings31.934c5a77.chunk.jsMD5=13AD98CDC7E0D52B50FCD701B69E7A2F,SHA256=755E232CADF5F858E861A953C8D14E118BBD19ED66F3C83848A0A74B2C6DBF69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings30.041c7380.chunk.jsMD5=AEABE07D59021D3E3A91432453834872,SHA256=CBCD26A4E0ECE15B1838D4388D7E923DAD197A488205A4BEF1EC3D6AA7157D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings3.baaa67b9.chunk.jsMD5=EBAFB8EBB6E35A6C06F4B110585EACE9,SHA256=8D935917971138067E17E19DFE8F6426C52A31993B4F50AB6A3CF4FD3A1884AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings29.c4f5f527.chunk.jsMD5=B6888991217530D23B737A210AF3C519,SHA256=BBD0BD3BD01911C19A15FC93F5AFDE64B505E02515DDEED623EBCB25F44DAD82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings28.da30f60e.chunk.jsMD5=A090DE60A9954F4BB3593953B44AA9AB,SHA256=58475D2387200F50D8A8DF6225BEA66B8D73F79B1B96AF619516989576D0D65D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings27.05c4eed6.chunk.jsMD5=7D9C4CB43FABB88EA78BB57DC946D480,SHA256=4C7563B66941A4028E99C8881A0C38169DC689862D3ED767ACE7DDA7BAB98A4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings26.68a9eb64.chunk.jsMD5=A34B5259D13193DCA9EA3F4C54B650CB,SHA256=02581EA80B1C1BFD53159CA50377B583D2338A6D8F6954E2159E96F1CA867609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings25.04bd1c3b.chunk.jsMD5=B5C9E9B007A186C4C88449F1C109D5A9,SHA256=085B5A23CEBDCF63F3D3CF864D59A1D87FD3D3001D67397CD13B1D496C36AF93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings24.8045ce8c.chunk.jsMD5=CE0EB0B00D69325560138267709781D4,SHA256=0D13A6AF9814F8AD32E1C2025261B1CB524C13634CD8B63BC8B59142A6F05139,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings23.97e550a0.chunk.jsMD5=107FF79D093F197BD177A074B5847E63,SHA256=15EDD91CED836D5B8BD4869C78CA137B4C8B2F583330D11105219D257A7B63CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings22.26964ad2.chunk.jsMD5=7B50FD11CE30209675F5D66F4182A19F,SHA256=A2097FAB79F14E3E1EB21851E61779BCEE2E346DAB7C1232EA8A17F8BA1B5065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings21.529f6258.chunk.jsMD5=9295FE3BE1553649ECA520F2E72B205A,SHA256=56EDD733CCC4D03CF43D755574FD302434694D82265588C85BD8BFE09F748827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings20.97a1a201.chunk.jsMD5=9C23D1C44DE7D83B2132018ADFF2BEDC,SHA256=236452D00D46837C1FEC349DE64DBADAB8C849E1D5E2429BDA1768C8B646B7EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings2.150807bb.chunk.jsMD5=7690516BB28E6D27F2A41757ADBAABAF,SHA256=0639F9591DAA71B2C09C40323F5672EA6F87C3ACD63FA76CEC769AEDF6A1D825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings19.5098e4e5.chunk.jsMD5=9037C0E46FCCE84320813BDB56873ADD,SHA256=348CC0FF055D28D4368F783EDC51C38D5503FFD3E00EAD12E66E3853765F3836,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings18.b9df6bfb.chunk.jsMD5=9B35A8AE36063482607872FC4FB4AB49,SHA256=50C87EBC339DDB1901210E8C3A8C7767BB4D2D0AF5E5304D6066D545661DE250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings17.cf0526e5.chunk.jsMD5=36F27C02BD65938D316D25A3DA6209F0,SHA256=A5339FB3DA96F44502CD7E6EED83ED716A819B0B3BF96F2D4E78072978B621F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings16.d2507e29.chunk.jsMD5=8C794C60B6A10D8C7C591011C2DFD3A3,SHA256=D001E34590EDA07E86979FA974667C295C92F403F06E456EBC086E6470B13D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings15.5672bc64.chunk.jsMD5=64FE745186542AF900B52B814D77DA0E,SHA256=0092B89B77CF034D3F8F8D2435DDE17ACD3BF260CA5642C09511B8AF9AB93281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings14.32a2e25c.chunk.jsMD5=97F7C5358BDC6A659FCFBD5A42B2AFAC,SHA256=1BABDE2A01584976C7A4704C9F205B23F3193860CCD94A8D6737DB3B21816430,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings13.52d071aa.chunk.jsMD5=5D67834AD7E7337D55B94E032C52E8E8,SHA256=F5C14C07009773617701AD37192D8EE6E058153B0B3EB651F6FD7D5D61BE02F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings12.34fd1457.chunk.jsMD5=64C99A1F9F0D497B0128727A5D9181BB,SHA256=CD1598CC1F269ED86ECC66B6F62CE45DCD6CA7F9AD366E12AF6C7C8043E691F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings11.e06cf772.chunk.jsMD5=1C6BD38469C268DBDB3200B995133A3A,SHA256=549E22D6C591E45422A85F26DA750545D06A2069C9CA55841E6FEE1350F6E8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings10.af3a0709.chunk.jsMD5=7ABD268373B414802E41A53E5559652D,SHA256=4977E6AE16068EB0A8D068F70C79E47EA3721CC58327C5D24E02D97558FBBCB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings1.581f1efd.chunk.jsMD5=FE1847F0C56BF9C7C96CDAFCE2481186,SHA256=CF8933D07CF634483EBCED853A6C203700E3190EEDF8A7A1C67D267F7063C5C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.946{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings0.e283515d.chunk.jsMD5=EF5EB2C970B59BDF06381525AF39F8FE,SHA256=EA64C373595A7A261AE4C876F3A0E22C72BAE6097D08AA1C12897C5247FF44A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\FluidFramework-HashFallback.af775831.chunk.js.LICENSE.txtMD5=7558EEE8A78FCBC7E5FC6614055D4989,SHA256=0DFE60E0EA98B0472C47DDD8216E4FF51AB0057558FCEE7E6EBC76F86FEDFC1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\FluidFramework-HashFallback.af775831.chunk.jsMD5=2D3AD9739C2AEC0BA65884FF530F5311,SHA256=974F030875B4BAC454F3F76BFE65EB7E9341A2BF649685FA6D13C027031F8D74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\catalogCodeLoaderFactory.3e79cbe7.chunk.jsMD5=CEC4E1002F46531F40F246D1BFBA66D4,SHA256=3220C7FE1E44EDE4920E516C16BC960650D161593D3CC2C4D04F38DE2C10398F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\4.356cfef7.chunk.js.LICENSE.txtMD5=C47FB89F944FC413937F1D857DF6495A,SHA256=168297DCDEF5665E04D02B268FFC0DDDD7D99D2F74382A7BAA0590EDBECC6343,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\4.356cfef7.chunk.jsMD5=41A0555E66695DDD7E071009F992E159,SHA256=A1935B61C063A8F6ACD38EB1AF9CC6B5F64DDA9649586706F981E497BA73A99B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\365.c0f29028.chunk.jsMD5=A20AD7F6B38BC35501F2DFC65C7F8846,SHA256=927401701D83BF2ED794043013E2E249359ECAE6B2EA83AD35C42E402E469849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\364.eebdb004.chunk.jsMD5=C8E8ABDD73F4E2CC0C5554121A8081D1,SHA256=27821FDEE02968A33D6DCDC542670A672946DA2C318B0E92746B7959CEA08797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\363.215980bc.chunk.jsMD5=57A8F3308C867AF0C743696EA02B2DFB,SHA256=5EBCF52006F3D7EAE3E6ED756510CDFBDD676464D9D6C78464AC88C57BEBC757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\362.1ed3a4a4.chunk.jsMD5=7BC55565789F3B2AF4207E5E32DFEF6E,SHA256=F64427B21FFEB1372F65D657EFA7B4932D25E2B30A5F56905A45ACF687E25847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\361.5c31117d.chunk.jsMD5=E864D52353D73E5D30294ED8C652A969,SHA256=EA5670493CEC031C73587D063A222E805AFA5ED33C86D0D5F795E4DA1B58996F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\360.135fb846.chunk.jsMD5=0458887C102C1BDDA0338E207241A590,SHA256=E4F4DC8CAE97E989D78151B1F49B87E92A9A2B8CEED68C256DAC5B6C1456BF94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\359.0e5caeb4.chunk.jsMD5=419941B5BB0FE071034F08EC542FEBAF,SHA256=81EDC2787CE045B24FA0B1BAA0746695CFDD9A4894D6C340CFBFFBE93461001B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\358.0ececb54.chunk.jsMD5=F26A279232C1CB48D7F30A2662CC89D9,SHA256=725B71BD06E36979B4C2EA483DE1A7147D3E85D65FBE046308244DD20CFBEA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\357.5d52595d.chunk.jsMD5=4021096F442D13F1580BFA618C66CDF4,SHA256=FAAEBEE74D5C67623F26BD4BF70BB59A802BDC6F63B72C76C166CB54072DDB01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\356.496918a9.chunk.jsMD5=D78934537D9B75DFD2C6F074E26C28A7,SHA256=0F3932ABABB7D2C55A19F72CA2DD5B85433BE276AB3347F137BA6FC49BEA0E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\355.ff0c6a93.chunk.jsMD5=6C854842AAB0BA1359BE5AE12CB0F0B2,SHA256=B003CC461ED38DDFD5E37C3445465D398E2E035D6624327E72072A6716346F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\354.2bbad41f.chunk.jsMD5=6AEF973BB1180DFCCAA85A3F1D34378A,SHA256=4229BF0E5B3E4F0C7A12F5D4E95F29E37872540821C68467715CA1E4CA691879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\353.9b4dd348.chunk.jsMD5=6026A752E34C1D88F2888978B3E9B526,SHA256=4CA4019FDE4C7BD31C8C0057D025066C6696FC2A481710F64F20D788D068987B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\352.9492c9d5.chunk.jsMD5=CD23F10CD12549E57F9E997E23C3831B,SHA256=5E459F7D8707D37C551AD2C2B3BB8A5B9A493282931A8378BDD1EC02CE6A5E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\351.c2e2ed91.chunk.jsMD5=C93C3404CA79929FB09B76D4E890DB7F,SHA256=63C0E301A50C26DFED444115C7FACCBD3BAC9000B887AA1E86FCE7443572346A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\350.10909431.chunk.jsMD5=574E0B515B2D0588AEABA2D6C091EC94,SHA256=B4B50E7D79F36CF56C0CCF104ECB1C848D5ECBE5D6F093BAB45164B4FC20B167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\349.873f5839.chunk.jsMD5=AA1AFFE338E2882790F02F13CDA37E10,SHA256=A79BC92BBF3A7D2524D91B4AA7E0134ED430FA0B9E73DCCC14FE3B80C9E008CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\348.e27eba70.chunk.jsMD5=7ADB2C8D0C7CC56888F7F5A45DA67E7F,SHA256=70A9E2A51AC2686A1659562749442507A547498AA6E6E870AA448666AFCE90E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\347.607f5acd.chunk.jsMD5=38BE7BA241862548FBAC3BFF1A3E172C,SHA256=0395D61C2AEB573B2FE3D5A934BE6D21CC16F2130E5FA1167A5E9F4789968CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\346.dafda669.chunk.jsMD5=A2104BF6460E9A152507411E3999C4C2,SHA256=2A2B3FDB4C4A8A6DCE8594036B252A5D37B0B03505CF798D022A6319A2B37CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\345.7d903a42.chunk.jsMD5=6B5071CACEBAD6DE73AF37FF516C70EA,SHA256=1F92DC3EC8B8AB28231700D0D0A7601A195579A9BCAB4BF33318BFBBDF7DBA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\344.5bbb74cd.chunk.jsMD5=BA070AED89F49330985930AF73D30F8F,SHA256=F107913583FAA64158F78F6142855C48007B6B209155EBA702BD7E03D1E0FBE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\343.029870d6.chunk.jsMD5=23C9B384CF91CA92F1CF6DEF2EFCDD11,SHA256=5B9FBDE88DDDE649586E4D459364880D0BCDEF650AD43A0AB8210CB0AB378CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\342.9829357d.chunk.jsMD5=2A7AB3C7EA4634192819F91DC582C0AC,SHA256=D5EC4AE34E95EAF7173A35240924C6063B13E49656F8B3FD22FAADCF13DF5588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\341.925885f3.chunk.jsMD5=84E83BEBED08DC4AC9A587049735AC86,SHA256=7588CFC9858DB27440C876D5E8A2D916E6B0724328A8F433CC3D50551B767A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\340.3fddc9f7.chunk.jsMD5=87E1676EB045545E92B35AF4AF3738B3,SHA256=1327C368F0CECBE568655B66E9810D0A44034527DB2A54A6DD0D1797FE91EFF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\339.6cace5e5.chunk.jsMD5=17D248A4C7A02CC319DCCF04726804F6,SHA256=F1373747A427B29B5F771262E262025CCDE55A415E8B5FCAAECE0E4A929722EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\338.ccae00d7.chunk.jsMD5=B46E6B916EE8E1F3A12E4E1BE20C4F20,SHA256=8B64CA366CE1439D3976F1F1BE32BE36954C8F0EB3A73EE85DE27E5D10434BBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\337.b41fabcc.chunk.jsMD5=294703DAAC0A61A76DEC0ACBAF588EB2,SHA256=C31A8B6CBA200BCF1E46CCCFFCDEDAF0FFC9BC1DCFCEF0999DBF21E983A31861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\336.6e63b85c.chunk.jsMD5=1598139396ED2EEDBC84FFF9219E2E2B,SHA256=56569814BEDD3A3F9F8ADC090E3348868835CE2B19587A4A67AA2306CB422D62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\335.ac484a16.chunk.jsMD5=77B9242BCE74C713880B68D0BDA2E42D,SHA256=F6EF6BD5B18B7909A5A8ACAB27E4DD93DD52C644C49809466FEF0FF359612A80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\334.2ba7721c.chunk.jsMD5=9AA53BCC2B7E0C3E4D19C38C763EFAE4,SHA256=9DFB92B978F518B57FDACB5E864E0C3CF10D28463AD98C7D7A9F670CD9A63C6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\333.9f83afba.chunk.jsMD5=2EE098A41318D8FF2CC5C7180C4B746F,SHA256=034C916BDD40A9A576CDF03A74872BB518484C0C21CE65EB9CFAB27ACE66BA81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\332.90425e90.chunk.jsMD5=768CD2CC2053FBA6923E0A894B65E597,SHA256=E15FA98997F96559D1CF0C95137196BCF5CADE7A67FB84FA36415415BE2DF7EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\331.3f5c917b.chunk.jsMD5=EFC700AA41B579AFA877FD6E1196AAB0,SHA256=76A3B2F9C86AA18977532BD944F5570B0439EC960289151216589DFE84FA343E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.914{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\330.71cb5e34.chunk.jsMD5=350E174DB14C1AF44BF9335FAFF25434,SHA256=7BBE5C9D824B5610CB4E8D056B69BB9F700361998AC9C114BECB896E24CC064F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\329.d77ad984.chunk.jsMD5=573CE406D8AF48C40D2C3B1931A836E0,SHA256=59000E901DD058EC36CD436B39454E81C2FF6F9025472E39BF45CF0FB6B27ECD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\328.64c5ebec.chunk.jsMD5=8262FAD3A6F525D8D39AEDDFE1FD1887,SHA256=AE239D07B5CEE07CBFA353342F9118E3154D9B7ADC3EB85842271191B46F552A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\327.80e37f67.chunk.jsMD5=0F500108A60B4C783565B5F93FB9E4C1,SHA256=B23439F4969259F624EC0DCFD6A851E3B274180798AC3CBEF1CEE35FB48C2513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\326.6fd5b9fc.chunk.jsMD5=C75BB81B758BCDA1F6E69395D8A07FD5,SHA256=922925C8C9CABBE4744D8C7BFF5F322BA0C7EA6B77C72D2A41C1DB0E208539A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\325.6ac5a23a.chunk.jsMD5=692A1A757116FC26BD5F222AFE96F780,SHA256=98630766147AEDC219FDF2F2BB08162992D4478F4C26C11B4E76FD835FE3404D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\324.547c31a6.chunk.jsMD5=9304453480DC3867AB811BDE603DFFD7,SHA256=B1433C0B33C9F0676A1248B591B8E265EFCCBA60E97174F79883360E1247E3AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\323.77886d3f.chunk.jsMD5=BEC8DDD3E4659F4013428110A458FED8,SHA256=B0F44D146A9FA7FFC7FEF11791B83EEEA7BD43989B2830E561887F01FB187F1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\322.e089a492.chunk.jsMD5=B22646F4CDA56ED025AB3C539C774FAC,SHA256=A5B4187BD27ADEEDBAAAF6D069ABCAC3051668FDA66BACD35FC984CAC839777D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\321.74e0dd6f.chunk.jsMD5=89B34B39DAB6B594DC20BC7E6D4E2027,SHA256=7DC3D82CF559A7670F89FF0A452E143B81D5264EEB48FA8A2183B823DF5B087E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\320.91ecd8b7.chunk.jsMD5=93646A53FECA27E5B1B5416DFD5F4F11,SHA256=62171F9D01B0214F674E3F5C7DB1275D83F9B56571337573DD0747AC11A936CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\319.25b9c7d5.chunk.jsMD5=CA0B95869C2493EC966659C510C110B6,SHA256=6FF1B26B486CCA8FCAB57B1ED436B28FBC290DF20BAAFF1D1573E117D732524A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\318.6ddce577.chunk.jsMD5=21FF756A822ED0DA6988FF0479695B7B,SHA256=6C3D096122C8661DCE104F8E094F29B86E00C3C16BE05EE2FF0F63CA1A78673E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\317.b68589a1.chunk.jsMD5=79F725DC5AE0A23BEF4F1E5DD69D791A,SHA256=DAEFD9E88636B1440899702FC140439CDBF028DCBE8B619C9F4100408CAB3C03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\316.7d894b53.chunk.jsMD5=516F00CFD4FCBF946C20174949D834C0,SHA256=9B1066F31A541C6C3A02FC4AF152E307D9FF1C5B57E47FF1CD89F20FF1F2A81B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\315.7e6dc1ec.chunk.jsMD5=E611125FD52B0E752F1DB044C6E1BCC2,SHA256=D90A62D6F97BA2E15A75E9FDC3A2146FF21D22CE8FB6E0D6A49560453F46AAA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\314.21371787.chunk.jsMD5=B92BE4AB815825FC2F6972B770B2CC6C,SHA256=14C486137C3DC9516856F4A7C4D1F0D9225E2D1FBF5265F17DFA78F7B6A7E10B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\313.3a114b37.chunk.jsMD5=D25D51BE191335506DC5DA6E94B1A837,SHA256=AAB9A1FAE43D2FEEA47626551C167F365E59E0146D3E70634A92169669218139,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\312.9a5c6ed9.chunk.jsMD5=00F25D9BEA0F8D755E22405E3EC5D67D,SHA256=94DCC99760C93B4FF3949BF48D323E5289A97613353B5EA440AF8F8998FA8EA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\311.a4f3f4eb.chunk.jsMD5=8C788B16B9ACE892B70E93BEA60AD245,SHA256=2E723F6D9A3AB1CD66E8258051017AF6152828A5F00EF246E4A034F5D1E74CA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\310.7ff856be.chunk.jsMD5=9F9252D378252C29EEF22F709F7C29B9,SHA256=C130F1E81606985C9A53F98236235AC1E180E3D0B2FA769C0522FA188684B269,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\309.dea70c7c.chunk.jsMD5=1BAECEE07A06176E2AB8F6DDB93DD2C3,SHA256=299DD9A20532B445332996774410CB452BDDE2A244FFDDFD248B6B1B85869E71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\308.ff594ac3.chunk.jsMD5=612C0BEBD70DCDEEFB3BBE368DB3DF19,SHA256=45C909453C472CF7381B21A699336DE97DF489159EDF7C9E2AE34240CB927147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\307.d30671b1.chunk.jsMD5=BEBD5155DE266E5636E0B33890505F5C,SHA256=805A4EB4C88997F745CDC0970783364442B95E8C364CDE807D24D9204E9AFCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\306.d5be6e05.chunk.jsMD5=C88706F2D73431516165AE86024C8F53,SHA256=FD65C5F40E65FB2CAD721B509CB4C79373786D6F9F01502CA539DE75AC667121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\305.250f68a4.chunk.jsMD5=A9183D6A592E33760BABE83CFA34E012,SHA256=4F1161BE6AA5E7F57FD465F56F4DD7FBB20BB43A1DC217568CB1E35B4789599B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\304.d9c3c1f3.chunk.jsMD5=6688031E1DB3644E36C2AE9AE9C0A671,SHA256=AEACC24CD687E70295DD61F50E14680F252A75549715817372A4CC6D45F0C7A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\303.34930e29.chunk.jsMD5=BABF12BD344EFD3AACBB2C0042D7086B,SHA256=8FC244260058DD78EBD2D15CA5C26C7A9FE4457A7ADD71DDF03A2578BEFB361D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\302.82402d09.chunk.jsMD5=2170D81B79CC8286B0F70E993EF25FCC,SHA256=C21B7D3233E30865D5EB68512F2779E9238AC20DAEA9FBADC4453BECA076C568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\301.23b0a2af.chunk.jsMD5=336FB2548BC2AE79C0E12A25566ACE16,SHA256=3F0B5C86C1217EBC7977FBF2D83FB40FE253D8894DBD1564B47D5C4C98E1D4E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\300.eea865ef.chunk.jsMD5=8BB30A5053D557562597A7E2F5D92A24,SHA256=4B57BD055E2A9B7E96365A42AE0AE69F7A23A819F82AEE645E797F6E6D009FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\3.95bc578f.chunk.jsMD5=0FFBC56A83103C057050944ADFF0F782,SHA256=CB29FDE9F32A030B645703A3BF6ABB14C5699AF967086AB20398A45831BF3C7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\299.5a86aca1.chunk.jsMD5=CB23A2C7E0BF296FFBFAE3F8619AB898,SHA256=8F7B0877362D626420087C9685BE044511F2E55F8B3A726D8AC2622351DCBF74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\298.bc0fae80.chunk.jsMD5=A74EA803E9940DC2E10BC27F585273AF,SHA256=C3F5A50E0595ECB8DECDD3E49AA58FBD4BB218453933B4F185065209D37CC285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\297.1cbd7258.chunk.jsMD5=C0080874144D6735DB713D24F4055356,SHA256=65C2ABA3947F550CC0538FB4D74ADCD9B2D4B3BCCB2384CCAB34DF000B80EE2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\296.fe50c9f1.chunk.jsMD5=03CCE637C3A0B2AEE4FCFE1701506EE7,SHA256=26260A94667FC1AD2D6F3847EF9B1CFF2EB51CF74CB3CB29E282666B118BAB41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\295.991892d5.chunk.jsMD5=EE4EA4C18702766E6A28A826ABB24CA0,SHA256=9D53E0456AAB3476F17297ACF69E652358BD29AD18B0DC09E6F67ECCC03356B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\294.088861cb.chunk.jsMD5=A1A5995F876B8EB1CE5088208F4359FE,SHA256=5EF3E42130239C5B1D5DB64EF96611FC114082022740FA5CEBE64B9E6B10EB4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\293.9c543096.chunk.jsMD5=C9038E2924D633B523756B0F021701C5,SHA256=9442D9BEACA417A696FF9D0A3CAF5ECC8881F7A1E022027C8668F9266AD482F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\292.e93e449b.chunk.jsMD5=E922F49716644C4804530F3070275002,SHA256=684C5F83E888CA0B39FAC8AF75AE586898705B9DEFC79E4B5045641306EAB013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\291.f02b5840.chunk.jsMD5=AFCC39FC3B7E487FDC625831432F6BCD,SHA256=CA0A03AF7ED64AAAE61C0C1F8D6F613134DBD1A937CC9EF65CC86CDDA9548C6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\290.5429c2fa.chunk.jsMD5=35737B1E833F75AF2A1F75EEE42D1DA4,SHA256=47C0E1E378ADB372B4BD1EABEF5A2519660185C086D03C575BC707CED8DDBDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\289.83667702.chunk.jsMD5=1328278440E659DB95F8AD3A0F12C0A0,SHA256=FAC8875976D40313ACDC21DA25EBD66E0EA4B18F2B5E3C8B1F65389CF5EE991A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\288.0d6894b5.chunk.jsMD5=69EC238B79D3D8E1C7EF81A46299DE82,SHA256=2EC2C24C3BB768FA8D97412FCBED4351A6BC1F82DAC4D9BC4D6410DE81D93A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\287.e9ac1d47.chunk.jsMD5=A0048467535BDF18B77DF4B8B784F251,SHA256=C679EA2704C24ECEA36C3D1DC2CCC1A997338122C54ED4DDD16A335541B5C509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\286.08012bb9.chunk.jsMD5=C0911FA2E45F12273015C6FA72F3C551,SHA256=50779A40C6257DE191ED6BBFD23D17E6D8C5844CFF2F109DE30A75AF0CFA999C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\285.fa424402.chunk.jsMD5=371B0BD03B02B5C03A0A3DB59389FBA1,SHA256=E194DD7C5DADED507C6E7D55772EA377D575CC7C04470B05C90EEB32B5A7CC0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\284.380e134a.chunk.jsMD5=6DCD2C6B0C928CB57EC83FA7E95D9DDF,SHA256=B448FFB1CE45196DECAE0933E95F353D8B72165B1B1D7EE33B2EEBA1F4AC8FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\283.a2fc6fa3.chunk.jsMD5=262BD8AC46E797C0EEBA87666C82B123,SHA256=26E41A2AD7D9B2C69B5A6C2CCE7A0399CA33E2C60E0DB34690D3AABF2DDE76DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\282.27dc64ed.chunk.jsMD5=A2F4406FC5DDD0D63A5E68B4617D26AC,SHA256=E2C8D65965CBB1D39B1CF32955CDE6ABC8BA31745B4C3AF83E388BF5969DE814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\281.63afcd03.chunk.jsMD5=AD60FD02BD4D04350B4A22738F4C6E90,SHA256=7E894D6A49B5A3A41AA1122F7B78374A30564BCB310E05DFEB4C1A88E25A24F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\280.9658df9d.chunk.jsMD5=FB73D1B1B290B2BC7B1507DEE03EF06E,SHA256=A47293DC13D3905BE59051094582DA1B053C9EFA7C147DB0992D0339F60187A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.863{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\279.6d9ef096.chunk.jsMD5=72368151C130A41F12997A12509A8767,SHA256=FC4A466F1911BE603952887B5A03732679077EF3E2BDFD5F5F0FDB66115A43AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.859{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\278.fd855ef7.chunk.jsMD5=B8FCA68B7F88FEAE137B75334904BD33,SHA256=56E5E9463A50F0812755E4C1B01DE4301D7C9A14ED8F72DA81B52D626398F35B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\277.9b1c4bfe.chunk.js.LICENSE.txtMD5=849BCD6E758C5F10019D2119656915B5,SHA256=C7A9927330DB86FCBC5D48D7AEDBAE1C81459F95A952BFA8EA6819196D4A0C37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\277.9b1c4bfe.chunk.jsMD5=A630B1FD7E6811DBB8B3437595B6114F,SHA256=FD6D613A2A9344B206836C0DAFC4D6136E01BEA9FF16E6623E59FCD842B3EC42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\276.a766222e.chunk.jsMD5=E17B36E3CF0674C3A7E93F31C80EE32D,SHA256=C2227ED7D116D91A5F3E21659B40A2953C663DB3DD2F1DDA2B0EAC869A31EEB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.852{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\275.9d9d450c.chunk.jsMD5=4AB8FC03B80CD65DDF3C22F4AA7B106B,SHA256=F7C61851586CB93EA5182A052AB05AC8692E370D2B1C5AA9CD6D5F8894EF38BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.850{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\274.989559be.chunk.jsMD5=02337322BDCF7DA278DF5E12AC3C97A3,SHA256=AED2C3ECDDD14C8F304CF9236ED16A610E9C4698A6F960683CE1FE6E71D9A965,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.848{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\273.014f5a9c.chunk.js.LICENSE.txtMD5=ADADB56030877FB0B278EE2074DC9E44,SHA256=9E9D6D359CCF3C760014EF0E2C90D2FE07DC7B85BF01269DBFB84BA5F7CE2B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.846{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\273.014f5a9c.chunk.jsMD5=D9A463DC26C85913166D95985CD04C46,SHA256=777119CDD7027D40003290F5085E3EEC504D6D60F7E3463D436B71A841F8010B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.840{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\272.409bc465.chunk.js.LICENSE.txtMD5=ADADB56030877FB0B278EE2074DC9E44,SHA256=9E9D6D359CCF3C760014EF0E2C90D2FE07DC7B85BF01269DBFB84BA5F7CE2B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.839{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\272.409bc465.chunk.jsMD5=723976CE7C858E8B987038C22551DD91,SHA256=41D5BA3ECAA6415C4CF37F6E8191A2F88C4E20E769A4562071B3A2ADFD628E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\271.271de555.chunk.js.LICENSE.txtMD5=857350BF225DE6163ED47691B1D0E94E,SHA256=F7B97950028D747466FB083F418AE8E0287812526DCC056C8559714886CBF73F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.836{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\271.271de555.chunk.jsMD5=2FDAF530F6B9456286EC6233CE407E35,SHA256=C103A15BC3B58AC090182C450A3E439EB6FD65C0C49E008642F82F67C0766CAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\270.e7fe39ff.chunk.js.LICENSE.txtMD5=8471EA953D79F47A5F45FDB619CE7B91,SHA256=B785C754C5F54BC8372DC437E7C58CDF43142B7D947005728BC74D9179202F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.825{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\270.e7fe39ff.chunk.jsMD5=CFB8FDEE59BB0AF1D6B896D264C86CD1,SHA256=12D3E67909457A2FA8E0374ED02D4166A83A3067CD16C71747FF3AEBC32B6FFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.812{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\2.27310396.chunk.js.LICENSE.txtMD5=570D362D673DAB785E62D2B8563E1118,SHA256=C9AA0100A25B270A6A1305AAD74AF4343D51203116138D9293BD0367C7C23FA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\2.27310396.chunk.jsMD5=1269FBBDD1FAF66BC4F688FA60427173,SHA256=A68DEF8BEA14E59C8FFE906DC9481A2FB55A502AC51A44AE7853BAF00D3CBBD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.805{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\1.64b22c9c.chunk.jsMD5=76C4FFC46CCD4E0767AB1B8AE8A0B8C1,SHA256=1D6AB43B40CD70516704262D7E05B1FEC8A044027BF5BE9FDA4F30AAB6EF2AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.803{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\0.4d0ec8d7.chunk.jsMD5=94CF122DF3DCA72937D75D407CA5C91B,SHA256=AA6EFFE5DC6795E579FB625C9D22702C6737FB5FC2FB6B94E417479E5C4237B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.789{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\@telemetry\AshaUtils.065aa466.chunk.jsMD5=77EC3D1EDE38E43267B6301ACF5E67C4,SHA256=A95EB0500B98AAEC6C855ABFE7EDF06E40F0F784F59085F2C527585297A65586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.784{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\css\main.ee9b8b6e.chunk.cssMD5=A77172AF8373D93A0947A38071C2FC4B,SHA256=309723B5ABCEA20DBE16BC8DBAF32091E8605FDD0EAF9DB656E8F87CFBEE29CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000083\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.781{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000083\manifest.xmlMD5=A3B37FAB49109C3ACFECAC17A266C46C,SHA256=0B8D7959617730D4D9129F0DF18205549F0E8D7E7CD792A29F75481D7F7451A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.776{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000083\index.win32.bundleMD5=C0D746439DE8BEC88D0E971DD32D9B12,SHA256=B862C961AC8B15316458645AEFBF79F647B8909F60D8A8656E646E100C61C388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.773{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210111AA4B3F468F458EE177EB4F56AC,SHA256=2FB30C8B1E707C6B598722A6D3FC4C47B78A4BBD015A9A94CCDDC62A9A6F0B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.743{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000083\catalog.jsonMD5=FFCADAAB4E236E43D7C6B5E218A69BBC,SHA256=CEDC30885B74C1D3B1651FD9BB21010C7DE0837712A560EDDC136CBC6EBDDED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.743{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000083\app.jsonMD5=0B51E528D57603E7BA349C1BAA905C55,SHA256=73A522C757B5AA855D3F6BB518DA3AADCC9078B2C899619828D278262A1CD1BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000079\manifest.xmlMD5=9B58F2ADD1227687A101884595351F34,SHA256=82E31F06C6835E4CE77D92F873D917E3BAF4117DB221C85E7E6CC08866A7627A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000079\icon-32.pngMD5=5FA599B595C8FBDDCD225BC0A807F80F,SHA256=0C316674A37301F9ACD5AAD771EE33BC09488246559A0FD41259A63BFBCF863F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.740{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000079\assets\icon-32.pngMD5=5FA599B595C8FBDDCD225BC0A807F80F,SHA256=0C316674A37301F9ACD5AAD771EE33BC09488246559A0FD41259A63BFBCF863F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.739{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000076\manifest.xmlMD5=AF9B8EA2672590628ACDF636BC1BD703,SHA256=4BE998EE237D84EC03771E844D9B06C8CAF19AF9A7B1E89E3269DBA44065EA13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.738{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000076\icon-32.pngMD5=C2FBEA186D7C7429DE537EF4C729B487,SHA256=F8D5370015E6E9FA85F4BB9BB948267C0E84B2AA206FC091F64EF954DE081CF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.737{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000076\assets\icon-32.pngMD5=C2FBEA186D7C7429DE537EF4C729B487,SHA256=F8D5370015E6E9FA85F4BB9BB948267C0E84B2AA206FC091F64EF954DE081CF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.737{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000072\manifest.xmlMD5=1E1F62F9E8EEC649F569BE7717990910,SHA256=535A9642AED37DE4DB3C37A812DCC26D3574A425719A3AC4311821EA7D6A4865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000072\icon-32.pngMD5=ED271E2037E37169796D803273686C24,SHA256=92C4A357E93AE9B4BB272BD648C2288E19FEE387E75CE8C8D53232270EAAA791,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.734{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000072\assets\icon-32.pngMD5=ED271E2037E37169796D803273686C24,SHA256=92C4A357E93AE9B4BB272BD648C2288E19FEE387E75CE8C8D53232270EAAA791,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\subcenter.win32.bundle.LICENSE.txtMD5=BDF3CAF469DB19C5CFFB3523AFC1926B,SHA256=F52C2783E37A4E9A3EAD42F20E3FDDE4550CAD92A9C5926C91045491C75E8EA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.733{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF83CEAE6D3A4100440DBBDD8F259211,SHA256=319DD7EB1865F9202521687D8E4A75BB1D5FDD6D85F0050D61F8D5946D9B7906,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\subcenter.win32.bundleMD5=BFF8A9A99227B82932AEABB018852DBB,SHA256=6E2E3D23B28DFD1820FB254C0D94A0A2AF76872E5A992A4BE2481213FEFC6DE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.723{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\strings.resjsonMD5=06964D36757F949E151BEA9795B1EE23,SHA256=40DDC4E3182316014C2DA2C5F459B3C5E2F6532620B86F8BDC6D6E5DA12F47F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.721{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\msft.pngMD5=5FE8FD609BC9EFD7DECBF88656366937,SHA256=E7ACA25F45E0DD7EE6E35E7C2F67347FF79B002266948538CAC635C0F59C2177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\manifest.xmlMD5=81C60FBDA90BBC883C7012828EB6F831,SHA256=87930D99F1B762818DB984CFE3AE063865D56DA70E31ACCCE92BB1F212F7FC90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\catalog.jsonMD5=A37A3841C74DB7B24793E60E47A4F75C,SHA256=F358B64CBF2138453E7A1413BAC6EFC28BDCFAA4AC74329028E93F9D9067836B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.718{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\app.jsonMD5=481253C75E6D314C1D888EA18E624CFF,SHA256=92FFE17920BDA235F27D7D1C8CFA478F6825BD30B86BA1B575A3A8AAEAF3CEB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\word-support@2x.pngMD5=474F4F6916D949BB4E4141905AC58A7A,SHA256=3C86D817C366977DEE9845F485F0847CC3D7940CF8AF45060D353811BA8F3E8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.708{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\word-support.pngMD5=82C96D82B6F1944EC92DB16C070CD406,SHA256=3CBEABFA841BDEBF7D54C8658DF2DA80D32EA7A75E89471709708F6AB9643EA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.706{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\word-support-dark@2x.pngMD5=F1AD5B5EACBAA97CE08D11FF859A8E68,SHA256=D244662145D01E1F0E3E2CD16EE0764CA6B79EE1C5977C3B6EF1EC77448D663A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.703{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\word-support-dark.pngMD5=56778DA559ECB206B09698D78E72E89E,SHA256=698ADD7161CBEC6A92C8BA88554E4ECD73971A67C0BC1161E5927272D4DF2AFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app@2x.pngMD5=B29F5FA8C8DD46383E1E51880ADB772A,SHA256=6B088A80DAB8EC48F61691ECACCA33C96FEB9724E1AD0EFA734118C4F9D41463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.698{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app.pngMD5=63AFE185C65C9C9A586D6195CB84D69E,SHA256=5A0183E0D73610840AFEFC16F4F4D2BC63AC64B778016BEE6AD151A7EFEAF6D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.696{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo@2x.pngMD5=1F129F1E30AE9EF763D534D42C98C4C1,SHA256=8F0E8A641AC77BCD98195136B2213666C4E6CE31F9F1A596CE5788D717463089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo.pngMD5=4770ACD790B2523C30CBEE5A9DB48456,SHA256=E7F84A20B0C339070651553AE7520D766F48D8CF4ACD839D4B70695145C55BF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.693{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo-hc@2x.pngMD5=FCE121D97ABA19A6CE04B36E8FB0D015,SHA256=8836465646194821298F6445F1C5965170CD82D32EA250831452AAE01B599C1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.690{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo-hc.pngMD5=0F4B06E7D14D92ADA324A2DCF9EC0E3A,SHA256=C01624C2EC68F56F965269D1640CFB7DF4F70383204D8AD7FDF7EF88881C0284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.689{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo-dark@2x.pngMD5=369D2FC150A053D043FB8A40F14CE1DC,SHA256=4658D16133722AC7C6981C21332C3974DA21B55E515F34863BE64C39473B1C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.687{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-promo-dark.pngMD5=B33E8071A305D145514755C69C625AB2,SHA256=D6A505448E5ED11A55E517222337E5225AA17A76C9E857CAA7D569606A8061BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-dark@2x.pngMD5=329EDEF872721F668ED716B3B459BDAD,SHA256=F966CB16D9F49065C03BF5703DF842DEA63D0102910C608AEA447339B42572F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.683{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\union-app-dark.pngMD5=FD8488B7DC21E678B62E1734938296B8,SHA256=99943734512318A6744D8C902E608857AC6CFC1C5D6C06BFF3DC25C1E9459B9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.681{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\teams-free@2x.pngMD5=0206073556D4E19A4EB90D0EF42CD1BB,SHA256=E343D12DF5376DA57D951A6EE68B277E3C752D3C6F3F38BB1E5B3E5975B073AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\teams-free.pngMD5=C8ACD3F07F9F4E43F41D0F90040575B2,SHA256=D923C63224155E00F7FFC0F61E933EE8F5182700041F47ABA37C46DB36C4DCCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.677{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\teams-free-dark@2x.pngMD5=FAA4335D035AE7B6530512D7755E2C72,SHA256=97C721937769604D6EE60D148F8E06833081BECB9CBF89F3ACDB6607FFEAA462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.674{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\teams-free-dark.pngMD5=A5A98FE042DB343077FCF854987425F2,SHA256=49A075277F12E59C0897C45138C2F6FD543B5691CD0DE8A36D44709A399712EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.673{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\sub-share@2x.pngMD5=C7C255EC7050E9A38197BF3997B65272,SHA256=F6DB9FD9D58C53748FF909A82594E1141285591871DB5B2E4A9D2ADF95B6FE59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\sub-share.pngMD5=A5ADEA4CA561DFAEA8074E22AA4285A1,SHA256=2D709CED69E2F92B6CFDC922E18D45EB70D2A0517518BD18261593B0554D3989,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\sub-share-dark@2x.pngMD5=F3D2B4A8B611803DF02E0F50A2B4BC37,SHA256=CB84F90A06838AA89AAC0F115519857A918267BF53ED435A4D07E650DCD1A279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.668{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\sub-share-dark.pngMD5=79C1F8ACAA64B799208E6EDE8574C3A1,SHA256=69146819249B470FB8463C7C4C028CDD0011A72BC30A5A46FD243DBE7A464659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.667{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\read-aloud@2x.pngMD5=7F1E8BC9FC29D20E84C7BFA5F28BCDBD,SHA256=C6F8957B7333C8A4EBF9BEFB7A7108792A756028603278465DEC603D78769701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\read-aloud.pngMD5=A740B32B65C559C4FA75B8F2B254B971,SHA256=01F6C5DE8578B64258234EE2A7B2594B59DA7593DEB4663FC005648B3194829B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.663{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates@2x.pngMD5=ADAFC7DE001D783E80822DE9234767AA,SHA256=ABFE414B6E14427D1BA0E87E2ADDE39AA63FC061F78404C48FC45843A6C051FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates.pngMD5=BE1A31814281D4711724479DB56175C6,SHA256=AA97DFCA27D383B82430685FF5647E605878A070BCC170DEB95053902266B74B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.660{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo@2x.pngMD5=02ACF19FF340B6F279A38EEABB418075,SHA256=AE555BB68F6F6CA79D5D0C29D15847041ECAB75937038715E00CF7BBD7A2662F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.659{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo.pngMD5=A7FB79E45AEA7893BFC7622EA559FEA7,SHA256=8DB989D7173DF702D82888990CA4661159E2B45772345D8F759636A0E20F40D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.658{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo-hc@2x.pngMD5=82CFB4DA4F05091A57A2202F840B6814,SHA256=6F33C5219A62FF1CE2D9CF6012F836884F3CD82D3B08C59B98519E18C55316CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.657{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo-hc.pngMD5=87A872C412067427532BBB44991EBC6F,SHA256=147906013C6100277587082A30F200FAAB74D36F0E3F9838106CB0C8F9B073CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.656{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo-dark@2x.pngMD5=18A1E9237118725C8AC7DABD547FFDC7,SHA256=F8D6BE924BE3AF6BD601462BBFD774F8EEA9C626D023592C195B0842D3444793,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.653{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-promo-dark.pngMD5=70359DC25B06CEDE9C72C14F032F7E3A,SHA256=544211EBE105C80C05B0D7EF355202BD8ED8C6B40D66D15DAABCB8143F584A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.652{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-dark@2x.pngMD5=62EC6CD03533A8BA87D86DB742D2AF2F,SHA256=0492AC318837C3FFB145C576B8BAD4E71EE491BF492DEFA3C6EE3326BCDF6351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.650{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-templates-dark.pngMD5=280CE329E62A22396766F5984FCFBAA1,SHA256=FDCDC816C5ACCB8A2E9161BDE9148A747AA589BD45551A61AB07FB39C774F5B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.645{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-content@2x.pngMD5=46D6D2F2A9FB406ACE1A2B890A454E4D,SHA256=13DA238291A9B4110B5CB975AD6D7930CFB46ACA783CEFF81D96173D51D913D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-content.pngMD5=CCD188216A2E17174C1598D7E3B6D292,SHA256=C03F1A8F2BBB4FCCA5B6371439ECA49424D43B9AE59F8E1E6265263D4C633A70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-content-dark@2x.pngMD5=09E52B9B1A0243D9BA9657A4F4A3DDC7,SHA256=21D5B25443F108F51EAAE795C62268D7F6150F386BE7C54B100BF4D0BDCA8C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.633{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\premium-content-dark.pngMD5=B3D48B9A9A4E127B05BA2B4D287D30D6,SHA256=D490B5C05653C81662E2C709C87656A1E55E20EF58ADE72B50AB98150BD84315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.629{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-support@2x.pngMD5=240004FC247F82DC9B709C84EB7A32F4,SHA256=12A2B46213325031FE008A48914BE51087ED46C05C8A240333FC41E56EF97702,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.626{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-support.pngMD5=57775AFBFD8CDFFB1F44CCFD54EFC4F7,SHA256=A6FA89F27B8A5D7572B3CD63CE8845B13A49C24DFC5E1C71C89F6EB612ACC1AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-support-dark.pngMD5=70C0743322471323CCCB15B1CD76671A,SHA256=25142BFF056C3D56B0467E3161A6B2EE69EE3B28CEDF67EF2EB46AA0E572269D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.621{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-speaker-coach@2x.pngMD5=C2CE14859D78692DCAA0BF7CCE7088CC,SHA256=2988D447D0C4C5FE40D62DAEE076844428581DC92F3997DE5E6A96E4754954AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.618{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-speaker-coach.pngMD5=1E151C63B78BF23E27B3113B1EE02FD6,SHA256=37AB7ED8AE71F44F3A644E1F9B1BF6691135F472635DEBF9A0E5360189C30963,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-speaker-coach-dark@2x.pngMD5=040E771BBA8E7D33C30561084BEFE143,SHA256=1CFB8C511AEEDA31215C1F27810941B66993A3B50C17D2421BB81A0B2C43503D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.604{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\powerpoint-speaker-coach-dark.pngMD5=4ED739A230F8057E85D82DF481EF9902,SHA256=CCF271A2A248A90056F2F56C97CF357B252C148E828925878C88F6C171B06BBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-support@2x.pngMD5=FD3A74A180C92C5CA8CA15A9A08696FD,SHA256=E58570AC7E725FE628192E6FEC8EC72F8AAC673B7F777F351299DB1E92218B1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-support.pngMD5=B9A03D672A13B8FB0A49CF8D8D215482,SHA256=F91AD9A37F6617E55F93B3B6E2339B5A4396FD1D299E4C4E097FFB9D3B8D5BA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.600{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-support-dark@2x.pngMD5=ACDB5865AAEBAD41535F84ED9E6CA893,SHA256=7360D331943AD0C8E88E055186743CA5588C857FD1DA64F4D7880D3DF8602F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.597{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-support-dark.pngMD5=404BE9707A4CDDFFE85FDDF644AAC83D,SHA256=A6D4BDF7BAEC15D8575CEECBBD8E4FA74FA401677B59B138B57D11EED3BB35F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.596{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-accounts@2x.pngMD5=FFE44F76145D0FDC53939562F7A223AA,SHA256=280CC43B786B0E90D1BC5F2887CA7D6002595AC91D1AEA05F665F2AAD6F55041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.595{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-accounts.pngMD5=91870152616C63D81FED92185C0BCFFA,SHA256=76C8FECED6668A20D6151662644C999BCDB3B3EF8C71CE0D4FDCBDCAD7D34FBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.594{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-accounts-dark@2x.pngMD5=7BC8A9A4184CB95E36FC3ED7CEDBECB2,SHA256=D4FD9B827ACD960C7AE85C369C53AE83A541CF53B7CA312965C7B9FFE3DD9E13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\outlook-accounts-dark.pngMD5=9B5BB34BA3D209EECA314BE04AAE8D3A,SHA256=1FF677477A70E3B725FEAF8F84893CD1BEE51BDAE40C82C642F45D2553C958A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.592{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-mobile@2x.pngMD5=40C212A26ED2FB2CE6F8FD6553975D65,SHA256=A82B332136702F0ED892C5F5E7169FFCC5A885A0DAED8695F5BA2F33D5481C1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-mobile.pngMD5=14B1D2DC3EE1B928EC4F21627B6FC750,SHA256=32BD9EAA88A85815E32D8B9A75EA7E5AC8F12B3B6CC6C26AB159145995B19B4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-backup@2x.pngMD5=A88BE7D054ACD312441CD107B530862F,SHA256=98DA762E213AAA4348C6BCCE749DDCDADE320FCBB356A5BA2AC9564794970F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-backup.pngMD5=57B5C8DB285399E5E71585CB8954F1EA,SHA256=4CC8DDF4C22627E7BCEEF704C190ABFE2811D7D07877B7E46CA1A037FF43F9FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-backup-dark@2x.pngMD5=A1582841C5A7A3EBE4FD73C349230E63,SHA256=BF93D86A905181DB4038614EBA70544AAFBDFD260A3DC2D3E4543AC55E951F81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\onedrive-backup-dark.pngMD5=C936A742BC25472010D447CE560946ED,SHA256=E98C732F3DAF8FFFE9F3BF0A2D7A1D90C20F4A375F4721CAA921F6825BA55E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\od-password@2x.pngMD5=078E7E798A9E871D8D321EB8061FB3D3,SHA256=A26BE774AB25A3BEFD258D11BF7DF3AB847B41ED53A51BB97ACC6255F9520813,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\od-password.pngMD5=200FCE1E20C898CE91064DD28BAB3E05,SHA256=70C2AA12DB2F920D8169325E88343FD4AA66E80B805AFF552EE006BDA0D0BC01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.576{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\od-password-dark@2x.pngMD5=7A492FD6BC2CB0E64A32FAE71C59652A,SHA256=C8644F0780A8E080CBBF8CE20C841077E5C7EEF2283486F018CEB45B57A5DD24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\od-password-dark.pngMD5=19A9A2FE0237723124DC859AFF47D887,SHA256=4C183ADC6DCA0C4203EF19BAA8B6809C292CB61A5C76AF010DCE5D9E5EB86C7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\family-safety@2x.pngMD5=DAC0DEF6A26EA395B2A23DE26383E09E,SHA256=37E20FDDEF3CF707D7BFA570895B2A425AEC05420F61586EC4477AB495947E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\family-safety.pngMD5=C3B27A2132E688F5F1DECBBCB1F99E4F,SHA256=BD8826E9C09089A85E6267F1DF13F21EA67A4459FD2ACE3842A1E1944499784A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\family-safety-dark@2x.pngMD5=9877DDB6EA91EDB4FD430C4FEF8B0F36,SHA256=F8567D3A5027B9D398E8A12EF877830D3DE2408A889C4A6B06441CF75CCB38C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\family-safety-dark.pngMD5=6D45D3ED3B2B9EDD2F148F1B75ED8AFA,SHA256=C7BB5221FD7D18DC9D967694B7D14D35BAA99981DFAA321E0B6DBE77F3659202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\excel-support@2x.pngMD5=CC63612F2D2AC08DDA6E30FC4CB5D147,SHA256=25B12FEE33DB0757E63763DC97F17FC93136CED57586C36D8A58E494D9873A89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\excel-support.pngMD5=3B9FE072CF2CE6DEDCDE9593AE1C56EC,SHA256=2C59FB7C5674EF1C079EE4CD4FA87B14CEA1F5C6D3A6FE876680A51AA83CF395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\excel-support-dark@2x.pngMD5=6039338BD7B8719A3AFB4D97F927E9A1,SHA256=7A59388E45121634F00AF870BEF915410F1A8D7EC889CD07CE8F51DDB6D1E5F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\excel-support-dark.pngMD5=4E713F3AFB53CC4DA3EC3847CA68F4E4,SHA256=FD5684FA17821284BE8267409ECB50707A7335634B753BB3C6209A11F1D76F3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\error.pngMD5=83E12680C8D7AB1269011BEAA4BDFDD5,SHA256=FF213C4EAD62DF57FF24062939AEF3CCE6FF103BB388DCEA9E350D56DC0AF083,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor@2x.pngMD5=83465E90DEE02DD0E43D6F92972FFD05,SHA256=68226CF31282C6BD4ABAE4C8A4C32409DC94C878F81C7068A9E981B65E01CCD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor.pngMD5=B6487326AB455EC5328B4CC680BB6A44,SHA256=3EAD9377ADC663882DC507A1B1C44C468E4CF112E004E211AD02A7C3964350C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor-dark@2x.pngMD5=1D5CD23B83A934BA8DC15BF86B5A271F,SHA256=FD71BFF118EB5241CBF2DC43DBA9073864D81EFD4ECEA3D7DF8373084EC9FAC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor-dark.pngMD5=1CC8E8022B958E0F41E1FBA17DB443AD,SHA256=3FBE1D9F292FC95B5789AA2CF98EAED159691DFF5A60FFF4E95E201210F259D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor-bx@2x.pngMD5=50377446FF41FD478F04252E3E72F9A3,SHA256=716E7146432744CAA65C1B7B90A1F4E9F338AEFB4F3C354E2CEC2AAE2451F0E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\editor-bx.pngMD5=45B60F2873B47A05ECD48A7A3B004E91,SHA256=8855B9F6B6F1F6A3D02A990ADB69E103727FAA2416065E0B97F33BECA130BF41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\edge@2x.pngMD5=2FE6E178140661834F9E6055519CF705,SHA256=E895DF7AFB5512ECECCCFDAA839A58C1BF3183DA17541205DD370FA0EDD5C610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\edge.pngMD5=A68B01232483E488818B834A2F9A0727,SHA256=21A5CA756EF91462A889D9F76EFCEC592937F755EFBC0A1DD52C16B01C69FA15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\dictate@2x.pngMD5=982EEC2B6E3D80AAE530524A882AF192,SHA256=C926887F0DCDF0148F161F262229FAD46581E5A50AE673BA2DD40F6056684ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\dictate.pngMD5=99984766B902342A00D3AA047CD8BE84,SHA256=6E8756ED81903C2CA8A2FE4EB03BE48DC38EDE869B3EF0A0418FB71E560D553B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\dictate-dark@2x.pngMD5=497FC24EAE2624BFF555C0705A9E65FC,SHA256=F7F4257660B8A865476AF76DA59B385652848CA75C446603B71183A1B509326D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\dictate-dark.pngMD5=D154D315C15033AF5B5A030B6ED68BF1,SHA256=C4643DE2965EE4A0D6CC4CA52E98FAD70A7767AF8666E8D801349A58DB3AB708,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer@2x.pngMD5=F420A5EC0E256B58D84FA970A75E6F20,SHA256=E2E4B28D5BEFC07B0ECD8CEBF741CCA2F08F6A9B99E54831A5776E45750AE1AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer.pngMD5=7C16EC3E8B0D9342C27C71AEA9578D1B,SHA256=9262686120576F3B4339BA6520DC0CCD5546BFCFAF648302BCAC6B2E7300B6B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero@2x.pngMD5=C0BE69DC99B78613EFEB54AC99CE4CD5,SHA256=0BD80103944B516B60F84FE38B3A27BB8E7AB8A9F10A4E54FDC7338A80046131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero.pngMD5=9C6885CACB3062E44CDD942BAE1CDE2D,SHA256=0A81D58C22B2BE2DE1B61805FC6B002109BDBA99DB97F9D046823B2E895AC511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-dark@2x.pngMD5=C59B9D667CBE494EED248F499846F187,SHA256=5F6A7ABF70B238D67DAE8E0CF930B9B46C065425F7B992EF3D5DCE6FC3327D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-dark.pngMD5=C085AA69E7C6B680DC63A236BFE33217,SHA256=3C5B48E274749BC519910E56FE17AF882A9E7F406618EC61FADBDD68A79B04F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-badged@2x.pngMD5=830F15CA011E1ADBD5E077C019D7753A,SHA256=6022134C054C3CE8EC66BA4C570965E766E444229C86813CD2B04730D2A2F47C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.482{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-badged.pngMD5=F3CBA2E198F5B0CA86D47740B3D56969,SHA256=DB530F71E4F5DBF6A1FA9B7957D5051418A389A24E901DFB61A7569E4BE90F0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-badged-dark@2x.pngMD5=F2B54EE7C0C4C417A6D01F089BA13758,SHA256=7404E47C7706B1FE1B324419FC20BB106C0E480CABDF44089D97B4ADBD11ADF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-hero-badged-dark.pngMD5=293333FF912138C2085DC2DCD98F8FCB,SHA256=500D4EA1BB7348463CADC0D7D1D2C3259706945528CD1AB34C25AE64BBD9B8A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-dark@2x.pngMD5=43C9A3672EF815908452C835889DE72C,SHA256=D9E5BA34E7709969F875103FC26EF6F7FCCB29C97A9409DD6623A77C8851AEC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\designer-dark.pngMD5=4EDB6BCB59C19BBF1740F6889A8732B0,SHA256=F2ACBD3DBA5784DFFA34C814ECD3B0BF05D5B672DD3CE5DC315E20E8894603D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\chrome@2x.pngMD5=B9224053A3571D88CECE66B485C48108,SHA256=6C3A49DC6C845E1A0FE11BD76F0F5A3713705FE97A60057A69368C6D80790AD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\chrome.pngMD5=645AAD86530C41BD39876E4DC3D78160,SHA256=6CADF2DA147B4D8497E10D11ACB82562C3CC540FDA81B8C033036383CEBF22CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\analyze@2x.pngMD5=9CF69B69EF946ED1C1A051F225AAA4ED,SHA256=250C392E1730FE6DA28DC429C81D83CC15DC227F5CFE11A620B05C02CBA814A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\analyze.pngMD5=DBC6D04DB5DEE761D2F83849F2B1894D,SHA256=CBA250DAB0009D2D85A8EB4C4CD929627453F4DEB959DE5791DC18B740E5C8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\analyze-dark@2x.pngMD5=F8DF5E20F18CFD47CA704991185206E1,SHA256=461049DE38950E63034E86F3F1B36A62401C486EB0555BB03AAF5CD7185914F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000070\assets\src\assets\images\analyze-dark.pngMD5=ECEB442F709972FE85DC0BF9C4082C16,SHA256=A078C497B75AB36604BC584610B6CD3A5B1A5ADA1DF809FD1C456354283402A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\strings.resjsonMD5=CF4810C293AA13B28A73128225B49B36,SHA256=A732BC288AA1069867F816EC0F234925B345432F102A35F5DC1D3129CEA82FB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\msft.pngMD5=5FE8FD609BC9EFD7DECBF88656366937,SHA256=E7ACA25F45E0DD7EE6E35E7C2F67347FF79B002266948538CAC635C0F59C2177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\manifest.xmlMD5=A2C2590B3A04236AE3EAF957F1264329,SHA256=839B9630C573AF8275D5EF93B9789FA6E9CAA9FA892CCC12A9DECD6873C3F1E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\licensing.win32.bundleMD5=1C0AE5C63F81BC93B94333471F022C48,SHA256=8B5F517AA18A351ECB57BE307F62F26372B5E586C13084DF2BFC7BED6AF155C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\catalog.jsonMD5=3E105CD83EA1D118C9F2D52E3F2F7B08,SHA256=64838067C2E815C069A13A03413D245DA6453F83B202820970B7D9F8C25B43C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000069\app.jsonMD5=53DF9D94A93CE9A0BE4BDC51970C5935,SHA256=DF27ADDC65DCFA56ECAFEFFF28209BF95ECBBE04FE0946A72BD894CDDA286FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000068\manifest.xmlMD5=D55678C6AB5B6E852042778A134C621D,SHA256=0DF799511580EBACE82C0E29C9F54B81F69976B6C447D1F92BED9A2CCF7CE48F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000068\icon-32.pngMD5=0B11443DDF4E523EC72F13CB112EA4D3,SHA256=875581C407F81FF15FFC00A95600DC6358FC21C114AFBB1FC36EF543DACCD7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AB1818211D0044DD2E8A33D5555B1E,SHA256=9A712061D873CBB25298E7E189534E12F2284D1FC9DB41EA580CC72B0850CACA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000068\assets\icon-32.pngMD5=0B11443DDF4E523EC72F13CB112EA4D3,SHA256=875581C407F81FF15FFC00A95600DC6358FC21C114AFBB1FC36EF543DACCD7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000067\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000067\manifest.xmlMD5=A2C1893F4B46345BB861FF3779CBAFF0,SHA256=DDAFA653724BFE09D1B197EAA85B57CBA6B4671C75452A3B62BA80A5435C07AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000067\index.win32.bundleMD5=F990A3881ADDC936CCE8A16220F54BBE,SHA256=E23B60E248DB6786A6A2DA3D2E89974302DD37F23E48AA00AB194C28426187F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000067\catalog.jsonMD5=FFCADAAB4E236E43D7C6B5E218A69BBC,SHA256=CEDC30885B74C1D3B1651FD9BB21010C7DE0837712A560EDDC136CBC6EBDDED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000067\app.jsonMD5=D85BEA7609B50D26A9E2EC9A528E4E0F,SHA256=222E443BA79C55E8F72D3EF21759BCC94A48D8450137D9C82C56D321AA9B48D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\strings.resjsonMD5=F060A43C5B0088C445B8EAE913431A0F,SHA256=4E5417EEDE45B2C2E63B4259110768F312D83AA33A5A4251C4F3F8989D1125C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\StoreLogo.pngMD5=5FDC02DEA317B399D2EBBA270D815D42,SHA256=7CDAC1206C933B521CBE3A41E9F2425A8BCA4FDD59C98E2A5E5F48D410A7D925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\manifest.xmlMD5=D28575A0A77510ABEBCC1B1AFEA4DEAF,SHA256=5706AEEFB0BA1E5CA91D3C0F0906CB31DA23F188CD6AB38BDCCB10B3A819F708,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\index.win32.bundle.tpn.txtMD5=8E894BC6431D9C7CF5C04974AA027107,SHA256=9074823F28C6124389B202B97706C95E15E47DB31D6E46C74A2C28CD923D6B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\index.win32.bundleMD5=C09D038378F196FBF9A0646759C22665,SHA256=3B511925D1551E625A139C60762FC890AB9287B26FEDACC76EA802925DE183BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\catalog.jsonMD5=D353AC4314D7DFA7688091D5F516EA99,SHA256=514280DB7CE1DE172651A29938D6AA88195EE21BC2F4D22079DB8A3ACB3F38CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000063\app.jsonMD5=99774A0291AFB4A6242198DEE6E261FD,SHA256=706193A979BAE753C8EBE500973E4D91FFCF38E19AD6321C6BA5C648AA30B09D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\WritingAnalyticsStrings.resjsonMD5=FE9FC80AEAB2E3C4A2D04AE0448CF10C,SHA256=21E81B7EB914D9F7FB97EBE7FE144E98E70CCF12497829B72E3B618D8D698F5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\SimilarityStrings.resjsonMD5=DE6BD53B1AAB2DD11A4026CD5317918D,SHA256=5902C42A480DDD054AA07E0BE6BD6BAD12599E61C6ED0358D935ECA628B8E2BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\ProofingStrings.resjsonMD5=870F01E57E9CD3B298ABD438B8AC8201,SHA256=30515CC2F1B18EB9F4783BB1547B464F833973B4F8ABF5ACAB3BA08391E5032D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\PremiumPreviewStrings.resjsonMD5=4ED3E10D5012C38ED19CCFEB09477A78,SHA256=7397C3D85A1D18E760F9B3DE101247ADE86D2D3F04E35EA635B6F0F41139A9BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\MultilingualTagsStrings.resjsonMD5=3A2D62BEA2A1E0542EC076812ED0EFC7,SHA256=7D3976116C3957A78522689E6EB4CBAC263D6028F25AFEA96EC74F32F9EF2350,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\manifest.xmlMD5=F5F620957C13234C85154C96844C5A32,SHA256=A934A02D247A671BDD7CEEEAD8CBC30C7C73A664BFD771FF9BD10C7B9D16AAB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\index.win32.bundle.LICENSE.txtMD5=7EC01595672F75E83FD81B41F132F4C1,SHA256=FDBC28C10F3D21976B4BC16464AD7C630538C0C3101347B5FD44AF9066F7022B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\index.win32.bundleMD5=914A96F57930FBC250F4334DF3CC9766,SHA256=2526A5A9F2C50A46116E7EC47722988F15114BF626C549DD3E376F09D587E1EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\GoalsStrings.resjsonMD5=ADC9087E466513A08B5A3888B4812235,SHA256=7CCB40A64988D64230F9BC43CAFAD7AEA7474D78EE6517F524B2E44F45579945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\GiveFeedbackStrings.resjsonMD5=F81DDB0D6A4A6EB62DA9849DCD35FD4C,SHA256=CD0FF74BE648D686C072F3184EA97AF3942E2B7A1F0EC41B1EEE86710AD22279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\DrillInPaneStrings.resjsonMD5=7A76208822C5D5BDAB75A75B461B1FC1,SHA256=9D5B6C73DC75F5C11283D7E78D0E0F86B32A57CF427E4F4273DC2F52D35F21B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\CritiqueCategoryStrings.resjsonMD5=A84F43C31D591AF5CF919F922421F6E5,SHA256=A6FCC58FC486063AEE03AF5367FA64204746EEC2CFD3DDD20A4646A56341CB7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000062\catalog.jsonMD5=DA2EE761643255758EC9B1CB176C9AF5,SHA256=6CB472429DD46746DF9361E23949B84A6879645F5890ED37A1DE6B6BAF4AE274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2333D6962FEA69CD0968AB8FEB4F30,SHA256=FA8688591AF4014B25D3341F83BA29BB5C08E107736795E378E43267954F8AEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\TrackChangesStrings.resjsonMD5=0DB15A665090F09BDB282A0C1420BC96,SHA256=703C86954650B20CC50CA74BED35E05778CD8752F97B75D5D9B5056032379905,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\TextFormattingStrings.resjsonMD5=E4F421815D585F2AED86FF05B644B41B,SHA256=187462B88CF271443BE47663D67245555E2B99E1873975ED9B9B6FE632410EBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\SimilarityCheckerStrings.resjsonMD5=D1CDB840FA435CC664BDCABB362FDD52,SHA256=18F1BAEFEEF6892FB8071F34186BBC2139C84DE6FF49F6F87E99FD43F6DA7378,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\NeuralRewriteStrings.resjsonMD5=E43202D8044603539D60D1417A1EA866,SHA256=ADC02A8C2D6A316312A0552DF6D6194C84674BF51ED805A6498C340E92DD3AEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\manifest.xmlMD5=501103890F6C539F6E1450FB39782E63,SHA256=945E34DF89CC215A2BAE4EC8573A4DCF62D9881939A28901C2F71CFC03092414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\InlineSuggestionsStrings.resjsonMD5=D1EC2E9F5DCA1DDFE09E4B102DF95395,SHA256=915BF12C09F15403B814BA64D33D981C4AFC8ADCF3AED1383DE8F6BFC125BBAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\index.win32.bundleMD5=736FF23F737739FA503DFB2C60196441,SHA256=DD43D78B734BE18EC3A7DF04A327B0E1414288839DBFFCB0F1379233B92EE6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\FeedbackStrings.resjsonMD5=CA99C3AF32371EB6AE1B1F78A01365A5,SHA256=C7020DBF5ADC508623F89C8384DA8AF59CBDFC834E53F136967F7C88C6717F94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\CritiqueStrings.resjsonMD5=60A09D7544F9C8B02307F8517ECA56C0,SHA256=C0BB599AF00E1D9DFE190E65F61227AC4BB0F0FD32A420285030B2D996E17534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\CritiqueExplanationStrings.resjsonMD5=680A33C1DAB0C917606FF600208ED063,SHA256=AF5182A250564E42DED34A0545906946BA9B1F369926EED8578214D187C547B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\CommonStrings.resjsonMD5=995A761F613C667DA1AEF974EEB29CE5,SHA256=673C4ACE2B94766BC47675D9A95176B05CC37E62DF1CCD39CEA59F8A96CB3F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\catalog.jsonMD5=E6DFC806723D7147C6DA0E09C8FE997D,SHA256=4D5F2AAE3C73B8A1DB66F24465CA5E7861F8E86E329A2BEA19B69CD97F0D3CF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000058\AutoReplaceStrings.resjsonMD5=0795B8F5BA0E99971A9B75766572F37A,SHA256=E805502E719EAD485F578B9EC4F6BD4DAE0A64ACA88907AB42131E314DED0497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\urlmap.iniMD5=FBF815DFD4B662787E0BC6858C0C1E1E,SHA256=4B430B88C27CAF889DA27ADCE342580C6DCAA36C6E41A1E3577CAE9841EBC784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\PowerBI.32x32.pngMD5=62A03429442300AFC131F2D5FB852515,SHA256=4EA8A72DCFB9875E4CCD44AA8685C1CB963F772D211C9369043A5CC31C228BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\manifest.xmlMD5=5923C001CAA8037471653D4C1F00ED5A,SHA256=105CDDD927A9E132B14EB13C358320960ED3485AFEAEB06282C8B742B4631C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\vendor.jsMD5=300A9147A354BD57A2D2F0AD5A991616,SHA256=7FB3B8D7B69EEB5CB03318646CB06B287C1C14EC89410151886C1CB4ECD57F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\urlmap.iniMD5=FBF815DFD4B662787E0BC6858C0C1E1E,SHA256=4B430B88C27CAF889DA27ADCE342580C6DCAA36C6E41A1E3577CAE9841EBC784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\taskpane.jsMD5=F09A3ED3CACABCB1088A999DFF2E9EF1,SHA256=1F1301CE772756F2268707A8CC0AD8DAB68CC53DC1E35C27B8EECB01A546E623,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\taskpane.htmlMD5=25B57286A598600982523206307170DE,SHA256=7352931FE4CF6CBC879CDD4B9C4A0CD56FC2BDE2B690923AE1A1FDFA5C2BB2B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\taskpane.cssMD5=5271E367C04D4A76F70E0DD3CB8ABC60,SHA256=882F799DF7A6351E6CCD2C7FDE7AFB08104DF8DFA330EDE13F19FB44DB27EC47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.294{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A871CC2D767BF09F9908254E7EF74A,SHA256=7EDCB31D5BF6E97923EB1FB495CA108B6BEF77CA78F2F6FEB8C9BC2B7E0EAB2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\PowerBI.80x80.pngMD5=0CE3635941E405062F60A402DEC14299,SHA256=85DD7E71D00535D8BE042254685768B7C891F2E5BA7E8409A71BD5C1018FE32F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\PowerBI.32x32.pngMD5=62A03429442300AFC131F2D5FB852515,SHA256=4EA8A72DCFB9875E4CCD44AA8685C1CB963F772D211C9369043A5CC31C228BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\oteljs_agave.jsMD5=12252E7908CB98780A0BA03900013977,SHA256=61DA5FE4A6804AF2997E04F35FFF8867F616649B828B4A6AD67DF7D4FC836FA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\oteljs.jsMD5=3F49D39A70034A5522C6E7CE2DA60E48,SHA256=AF2BA5C36FD01BA63F5E2D6F698DBCE042AB7E6247D8509E9E741F0EA7D35E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\office_strings.jsMD5=DFED23F4057984728C895F4879D5B201,SHA256=FD87A3A1A743CFEE034E227AA8F03456FBFA5BADD6912FF3C9866774E8A2F6A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\office.jsMD5=477C566A0215AC0819766A74BB65C896,SHA256=3C0A145B5D6586D9F5AFF3890DEBB9E7FA1E6E185445C83345597F0C5C235584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000054\OfflineFiles\excel-win32-16.01.jsMD5=F065D40E5ACBCF3E61C9E225584A24C9,SHA256=04D6F424E259A542DC4CFEB3244613E641BB25A0DF66A8EA7748BDED534B4867,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\urlmap.iniMD5=C7B6E964B7D5A0B6ACBDCCD91650BA85,SHA256=D5FBEB95FAF7B9570EF1F491D1ED379A097929D258A273A35140E55527298130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\manifest.xmlMD5=E20E25831F9C9750FE545DC1BC1630F7,SHA256=1B23C1AD1FB7E7D6A1A020508A9380ACF9B20D704EFC4EFA450A8C558FB12AD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.247{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\icon-32.pngMD5=95EF187DADFAA5A8726CD087285C37F4,SHA256=F7BBECFB6EFAE634755F18662B5B19F13B6C4EEDBCC49366DFC3947771498C63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.247{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\word_4ce4a05b791a68198d52edc311e474b9.jsMD5=7F1D7118CB6CEA611DE19AFDB10CF887,SHA256=3FEECB1D175789B2868D840A527A6B0CFD89BD0A1A31C60668D26E45DC0D909C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.247{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\vendor_4e89cb1f69643a7c129b44e74d32fb21.jsMD5=F12C9B598A4E21D1C55843AFD3F057CF,SHA256=33652C33B021D563D16EAA49A6FDE72E34193EECE1860509631C126AB84688BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\urlmap.iniMD5=C7B6E964B7D5A0B6ACBDCCD91650BA85,SHA256=D5FBEB95FAF7B9570EF1F491D1ED379A097929D258A273A35140E55527298130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\transcription-strings.min_943a67dea1a50e4903648f53b00656b5.jsMD5=2E10E8C68B4A4DE9478513CED557FD66,SHA256=0D924770FDF915CE39D6DB011FFD33B29A86329EF79955854C9A3A07749413A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_onenote_e6f5c5bc1709af7051b0ef7bef47d33b.cssMD5=A430F6174E84D88A508F5DEA07862769,SHA256=A7B0E2D6A2B7EBAD5E82849263A3C3DBA87E2F34F348F925D7D753F1B6A9BE4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_onenote_debug_1b8789437e078290bb043148fcdea8c7.htmlMD5=D6D0A0E47A27C905F09707A8196DAF71,SHA256=CAAC39914A73FFCAE7F238366516DDAB389180DC4F14B972F58F26504BA14622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_onenote_a4cd5ead157dfad4dccb1e0278238b69.htmlMD5=27C70204B136CA49911946CCABC2EB44,SHA256=50C449FD3AED41A5F053283FA6066DB101D5A8C8BA552E1CE196C365A43933CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_996535a59d83003de3425b8b8f52171e.htmlMD5=EC6F47C48D5D7D8E5486526FEE1D351B,SHA256=2E809F94AF45D5DB40EF761FD71925C4D2C37F7E6B1D3B3E6D63AE3FCF876515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.232{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_2b13f7fbbe01433a571812d3ee3dd075.jsMD5=45DBC16B66A38078C26E1AEED3341E69,SHA256=0AE762AEC8BAA980C4EF645935C87F91451974B9FC796D62CDF52EAFA139752B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane_2af911ea3b0ae7136a06811b6e3b1941.cssMD5=83DF9C0F4AECFFC070D9ED91EF06F89B,SHA256=4A5B8CCF322DE2DFAA4BEB6AD0EDB98A3F1D5691C8255009CCAD321406498B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane-v2_df5d6a1f5b829fb44de3a97531725e65.cssMD5=A619DF4061BA26615A79C0744E54D83B,SHA256=FC324F642DD4BDBCD6E23CA96AB615CC43920F9B3DF33FDD59C92F725726A36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\taskpane-v2_1b37b071e59afa11433503615e1d552c.htmlMD5=3C35325DD41935DB0CA85FD101CAC80A,SHA256=C82785D478DE647881F68009226B92B0E3DDB0EB6A48235FB8A0DF9FF025CCC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\shimmer_f0ecf338c16347f360e69025840e10c1.htmlMD5=31F9EE409A1F8957D3098D4E05350B7F,SHA256=4A82F788EC62FDAC0AF6A15F206B6C68E7CA61CF82BE9AB54AED1D6966EF83BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\shimmer_250efe48ba604b5f4c9cc6b875205605.cssMD5=A8D9440140DD09D627BB5004B4455246,SHA256=9671A57B3793BF0C3002D719B29D149C03778AF9E9204F70ED8A0E9D20971789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\shimmer-v2_949d5a6df2867e1b331ceb56d58760e9.cssMD5=CD33CA923766A778B4117A4246013D39,SHA256=CF3D73FCDD17E5A2C41F59004F7223202ADA66DA077EA8B1C46DCF890FFB0072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\shimmer-v2_3bbcf55fc09dd5099714669d4c4c2dd7.htmlMD5=1CFEBF5F500D97667508170BA32FB48E,SHA256=63DC17815600D9BD46F41192451F4E16E1F8D0E2E28880B59E301E5074A68230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.216{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\OneNote_7ecd596bdea910d7d5fa81fa61b08800.jsMD5=F8646AE18BA0226800FC07D37BA8AD48,SHA256=249B0F7BE2DC1B3CBD6C883CDE8D038C318DFD85A409F497609797EDCD4DAF71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\office_strings_247f8f78dd7820085808b5e8fec39119.jsMD5=92A3DDF4C14AF9EB4DB2939A2B2712AC,SHA256=5B6D3F98F8A755878F226B38FDB1F7C31E67B456221F253B70F95AA331668594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\office_2e97d65336bd5d3533e966e9de09077e.jsMD5=47709A144F2F56FC51207DB5339A8156,SHA256=D3A39543D6B7159B5321B8CD9B06B34E4DC24D19ED677CC61DDB6DD5D56DBE0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\font-awesome.min_cff276076075408b2a3fcb2054648bee.cssMD5=A0E784C4CA94C271B0338DFB02055BE6,SHA256=820E169CE24824066D9973FD4B6561AAE9DCD6DBEF6435DA905D5A1D6482997C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.201{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\fabric_bce4a7014773e0bee6feeafcc8f068ce.jsMD5=B2990C12E823558C6F8FE00A27C17EB3,SHA256=DA952C9DF59FF6CE8210333696424A2E84BDDA2FB274403711B702BF70CCF420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\fabricmdl2icons-2.68_d33619bef4d1956597b2a8a88cad6fb5.woff2MD5=0CA20A97F688C550B0731CC09436CB64,SHA256=81BD9C6953694ABF461E6F47173B09535424D58F3764515D2D1A9F409594559A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\OfflineFiles\fabric.min_94d234d74ed3449a31fa3e9521910f6e.cssMD5=D211176C3419A4D5B9FFBB0AC44065FB,SHA256=9A78F4D82C2A27A889148A96B46A3D55C2682BC182AED580924E4D88F67A2948,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\config.jsonMD5=FFB5B55B113E4917E78D4C7EAE545EF5,SHA256=16FED731806EE9281293DE641AD6B36212ACE21E20F01F5B27537F996075AAA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\vendor.js.map.gzMD5=EA771E87D91A9EA12E4CE0A57B550FF5,SHA256=AF2F646A879DE7BCDC169C4075F59A7F644C924EB594E687C8B0E6AEBAD9E65C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\vendor.js.gzMD5=B1F93692FE56AE2D66C2313C3DAEDFCA,SHA256=BD5DD377B56BED4A7869248B31DB325CD5677E324C6885515D1F485EB24B6F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\vendor.jsMD5=2D550547266F0013CAFB764A8CF24616,SHA256=DE6E2C000AC223CAEAE9D128EDCC420092A6A1B735DBF656EB0421FE7CC783A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane_onenote_debug.htmlMD5=D6D0A0E47A27C905F09707A8196DAF71,SHA256=CAAC39914A73FFCAE7F238366516DDAB389180DC4F14B972F58F26504BA14622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane_onenote.htmlMD5=27C70204B136CA49911946CCABC2EB44,SHA256=50C449FD3AED41A5F053283FA6066DB101D5A8C8BA552E1CE196C365A43933CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane_onenote.css.gzMD5=F7636E56FF0EA99B3EC1C3223AF5D7C1,SHA256=402AC3D2310A342282D35DE5EFCF04DE55C9D6D0E0247C3C8CFB8BAA34244144,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane_onenote.cssMD5=A430F6174E84D88A508F5DEA07862769,SHA256=A7B0E2D6A2B7EBAD5E82849263A3C3DBA87E2F34F348F925D7D753F1B6A9BE4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpanev2.js.map.gzMD5=C99428ABC42BC8DE85E3FC544C665C98,SHA256=5249A7AD7F0E484B152748331DA5D262FF8C7B9975F11B1CAB4A07A365F4B004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpanev2.js.gzMD5=2CF6D67470A464D57BACCD6F6E38B02B,SHA256=B6641F69B3662ADDC923BA69656733ED0E36B8C42CEA8ABDB5C18AB523C9A2F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpanev2.jsMD5=20A0A27DE3AB76CACBB0475AEFD18AFC,SHA256=6DABFCD8479F1CA1C6B340461DDA5589856ADA00D92E47E1282716A46B77D0F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.js.map.gzMD5=30BFBABFE929DD4FDEAFAFF2EF112013,SHA256=8C04CFB635AED3B0F94E3166D9AB3AF834C04B154699E6B02FD11E49F382B356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.js.gzMD5=5E7B8DDF1728D260F9DBE62D65E953ED,SHA256=682714953384B34770265D89FFE94015C78B7AE152CBD8775AD527EEC458AB21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.jsMD5=2C1EF112F9E2269ABF68BF37764E6ED4,SHA256=283CF61FBC18EA108768BFAE81D4A25CE708C3C4D0DF019AF3BE44FEB7871A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.htmlMD5=EC6F47C48D5D7D8E5486526FEE1D351B,SHA256=2E809F94AF45D5DB40EF761FD71925C4D2C37F7E6B1D3B3E6D63AE3FCF876515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.css.gzMD5=678363084B6EB2D37693A46FDBDA301F,SHA256=72535CB68A8F47AEA3387DE1267AD0D04AAA59E44A99A1C6C8394B0E30C46E48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane.cssMD5=83DF9C0F4AECFFC070D9ED91EF06F89B,SHA256=4A5B8CCF322DE2DFAA4BEB6AD0EDB98A3F1D5691C8255009CCAD321406498B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane-v2.htmlMD5=3C35325DD41935DB0CA85FD101CAC80A,SHA256=C82785D478DE647881F68009226B92B0E3DDB0EB6A48235FB8A0DF9FF025CCC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane-v2.css.gzMD5=1B6C878ED7E9F2443AA03E8394FD0E56,SHA256=3BF95578CACA0811790076E0FDC4422DC93E05FC95C26F32245E85EFC6938164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\taskpane-v2.cssMD5=A619DF4061BA26615A79C0744E54D83B,SHA256=FC324F642DD4BDBCD6E23CA96AB615CC43920F9B3DF33FDD59C92F725726A36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer.html.gzMD5=D0683D15F3B381293A5D8A4EF33F0FCB,SHA256=A0E551FAD95521B32F9C8AB2C40C71E82FA0DB68B2C225EF69C8EE833ECCA32A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer.htmlMD5=31F9EE409A1F8957D3098D4E05350B7F,SHA256=4A82F788EC62FDAC0AF6A15F206B6C68E7CA61CF82BE9AB54AED1D6966EF83BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer.css.gzMD5=8D545C503B201D493BF5BF5752A017DE,SHA256=D1CFCEF97DC0F66490EDE6C57B6966677429BEE154F9FBDE552EC34DE4A1AF79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer.cssMD5=A8D9440140DD09D627BB5004B4455246,SHA256=9671A57B3793BF0C3002D719B29D149C03778AF9E9204F70ED8A0E9D20971789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer-v2.html.gzMD5=1EB7C6F126A26658590BF2336E3B7383,SHA256=48120B7AE6AE62AD6F9BC9599D4FD113149A311F57783691DB18A6E5E522122B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.107{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer-v2.htmlMD5=1CFEBF5F500D97667508170BA32FB48E,SHA256=63DC17815600D9BD46F41192451F4E16E1F8D0E2E28880B59E301E5074A68230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer-v2.css.gzMD5=8C9B0B5B63E3F681E5EB334CACF5F62E,SHA256=E59C11A158FC67AF96ECB2136759E49BC3708BA054B38C1CDACEEFCD743551BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\shimmer-v2.cssMD5=CD33CA923766A778B4117A4246013D39,SHA256=CF3D73FCDD17E5A2C41F59004F7223202ADA66DA077EA8B1C46DCF890FFB0072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\login.html.gzMD5=457D12FAA0593D2C5016525CA26D7921,SHA256=7D26968E05C2FA562627C566FD4E56490D95ED23228762516142430498EF18BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\login.htmlMD5=2ED466471A36F9EF367BDC3A37EB030E,SHA256=9E42FF56D1F264B90BB7BEF533E6B61EC9F9ED968EEBFCABAE233DFFF75D116B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\fabric.js.map.gzMD5=DC26E0931783B1F05AC64F4DAD469A8B,SHA256=F82438181DCD3DABC699E9943E441E85292D0578BD5B4A8506D15B5773D185D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\fabric.js.gzMD5=067396AF61A994B3F60FC877922426EC,SHA256=90168C736C36EAD02E4C0B56451C5CC62D9921E1480EA5CF8F1D68F895D443EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\fabric.jsMD5=DCF78A21F779F6EF67D93C37BCF04E42,SHA256=95EC4DC103962DCFBE4A41AAA55D9ED14260325D2E38B0F81DEFADCDC13555CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\office-online-strings\en-US\transcription-strings.min.js.gzMD5=A667565B518DC4738F14CA180B5BF146,SHA256=554FB7095108D6BF2279530E4573B91DC05F2EEB865C99CE4010F66F268472A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\office-online-strings\en-US\transcription-strings.min.jsMD5=2E10E8C68B4A4DE9478513CED557FD66,SHA256=0D924770FDF915CE39D6DB011FFD33B29A86329EF79955854C9A3A07749413A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\PlayIcon.svg.gzMD5=E6C3CC6F59428A63DF4835EB08128ADD,SHA256=F85645294DA7A195D373655F050A4E08295E003AF042261D0C0EB44036DC55F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\PlayIcon.svgMD5=9FCC0EA0CB0D5764ED28C3D8ADF71AC6,SHA256=DAB956FCE6C0E7D7E41E0CA4EBD7FC90551273A9BE3365F2FF232F47C446B114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\ping_image.png.gzMD5=F5C5AC13A68BC41D92065B42CDCABD19,SHA256=F046328396ED4CA2E3F0EE368CBCFD93850B7F14217A4A462685AA461884B0E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\ping_image.pngMD5=DB4EAE3B2B1A3DA7DB237FAB25C16B7E,SHA256=5808BB037B946C4BB7F3E6512BEA112F1F8CCDC4513D77FB6E3D0C50E844C529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\MicPermissionsDialogImage.svg.gzMD5=63E732A98A5DC359BBF1CC664285A397,SHA256=1B427F26B2BC5A9B657E876A2177429E8BA7FE78463B008714EAA317C5984DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\MicPermissionsDialogImage.svgMD5=A0DF48FCAF23DA80832F0AF53797CB66,SHA256=C36D0C603E4E86549681684BE61120F7B471AF02ED7CF7F783F3A287C325A30C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\logo-filled.pngMD5=7F313C06A52DABE7267420021403D038,SHA256=08511DB3B1233EFC1C24CD65251E0AE7ACF2DE7BC9C4A777C96BE7E4841D75F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\Illustration-Error.svg.gzMD5=1472DAF4F7407652391CF0089D5B40C3,SHA256=50C239F94A9C765B463A842A84ECA21A37A0483CE768B9DB923CF1A12C38BF0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\Illustration-Error.svgMD5=F98A991E4BAA9310A3E84DC87DF269F8,SHA256=F9AFE0D9A9F76BDB875E4865ED9FF81DF26976353702B0E6E86EC2ED774A94B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\icon-80.pngMD5=182672451F9EF549C36E9B339CACAA70,SHA256=3CC34FD69B23488040ABAA5D28F04446D0B7A96EBBFD845A57940DA731DD94BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\icon-32.pngMD5=95EF187DADFAA5A8726CD087285C37F4,SHA256=F7BBECFB6EFAE634755F18662B5B19F13B6C4EEDBCC49366DFC3947771498C63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\icon-16.png.gzMD5=F5C5AC13A68BC41D92065B42CDCABD19,SHA256=F046328396ED4CA2E3F0EE368CBCFD93850B7F14217A4A462685AA461884B0E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\icon-16.pngMD5=DB4EAE3B2B1A3DA7DB237FAB25C16B7E,SHA256=5808BB037B946C4BB7F3E6512BEA112F1F8CCDC4513D77FB6E3D0C50E844C529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\Dots.svg.gzMD5=226F3D189A104A51D3002BCF1EAA6BAF,SHA256=B0D3BF8F7A6E4309FF7E70F8D56564AA801D978C24B17173B0B2FEA052A3E817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\Dots.svgMD5=355DB4E50D0508B54CB0022FDB3323A5,SHA256=C460ACC2154046912F4F2F6F7A7FA6C6F339A1F2A01E3C268B9A4EF91A8F24A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\Bahnschrift.woffMD5=14DD47B081BCEF84017F98A652716C05,SHA256=F883E3C879D50314A31AFFB621960E9FB683D8545FFB0F1EB8D6FE7DE9CEEE72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\addhero.16.svg.gzMD5=1F1F627A66BAE0075BBCD4A87E8F025E,SHA256=BC7EB523C3468E8CBE393DD9DC0B4988CE1B9AFA90039BF1AE0B04BA05854EA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\addhero.16.svgMD5=28C6A6D856DF5D86CC10F9DB419F54D0,SHA256=C294B3C11B87D967CE603EB59BFCAB902E79A4605766F5E24222E29527FBE7B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000051\dist\en-us_web\assets\fonts\Bahnschrift.woffMD5=14DD47B081BCEF84017F98A652716C05,SHA256=F883E3C879D50314A31AFFB621960E9FB683D8545FFB0F1EB8D6FE7DE9CEEE72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\urlmap.iniMD5=A4F2DF17F1585BCF689D976BB8B6A4ED,SHA256=F4B781E239FC8BCC1CC73DC2DAA4EF30EDC95001F6AEE5519BCDCECB831CFA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\manifest.xmlMD5=7C668EFF431AD4878F793044537A8AD9,SHA256=91DD2BD723482CD74AA7C37EC2BA006106919DD8D1BF46A26304D30BFF96B369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\icon-56.pngMD5=3D822AFB812B2E9C1389DC0E8BC944C9,SHA256=CDB59E26A8BC63EDD14614882A32A1CBCECBB8F8FC4BC6EC05E47B06F257FB89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.029{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\vendor_fb183a5d6d2a3ca73bea6bcc8c7355cc.jsMD5=3548A94FE3DDEC7C762CB1043AE203AB,SHA256=774259B7ECA6154B8D6E54CF5CEAB65DE25F0C940AFFC3547586D154F2FD59B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\urlmap.iniMD5=A4F2DF17F1585BCF689D976BB8B6A4ED,SHA256=F4B781E239FC8BCC1CC73DC2DAA4EF30EDC95001F6AEE5519BCDCECB831CFA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\taskpane_948452c586a5d37abcc3e821238c9618.htmlMD5=8B80CB6B4C54E80D7C03BD9BE4150DC7,SHA256=99760DBF3EB456FAB0D1ACDDE82DE6E23EACA90D4B9DC9A7845E3B60272CBA0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.013{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000050\OfflineFiles\taskpane_61795584e2fc8675c7b4d5c35393329e.jsMD5=784C20F9422A0154A94B25D7FC1163F4,SHA256=185D50BB4627BB8B08502FCC04D29B85584C015B2DAAC1E064731C9E96C7988B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:27.786{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F081B9325C5B2026EE5205E43425782,SHA256=F4E64F7F81FF69BD3325BA367EFB4494EE718F439C9A45894F7BB272D13C2876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BIPLAT.DLLMD5=039C7E148A56E40E0FC41D02EDE5F4E3,SHA256=BE34916D879A6B865EFF5AE5343602E34AEF3206A1A0FA406E46038E8EBA1A50,IMPHASH=43100C884709B151F54166B6757FF513truefalse - insufficient disk space 23542300x8000000000000000329871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.864{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\bdcmetadataresource.xsdMD5=27B409BC5E400FC72A057D958AAA70DB,SHA256=453B02419AB5BDE385AF81D6CB738317A21DB197F7694876071DD27F9D57B8B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.863{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\bdcmetadata.xsdMD5=2241BEE1541CA64D578684A352B1A747,SHA256=91926B18AA0430E45F6B2A26F0A36774D15B45F993E659D4F8D6599F961E97F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.862{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AutoHelper.dllMD5=3AF24F2A83AEAA5F64E81481B8F614E7,SHA256=50217C53B356B06DB41399BC3849AFCDEE6B2E9B4EB99C49E2447CA91C4758C7,IMPHASH=9F232E678E9552FB5046B21DD6D05200truefalse - insufficient disk space 23542300x8000000000000000329868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\authService.jsMD5=8706A3B1CC1053AC6F0ACD6F9EBA603E,SHA256=60F6E1F8DCD9DAA186965978509883FB182A2745B0B3DE9D19D20D3AC59D19F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.852{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHSAPIFE.DLLMD5=BFABC686D276D8E1A2B69DBB095C50FD,SHA256=8B51CE6BE5AB2FC92AD15662244DFA6F1682815EEF07C788A1A91F47FAC001D9,IMPHASH=16FCE47A2A84CAEBA61D6003176D8C4Btruefalse - insufficient disk space 23542300x8000000000000000329866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.824{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHMAIN.DLLMD5=5509F05DBF3D9B9CF42963A25CD1994B,SHA256=F80134060AE2BDB8F382B71DE6F64E190858A4844190A7E4638126407AC77325,IMPHASH=6C3A443A04CEE057495DBB56246D4D0Btruefalse - insufficient disk space 23542300x8000000000000000329865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.807{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHLTS.DLLMD5=3BA722B4C8F7388531DAD5A81B93825F,SHA256=F6F38576B4637A9B492C92F248E7F4FC27A31A8F7FAD150F99F8BC7A286FD1FE,IMPHASH=E9965067729BB92B8D29191962E091E6truefalse - insufficient disk space 23542300x8000000000000000329864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.803{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\atl110.dllMD5=FE00086A2FC935AF640C7F302C12FE89,SHA256=873D57E5CD660D49B403780685E91B6E3BC9E65B6E59435E0C5A5DFA1DE0422C,IMPHASH=8CA7AED35B720AAC9EC88ED55BAD59B3truefalse - insufficient disk space 23542300x8000000000000000329863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshvw.dllMD5=B26507F45B1AEA6E41BE967428EBD8E5,SHA256=FB674651BB992D15188A061CE81C8D5299B35ECCA3ECA9E9B1CDDE1C15AE22C5,IMPHASH=3ACA6110E9E6B421F81A32FCA9CB5F43truefalse - insufficient disk space 23542300x8000000000000000329862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.746{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshcom.dllMD5=D6C29FE33BE8CD5C778D677658B290C7,SHA256=58DDCAD9122B64D9191B0C5E46EE858B6C27D240F6CB4DFA9F8DD6EB777CB95C,IMPHASH=ACA922888CA7C3BC306B7A0D22EBAD55truefalse - insufficient disk space 23542300x8000000000000000329861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.737{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appsharingmediaprovider.dllMD5=C280BEC3EE2E25E56038C9088675ED46,SHA256=5ADC81282061E83C1FCF47428A99F976FB55BC91A39893F3FBE58F7ADE0BD4D6,IMPHASH=96874A97D0E1242257ABB10C4A39470Ftruefalse - insufficient disk space 23542300x8000000000000000329860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.731{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingHookController64.exeMD5=8518140C234FE9AFC26319939022CCC9,SHA256=261B5C98114A508F8D9B9960C0FEDDA90F11B07DC1BDD28683BE9C14E8AEBD37,IMPHASH=109FA69E14C698CD5F6CC4E6EDA03E11truefalse - insufficient disk space 23542300x8000000000000000329859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.728{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingChromeHook64.dllMD5=4BC7E15EBBEB97BDC9B08204E247AF3C,SHA256=A2179EE03384EB25899500005C968E152415FF0FD22B5C288233C7BE4095CCEA,IMPHASH=8AA2B97AAF48668049B3002771F10EE2truefalse - insufficient disk space 23542300x8000000000000000329858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Appshapi.dllMD5=074018784980B1FBF0243DE3430442F0,SHA256=01AE8D94797B8E69A1C11B0D4B484DBE65F415886643A7C3E142DD1FBD0E54CB,IMPHASH=E5DF7F1018FB0168D3BC4F790067CCF8truefalse - insufficient disk space 23542300x8000000000000000329857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.686{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-utility-l1-1-0.dllMD5=F440DC5623419E013D07DD1FCD197156,SHA256=BBA068F29609630E8C6547F1E9219E11077426C4F1E4A93B712BFBA11A149358,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-time-l1-1-0.dllMD5=05AF3F787A38ED1974FF3BDA3D752E69,SHA256=F4163CBC464A82FCE47442447351265A287561C8D64ECC2F2F97F5E73BCB4347,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.684{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-string-l1-1-0.dllMD5=3A96F417129D6E26232DC64E8FEE89A0,SHA256=01E3C0AA24CE9F8D62753702DF5D7A827C390AF5E2B76D1F1A5B96C777FD1A4E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.682{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-stdio-l1-1-0.dllMD5=53E23E326C11191A57DDF7ADA5AA3C17,SHA256=293C76A26FBC0C86DCF5906DD9D9DDC77A5609EA8C191E88BDC907C03B80A3A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.681{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-runtime-l1-1-0.dllMD5=C25321FE3A7244736383842A7C2C199F,SHA256=BF55134F17B93D8AC4D8159A952BEE17CB0C925F5256AA7F747C13E5F2D00661,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-process-l1-1-0.dllMD5=E18FD20E089CB2C2C58556575828BE36,SHA256=B06B2D8C944BFF73BD5A4AAD1CAD6A4D724633E7BD6C6B9E236E35A99B1D35F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.678{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-private-l1-1-0.dllMD5=B4BE272187CB85E719DFB5BF48BB9B1B,SHA256=CCAF41E616B9A872D35C8083CBF8FDC14371FA3EF159FE699514643C26A4EBF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.675{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dllMD5=FF4DE9CE85C4B01312DF6E3CDD81B0FF,SHA256=D7E676B9F1E162957D0549AB0B91E2CD754643490B0654BF9A86AA1E77CB3C37,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.674{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-math-l1-1-0.dllMD5=877C5FF146078466FF4370F3C0F02100,SHA256=9B05A43FDC185497E8C2CEA3C6B9EB0D74327BD70913A298A6E8AF64514190E8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-locale-l1-1-0.dllMD5=0D50A16C2B3EC10B4D4E80FFEB0C1074,SHA256=FAB41A942F623590402E4150A29D0F6F918EE096DBA1E8B320ADE3EC286C7475,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.670{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-heap-l1-1-0.dllMD5=5D409D47F9AEBD6015F7C71D526028C3,SHA256=7050043B0362C928AA63DD7800E5B123C775425EBA21A5C57CBC052EBC1B0BA2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.667{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dllMD5=D76F73BE5B6A2B5E2FA47BC39ECCDFE5,SHA256=6C86E40C956EB6A77313FA8DD9C46579C5421FA890043F724C004A66796D37A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.665{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-environment-l1-1-0.dllMD5=FE93C3825A95B48C27775664DC54CAE4,SHA256=C4ED8F65C5A0DBF325482A69AB9F8CBD8C97D6120B87CE90AC4CBA54AC7D377A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-convert-l1-1-0.dllMD5=AFC20D2EF1F6042F34006D01BFE82777,SHA256=CD5256B2FB46DEAA440950E4A68466B2B0FF61F28888383094182561738D10A9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.662{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-conio-l1-1-0.dllMD5=E3D0F4E97F07033C1FEAF72362BBB367,SHA256=3067981026FAD83882F211BFE32210CE17F89C6A15916C13E62069E00D5A19E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.661{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-xstate-l2-1-0.dllMD5=42DC903598FF9D2BFB92D3F1F1563A92,SHA256=583BE047AA83CCE2E8950F5F550DABC5F7CB5957860316E3F409BFAFB10B963C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.659{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-timezone-l1-1-0.dllMD5=BDD63EA2508C27B43E6D52B10DA16915,SHA256=7D4252AB1B79C5801B58A08CE16EFD3B30D8235733028E5823F3709BD0A98BCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-synch-l1-2-0.dllMD5=B9BC664A451424342A73A8B12918F88D,SHA256=0C5C4DFEA72595FB7AE410F8FA8DA983B53A83CE81AEA144FA20CAB613E641B7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-processthreads-l1-1-1.dllMD5=247061D7C5542286AEDDADE76897F404,SHA256=CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-localization-l1-2-0.dllMD5=6B4F2CA3EFCEB2C21E93F92CDC150A9D,SHA256=B39A515B9E48FC6589703D45E14DCEA2273A02D7FA6F2E1D17985C0228D32564,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l2-1-0.dllMD5=ADB3471F89E47CD93B6854D629906809,SHA256=355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l1-2-0.dllMD5=19DF2B0F78DC3D8C470E836BAE85E1FF,SHA256=BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.643{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\amRenderer.jsMD5=510DC3B9F3E67D7A81FE76D05BA45513,SHA256=8B067C3514D580110549D93AABC735A520F5BC9FF49C38EE032275C43ED536EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.627{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AdeModule.dllMD5=562311B43987780914D2628890DD55E8,SHA256=50AEE47D8D0DDDCAE3E3E201B4955CD10004FA93CBA278962918750AB01E1829,IMPHASH=EC49BE61653CFE88D16F0DF1C2F5976Ftruefalse - insufficient disk space 23542300x8000000000000000329833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.627{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACEDAO.DLLMD5=26DD9A7906EC7403C57343E72B81EBE2,SHA256=6E24054AB2B4057777C5606F8F18E1A505D8F920D2AB254995D822D90249607D,IMPHASH=0091811BAD9E6CA4BA444906F4C9ECD5truefalse - insufficient disk space 23542300x8000000000000000329832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ.DLLMD5=BBA0C9C4E9F85B5D5F6A930754F09129,SHA256=17DF8150927FAD5EF8D33C942F8EB49B94F7572CA7046118187CF24C382F80EA,IMPHASH=9CC7734520C32CB01429B583AB4E1C72truefalse - insufficient disk space 23542300x8000000000000000329831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCICONS.EXEMD5=C974104BE26032CDAFF4116A53C9F1A0,SHA256=E7D34273643DA90688C8D2FCA1515426FF84B01987687B838FC03CAA8A75C5AD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.564{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\punctuation.jsonMD5=3113F73B77492D7E86DB4E6B8638B7B2,SHA256=214662B9C49F6ED82B293833A233F257BA96B41414B0C9764C15D94DF41961E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.564{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\ime.jsonMD5=29AA3B4E788AC5EF14A94F85EB16BB56,SHA256=86D52FB2D1976A02A87225DABC3D20EFCACA8BF71D12466CCC80670668725ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.549{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\filterConfig.jsonMD5=FBFD800C4045C352691E5613AF799B2C,SHA256=CE41677BB7B217CFEEC7649F2158D60453BA1AB9B65CC8A6F4F0D1941DBA12AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.549{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\filter.binMD5=B8D2FA1C04D937AE3398B722478BE8D2,SHA256=A889A6BE32E94D31E08D9FF67F9E13B2256A0577AB3E843352F746C72E9D3C30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.549{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\en_US.lmMD5=630072B9D8EE264AFD6642626C60F95F,SHA256=A26D6D083C04E6422F1ADFB4C47FB6205EADCEE578FDFE1D29824173130C09B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\charactermap.jsonMD5=3C0ECCB14E50793BD9AC0C2E4CA5ADEB,SHA256=6D0FC6920706A66CA6E9E76B25DF0FF8A545BDCB58A5BEC2E6380C6A37EA14E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\.configMD5=62ECCEBBB7FB149F780361BEB1B720D8,SHA256=8D6F668B30BBF2FF6CFD160D9F8E824DA1499DB7319877A9B65779C3001D70D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\prefilter\filter_token.binMD5=12614ED6675C9721B1400B1BB6C33C47,SHA256=406BEBF3F1E738C30967C19616E5CA808FC09F4F108F7F04E6EFBC6AB6F6ABF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\prefilter\filter_phrase.binMD5=342F9D73C72B613C51D5E86BFF44556D,SHA256=A3DC68812883D637C4430C38FB855645C640C11656FE6C7C65C4BB108BEDC006,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextInputIntelligence\en-us\prefilter\filterConfig.jsonMD5=D931C3A3B0318665CCD1BC448BCF7404,SHA256=D4DB3B2D8FC44BCD0C4C9AC46BFF059694ACB3EA4121F151FF08E9E7E0DF3E69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SKYPESERVER.TLBMD5=D220C3541B2E08B4FBC54401A9E3A917,SHA256=6777DE7653E13BF7B82DE6F86873114748B703E212480FFD5A3537C97DC4684B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.503{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SKYPESERVER.EXEMD5=40E68924CC7FCB2F32338F98C94537AE,SHA256=2EBCEEA145339C80F80D2B4AD4AE23E1DC3613EE806D90F042C1963DC6B1A76B,IMPHASH=F96A1E9D62407072245323BAD4016A9Dtruefalse - insufficient disk space 23542300x8000000000000000329818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.486{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SFBAPPSDK.DLLMD5=F23D4BF8D6C250F4B20B58F8073E0F4A,SHA256=DB3410DDC4F58647B131FB2666727CE1D8C61C93DF47632DA4D906029FDDF24D,IMPHASH=8FA01D11BC27EAE3BECBF5C9AC227862truefalse - insufficient disk space 23542300x8000000000000000329817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLLMD5=D895AAB8A35EBACD8C90024DBA7E4A09,SHA256=848E34A217D4777F97678704C3630545F1E56BBF02311100AD023F79FF7F38B8,IMPHASH=06B74978F7BAA85F55AA57A08A5E7A30truefalse - insufficient disk space 23542300x8000000000000000329816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\sdxs.xmlMD5=9D31C35BDCA1BE6C457835A00E327440,SHA256=7D8D15331F7661DA478BE7A8D1DF7B86506E0A8314F1607F590D08FF8E646C90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\strings.resjsonMD5=63CCAFDB83DFF1FF5F6DBA24755CCD64,SHA256=6178BAEF4DFED66E1D22DDD8426010168D9FD1BBEED1D2344D41C00434128561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\manifest.xmlMD5=0CA9DA0E5ACED273F3FABA306ADC41C6,SHA256=C49E783739FC71220F30F00C296752990709A78B09ADE1D567E2123FC0E83969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\index.win32.bundle.LICENSE.txtMD5=7B3516806A7F4483AC17B2ADA5B247CA,SHA256=03EBF59709AE217D43A4D275303CCA0CC5AFEDFFDDE9C8C794638212FB6185D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\index.win32.bundleMD5=6B34917C1C0040A13E3E2356C29DE617,SHA256=467341A64DBFB5F6190EA8BB7A9F69BB799D4C6F4BA3DB90FE271AAAA24B0870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\catalog.jsonMD5=71F09713DDE0650629E767D2F63026CE,SHA256=6EC1DC4866357FFC625A1A88E225EB0A7A9835FEEA67F82AD2A2268535A903B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\app.jsonMD5=4C17BC82A6A2BC7C2190E2AF4670AE17,SHA256=1AE067C42041FE6B430EAB8FB150D9EC47E137F405A007B1EB75EB514CEE07AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000104\UserActivityUX\strings.resjsonMD5=57644372D4AEABD236BE3963233BD713,SHA256=718039E42609B9B5CA9C1E0751774FF86249AC35CE502DA9C17FBD0DA00AE5CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\unified_consent_ui.win32.bundleMD5=6ECB1CABAF03A13E62C9100E39D71323,SHA256=778720E8B24894E6114C61861C0A5FAA76E8EA081E89E8937BACC75C7DAEF76E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.330{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\tester.win32.bundleMD5=33DA9F243C79BA549154521E3BD55560,SHA256=C45F8E62C69E3824D44FA947DDD23881B8326A6C68579C5A545953DEE6761880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\manifest.xmlMD5=9ECC6EA0F97E87C7F1D0EA89AD772416,SHA256=7F2101AF39C502F95B9AABF19EE7B0DBC371FA26E8220449A92403C5F5AA7462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\catalog.jsonMD5=536F7F5C5FD75AF7D23E917ED43E1518,SHA256=185086A3C94DF78981C3E7C87421EFCD16667F5B0811CB47996D9ACF60209F67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\app.jsonMD5=826BD20A3E4A67919B0EA6A3EF892115,SHA256=B9CA73E3DB6352213E31AA23D5C77F1E5187D4D32451A5E27B0F9C83BFAEE7C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\assets\assets\MicrosoftLogo.pngMD5=93C1ECFDFC747881977E7369F2C1AECE,SHA256=4531E1319C84882E00ADE1EF668F860ED3B1358411C9F5895FA987469A0ED31E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000101\assets\assets\Illustration.pngMD5=D7C1437625F23E59C3DA5F68B78D8E43,SHA256=99F4C3F9406CB6D9E82665E67470FA2948CA5D84D49EF703FB972EBA15700D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000099\manifest.xmlMD5=0C4CA2A1D1C96966293A3224180C6804,SHA256=9AC22B76A334E047043E52A18A8C4C50C347DD680FF76F5F4DA5C93A11AF4F2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000099\index.win32.bundleMD5=C0171D82BE86B71CE028FBB69D876A4E,SHA256=1958CA90C79D6FA868645409194A28A77E43B458D861AF2BE18B3737732B2829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000099\assets\CatchUpAssets\icons\ActivityGlyph.82.82.pngMD5=08DF3311A4C605A4939AC08F934ADE19,SHA256=14DF897670FF9EC187BBEE4CFC09F79D170578BEDCD477AF0C79F54AE448CCA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000098\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000098\manifest.xmlMD5=57CE8ECD106645C6207F5F39BE6FBD15,SHA256=A74BE51B93AC6031726B35C47228E9CEFB8CE5322B7D5C632131C266F7907E9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.299{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000098\index.win32.bundleMD5=E10450E28E9CAC966FEA1B00CB08EF69,SHA256=6E8153EBE4AABDB37E12C56DB49D9ED79E9443D84B0A0D7A34696D7865EFB391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000098\catalog.jsonMD5=FFCADAAB4E236E43D7C6B5E218A69BBC,SHA256=CEDC30885B74C1D3B1651FD9BB21010C7DE0837712A560EDDC136CBC6EBDDED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000098\app.jsonMD5=9A31FFA0F926F20EE4AB5EFA9B812F24,SHA256=A780E3031AD81FCB8D3A5549C00E28155F04192D5C339D362D73EAE1060D1C0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\strings.resjsonMD5=DC735F6BBF58EDA23D6AB8897BABC7A8,SHA256=FFE81514BC48C4F051C2BDBDCF81F974FC476CAA71D7CB4865E78A888477866C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\StoreLogo.pngMD5=5FDC02DEA317B399D2EBBA270D815D42,SHA256=7CDAC1206C933B521CBE3A41E9F2425A8BCA4FDD59C98E2A5E5F48D410A7D925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\manifest.xmlMD5=960F17256CF0835ACC505C2688ED61C8,SHA256=BA891AD64B589BD9F7C9DFA930360A764736C3047FDF50E9CC5897B87F0D70D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\index.win32.bundle.LICENSE.txtMD5=7B3516806A7F4483AC17B2ADA5B247CA,SHA256=03EBF59709AE217D43A4D275303CCA0CC5AFEDFFDDE9C8C794638212FB6185D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\index.win32.bundleMD5=04E219C6FEEE7A9E83B8EA6F0E8431DD,SHA256=2AA052D6737C213367E70E0E805B045B6C0989A9A72852A96C56C3D41846BBCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\catalog.jsonMD5=71F09713DDE0650629E767D2F63026CE,SHA256=6EC1DC4866357FFC625A1A88E225EB0A7A9835FEEA67F82AD2A2268535A903B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\app.jsonMD5=38CB7D349799FC411F77B41DA553320F,SHA256=F45E5C6A589786858ABB53FE02F1AE06285FDFF4D28073A80AC31ADD0D885A25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000088\UserActivityUX\strings.resjsonMD5=57644372D4AEABD236BE3963233BD713,SHA256=718039E42609B9B5CA9C1E0751774FF86249AC35CE502DA9C17FBD0DA00AE5CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000087\StoreLogo.pngMD5=3B41150E4CB804AA1B26CCA06DC509C8,SHA256=EA757E4A70287F2A5AD3C5388ED2342BFAD38CA41969EA23C84D8CD499839D9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000087\manifest.xmlMD5=2C69B65ABCE8B17894632A47AD89EC64,SHA256=3457EA6483A20A2B0E3EF4C66510681BC313FE3DCD096DEF2CEBACA59B663602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000087\index.win32.bundleMD5=FE3BD8A55C15679C108BDA48DB0FE6C6,SHA256=893402E0887B389B24B5CD7C45C4D476750437FD94CDFFC229B9E22E6B3BEA2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000087\catalog.jsonMD5=FFCADAAB4E236E43D7C6B5E218A69BBC,SHA256=CEDC30885B74C1D3B1651FD9BB21010C7DE0837712A560EDDC136CBC6EBDDED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000087\app.jsonMD5=E32250AE99833E16467FD8551CAB3833,SHA256=B40E569E02ACF99571D9E04A674D1B8D8C4F439D5DFB917EE07A1552610FB8F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\urlmap.iniMD5=54B88B8F498543B1650961764D35E462,SHA256=01995FAFACD0E12F6798EF65B88E5D00F686B07A5EF6E6564A015015CFB9BA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\manifest.xmlMD5=77913500140CA77FFA0DA12F669E9413,SHA256=F8852D49CF72615434BEA1650AF50A1893AD45D7117881378F70A0D50D8A0F14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\icon.pngMD5=7A49114E729D7A58DF849097E38DE02D,SHA256=CC588B29D17625C317DA71DB500CF423A5B803AB2C36414E0911183C9A58BE58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\urlmap.iniMD5=54B88B8F498543B1650961764D35E462,SHA256=01995FAFACD0E12F6798EF65B88E5D00F686B07A5EF6E6564A015015CFB9BA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\robots.txtMD5=61C27D2CD39A713F7829422C3D9EDCC7,SHA256=E5AB0D231EEB01B4A982D1C79A6729CAC9797AD15A69247E4F28BA6AFC149B4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\manifest.jsonMD5=7703D9C46E3453F8F98E430EFEB3BD62,SHA256=888AFB1274AAB2B2CCBFAB2AF46FE60C4666765B49E21E616C08E690DC11FC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\index.htmlMD5=19A7247DCC5764FA1B6B3A5C5771C2BB,SHA256=EA5F68BE27B11F94F5652B1C5D19D13FB0FC69FFE8B5B7DF3FCB3443298AAE88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\build.txtMD5=76894B7AC9B36359B53E93EBB88FD926,SHA256=16271214F3D190D6520BDFEB7B6DECAE52F1F597972673BEBB61B3E22562E676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.236{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\asset-manifest.jsonMD5=A7F39AF8492E3D777FC0DED31EC7C26F,SHA256=EEFF20836979F5C3330451B2E11DF912F24663B35170F158584899756B1147D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\shareCallout.7c6f2bd6.chunk.jsMD5=CB5A175989CF0F287319C1FE7820025F,SHA256=BB7CC6C1DCEDC4F77BBE0C4C30EBC17D369263C613A972B9AA209A4C2DC16E89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\runtime-main.91d52571.jsMD5=1738F2A8A559CA1A260E9074C7FF571D,SHA256=35CE6ADAF5BD2095FC59A58D5BD389B198DB08EB8AD7DE0DB2ABE9BA73A7A561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\main.c60a88fb.chunk.jsMD5=6F3D8F109ED811BC2C7B078722B2F174,SHA256=5FDEEEC4897ED8A152BA4B9A2DC8BA7026D635B7C7B217FAB094FEEFC5DD75FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings9.9751471a.chunk.jsMD5=1A8633516753100ED48E168183C78AA3,SHA256=4FD10FC8EA71B593FFDD74B33BA6EC2A43095645B1B3424E3889A549C0C7A2F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings85.a4a3c971.chunk.jsMD5=806D54BD2D42A6E54A6FA51488ACB3C2,SHA256=C1632BF2730DCA2C43D5FF0BCFD8CA6F034083BB27B5EF80F5C4A1FA08A952FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings84.6948c98c.chunk.jsMD5=1E8B14B08C429CF6F010F1DE2DD1BF03,SHA256=9B2AA88CBD7678535812423716DE1C521D0A8C85BAD00331FFE9B81136BAC5B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings83.6eb058e2.chunk.jsMD5=143E0C7866F0478246991058E9D2943E,SHA256=47ACDAA65C059693C1146645F98E2D2FBEC677AB5400119D22710103D7782DAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings82.0ec1cb35.chunk.jsMD5=B4D8879320C5C54C6367800EE9E18E20,SHA256=E106D576C31DC6013AFE790546C62FF89F05C0684B4A8BF5D873DC6E11345DE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings81.f6d3df51.chunk.jsMD5=05E991E5977A90AB230F40D2E6131E7E,SHA256=23CC2DE0EFE1B2506274DD596F181BF6B621D04231263D0A094DB3E953F41389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings80.61ec338e.chunk.jsMD5=58E2FE6F6DF41C47BAEC931453D88CEF,SHA256=A31F32F544D56946C73E0A3E5E07B80F0D41CFDB5F81CF794876B89E6C546BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings8.192de4d4.chunk.jsMD5=52E8255AF14297515EDAED9A50EFD2D9,SHA256=8B2EA97419E6464E4C60528F74CC7C76933474F62A691540AE7C2122B85B16BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings79.282a4b7c.chunk.jsMD5=CAE6AB344100F3C671C925A03134827D,SHA256=F520D8EA8D991CA53F69A9A2A42A823139542ED88F349FC197727A4D56BE3260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings78.9c3e62a4.chunk.jsMD5=FB852D3589086C4CC22D4F1295FE3C01,SHA256=1336AEC41A4840F58A82C7182E4BE40C147807DB674A6B95FE67E8D8BBC79B35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings77.4d246a26.chunk.jsMD5=E3BCB0501F89F1A4E2D18D3BCA403141,SHA256=B3E1C931A043765A9AEF8C3FD5A727D3B1F583D35A5ED5A28AEAD8A17F04492E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings76.cbcea520.chunk.jsMD5=EC66CF00456C88857B6ECEB44F9C8C3F,SHA256=7AFE4A4423A65B8E1A94C4C99C5E121107ECE3CCC625CE03FB417298C6641A09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings75.09c758b9.chunk.jsMD5=F4DAD72B600B0E30D8419BBD3596A650,SHA256=4C40C72B9D6B33A54F7809454F75110A67DB25B412F66DD889DAE0542FCC38B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings74.c6d959b3.chunk.jsMD5=71C15CBA9278EBCA62D788D3F623BE6C,SHA256=BD6AAEEF934EC2BAE91416512F268249925C114DBC754C13264633D69BC91DC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBC404499AED18BD5B746A16D5B0CC0,SHA256=43FC3E3C8C3279F7E8927F383AD6E6417FFB7FD01F8A282BD098C80139E28EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings73.5989095b.chunk.jsMD5=73EBFCCBB22ED3A2EC197404D0604DE1,SHA256=8C1B006EA44DC0CFAAB7A607579FBAB0CABB18F7F5DBD4F3C444F00942B60BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings72.4dedf86c.chunk.jsMD5=6377E0396FD720C67849FEBAF366E2C3,SHA256=CDAA9738B9F14F10E3A3BF95EEDB2C7A083B38B9B3BBA29483FEABACC15519DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271CF78CC0CD1621349C7A19723A8616,SHA256=FBE3F56F0EF2B948FEFCBA6488B5F57525143AF66FA332C455B1DECD825347BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings71.44d69632.chunk.jsMD5=B4487111281C3760D354B27787372AAE,SHA256=2301454478688621BA9C2AE382A32887E831364F60F064D56B2E30D38C51E06F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.205{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings70.32ec9bab.chunk.jsMD5=6EDCD70898B7F3FE28235E52AE7C72F3,SHA256=A2E659A8BFF6E5F480C7E07D6A1FF1D9B8AF6692D67A54DC42857FD6FFD0DE1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings7.2e59842a.chunk.jsMD5=C107301B14CD8DA6F3AA3C233BBACB72,SHA256=64467F31F902E5C04C1A30E39312D0A08FE55522C331264BD4FFDB7009B2ADF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings69.436e54d0.chunk.jsMD5=BAC6CB1FF662E3273D98ECB048C4E7C4,SHA256=56A213F99C8C3B16395F7E4CCE4F422C713A797CF77365C31D056E8ED74CDB1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings68.16df942b.chunk.jsMD5=06206440F3F4CC0A43802AD7AC9D7573,SHA256=FBF4F5D6A4EE094D5624BCBC94D879DAF6E528CB7879D27FA51362D1360E7E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings67.7f139787.chunk.jsMD5=3A0BC837106E21C73ADCF09C077F7F8D,SHA256=AC9A8B1C139A18EE7231ADD29D79EF6BAFA30A53CEE021450398CB2E516820B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings66.c6aa3743.chunk.jsMD5=D3BBB39DB24FB0D301408A89E89178B6,SHA256=91AE359E6B3F6BF2785EB4548554EA482854E7D86C9C1E8D61605B4BB26CABFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings65.31c466f4.chunk.jsMD5=8BCE59139F302EF1EE857F31292AE89A,SHA256=8BA41A9AA9A5A3BE88A3F1F98986898673EAB3247F9B3B0B3B97CF7E19170D2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings64.224cca22.chunk.jsMD5=004FA16E8A1494768751160AC2CAF635,SHA256=09686913EF52935E226DD9DA24CFBC28F45F110819E40C84B115319E241E052B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings63.360067d7.chunk.jsMD5=E19D66023E44FE9A3E77F839B90FC47F,SHA256=6705040F006006DE65C82C0E89BE2EAAAFC820FC5F23E082C205D689DA72EFEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings62.5a8977ac.chunk.jsMD5=E6E6E8793155EB1E3D2E9F457DE95646,SHA256=897149621701577AC631D0EFE9CB2FC3472E75A71EF872A6C66B9B6D5E1090B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings61.6fe3caf1.chunk.jsMD5=6925A9F4955DF3CF5CCAAD4B878EB50C,SHA256=387717BB148E3F0FDF3FDFC188F76E893DE7AD3C4D167FEFE662AB55B3C1B843,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings60.982f1914.chunk.jsMD5=046403600E1D8174B57B1149F774853C,SHA256=2C16DA4405F670F0D93140F0CDC7C198D2E85473EED66F82C34C1627B6DF7BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings6.2fe8b972.chunk.jsMD5=C67A6A5DE6755B9DB0DF823D1608CF52,SHA256=A41CB7198C140BDAF370CC9A2D385EE57230CCD5B960F165411293C1B33FCCE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings59.040f8f25.chunk.jsMD5=D4FC80D415CBE1528CEF1E7F1376082E,SHA256=7959A2623424CC6E02C9611E9D6036AFEF9DA199A4E67C5C5DA0264325F2D363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings58.b8ab8e56.chunk.jsMD5=38B21D86888B0660FCD57DD5D025F683,SHA256=A2090BBBA18E3222113C63E9224D5820D77E75FC17A14EA1EAB1E180EA49CBDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings57.a05e8282.chunk.jsMD5=548737C925430230F031160FC65F92D2,SHA256=C82F333FBB9FF98D61EB3F9B11AFFD432054A72F611319C145FB42EE3420FF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings56.03db78aa.chunk.jsMD5=20D083F375D18858589BDC20CC6D8000,SHA256=2360576F04E954DCA243871F1553A629F7124524E14575EB3F27901151583398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings55.e5412523.chunk.jsMD5=2CCE20C89424C9E2F5534E1AA5F761D8,SHA256=ED6D4DAF533D7E4835C73E5EBD62F6F4EE901CFC5CF25B7411480082E361B4D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings54.1c22b73a.chunk.jsMD5=DA30658CDE38256A385DA5E7874ECDE4,SHA256=A8A0B004A63BEAA617E1724354E70CFFFBBDCF39D9889220F28FDA2AD82CFF42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings53.ae7d22cd.chunk.jsMD5=4EF4EB15117E7FCAA5102EAEC2ECBBB9,SHA256=41CA4569D82607C2905AD851EF3E41DA08CDB72914933E1F2408DAF89C6EC8AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings52.4edcf8e3.chunk.jsMD5=8FDE193FCED6790AD7A0D58C2CED2CDD,SHA256=FF81077597B28C216D85C794FAB53A0D5FC76C16A9E695662A542664154553DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings51.6fb94235.chunk.jsMD5=18C1B7A8C65A3ECC85AAD786D35E90AF,SHA256=9131534954A8A21063C61826D89BE4AD862BD1F1E2F87E55CF8D717985993526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings50.8e2333bf.chunk.jsMD5=9ADDC7F5D84164F863683F8794BEBCB4,SHA256=810B624D3A19EC10742640A419F91725985CA5AB58DD519D22C83166C607CBD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings5.2f958be7.chunk.jsMD5=A84922AF97F9007F29C496229E190E4B,SHA256=8F010800BFD366A5CEDEA498E6220C263719542CCC9C5CB2D0F95E3265A280E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings49.2921f74b.chunk.jsMD5=382E0E8E8D822A05FB883D169D02DE21,SHA256=509D9DAB8BBD2410123FA2EDDB8D6CDD0AD8692DEF3BB93B437BB6132CC86E1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings48.7435b483.chunk.jsMD5=BDBC4FB66ED44B67487FE87187AA7488,SHA256=8DF96CB90FD57EAE342930CB30FC052DF5A855B0EDFDF64071605A81BCA4FDBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings47.a6f8f38f.chunk.jsMD5=E28D68964A058ECE0C1CEB585836295B,SHA256=6787FF75A2683B549F9A1340FCE675E22672E249332E843D13C0439C9B932ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings46.d890f1c8.chunk.jsMD5=F4F36630F48C78AEEB465C831961D3C0,SHA256=C732F07A8C30435305439E713FDCC794A2AB55AFE65CB02CDBD766F505B8D2FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings45.e48eb096.chunk.jsMD5=B9209A40626B6E2E727AA7629D7B6781,SHA256=BBC7B3BEF4029C8BF88499030A0E70B5ABF6B58260D041BA1694BB5293553928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings44.e94dad19.chunk.jsMD5=D260C87CE6A9C5F4DDD5B8181D25E59B,SHA256=18391DC702C4C563DDBC782B97322C79443CCD1A0B91E48CFBFDDCACFB277071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings43.69b01836.chunk.jsMD5=16AA5CC1309B768A9D81F2D0CAE5554F,SHA256=319D55C5B179816E7B4AB2D10480AEE8D6794E50FEBB05FFEFA12497B6EA7E58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings42.1b5edcea.chunk.jsMD5=E9A995189ABE4531BB656BC543A2D1FD,SHA256=F645B05116DC860E9B4295FE1FCF69896C55174496A78B2DDFA72C20401B449A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings41.081fec2f.chunk.jsMD5=D517B6BFEDC3B04D300C8C5939A38BA5,SHA256=B82512605CC6CD2DBDEE404C53E5DEF42FB73AA541AA7345DDE0FD460C374852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings40.35f20482.chunk.jsMD5=A872BF47A08762B0506361DE8997BCF8,SHA256=EFD391045D027928051525D252CB1FD12BBE422D05450F8433AEC7CF0F6912A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings4.2d3cfcdf.chunk.jsMD5=85C33C775BFD26D01AF4107DE7F5EB4F,SHA256=8B04E96B1800DCF500A91FEC7A0B4BA5EDCC43762BDCD32B978A12CF1B15E2FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings39.4664b1df.chunk.jsMD5=FAD6A9FE8E262C080376DC1A05697FEA,SHA256=73BC5369ECDB74D1B1EDA1B057BA7E7385E6A174569C2B968F74E1F1272B2F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings38.cdb91bd9.chunk.jsMD5=C2014F91BA8B300AB7B86F616E05B90A,SHA256=057A25607D69E70E90A64211AC899C4FEEF1007A5D21B49274E2EE3A20AB2F0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings37.7d7fc7b2.chunk.jsMD5=4E2AF78548BF73B845159B02A2C6E921,SHA256=7E904C4CC70FB8044C017DE3D520517C7AEC28C51A73E4F62EE7D780AEF7BCA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings36.cb420a28.chunk.jsMD5=833056729839CC6A926E5C094F41E3FD,SHA256=3FCDEFC1DFC524857D884B59D1852E66091BBCF17DD1CD6EFC8AB7FBB7707497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings35.63f48b3b.chunk.jsMD5=777F0D40EC4C1443829E58D29C3CF64F,SHA256=129C83E094AEB0748B4329B8395B3DA6265E3C809F9E6AC4C75515C75EF7811E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings34.cb2822c4.chunk.jsMD5=7ABE5FEC17A6C01B1D5D9AC0A23D4F6A,SHA256=3506D9198BA7DCB59D6E713DBEE701529FD75F0C22017D541D04A86DE262E28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings33.f7ffc155.chunk.jsMD5=9E97B0CA3723F37E37D59085312A3B2A,SHA256=FF1B8F700FDAD73508BE005E48BAC7793E521251552336A1208961F967CF489A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings32.15c2c990.chunk.jsMD5=D11261976A5C1B84F89626169E4EA6BC,SHA256=F1F8E1218FD68D47CC884BC46CD40A37BFA5781FD32B31A778003A4F3CEC291D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings31.ce778919.chunk.jsMD5=43084A02682DA30CD19E3E811436BB17,SHA256=464ECD5D2216F5D4D6F5A0B6FB0B406BC62BE97EA9399048B35D9263081F9302,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings30.dc0ac2aa.chunk.jsMD5=621137B388E6A4B35C1560C5C92CD74A,SHA256=C1CDB9A2B506FEB35C97B88A29BB820319DAF59B2E42ECCB8596F53749D18A4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings3.32ee047e.chunk.jsMD5=62CC51E900740C3B424DD07F27C0AB61,SHA256=48753D475B39306F3230B206978932F0B45A625882429D3F272DABB2D4AC4AF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings29.8e8e619a.chunk.jsMD5=F5199CB4EEB0117E9C7EA169A9EFF550,SHA256=222B12539295A670C91030CADF30D2C8AB082486FF26AD1D4F38C68149CA631E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings28.8e4983d2.chunk.jsMD5=D4A17673CE04AE5D6B1B74E3D365F1E3,SHA256=2C879260A6165B6842C1BBDA413E6F7EADB6C0351E6D2780C710347DE9FAAB4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings27.3a2a2def.chunk.jsMD5=0BE771A7DFF113ED82945B73CF662E6F,SHA256=4861F803CE315023AA64B486B890594ECED0C1D5F1AD4D8CE7CC952BCC00B449,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings26.f5ed5bd0.chunk.jsMD5=9454FDB07B9DC66CB6AD41EDCF894D7F,SHA256=C535242D1D8B0F75E1A8010F37CCC21B3A5C3A71FC3A3E8CA1840446FF177B13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings25.e616967e.chunk.jsMD5=56934224A58411CCDA45FB05CCBF9909,SHA256=B4D52A6910FDC3D92739408072CABF9C298CC9943EBE7C6BE5A29C2E74B573A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings24.12aab05c.chunk.jsMD5=271562524E9718AA1E3538A207EED925,SHA256=E6BD0948E0ADE8E8C0B7C4684E7A745CD88A2407E080F326852F95E0EDEA2C57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings23.38116bf7.chunk.jsMD5=8157ED6D5C844B5F6954840350D0593A,SHA256=E594D98E63AB776272578A01A0E64AEA3B448EA79F808ECC2BC2DFF67E8F2B7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings22.f757d783.chunk.jsMD5=2A54031AB6AB994EAA88519DF93F1A65,SHA256=00730C8ADFEC5A773FAD4DD1F76361D31FFE9D7DF79452DD7E32DF0811040CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings21.3666540c.chunk.jsMD5=BC1DE5F00ADDF27B0DDE6DECF3D8184B,SHA256=F300E6A61EA59BC5B121848FDF96A1D2FAFF38C686AC6B2DFDA9AD3FBFCCFA31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings20.92dda362.chunk.jsMD5=171EDAAB8DAFDCA58C879E065575941B,SHA256=FBADB38E38BDD9141BB4CC4C28FBEE0DEEFC922D1F3317BBF95232B98C4DEB28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings2.89493f7c.chunk.jsMD5=FC3FE9C822F77D2DBBA06700C730D9BF,SHA256=28FB8BC774BFE24E2DD9826D26FD2DD79E2D6EFA71BC5638B393CCB9462B4AFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings19.a777a4f7.chunk.jsMD5=9992CE5DA96AE70A574E37DB2D683CD6,SHA256=EB08AF72A621C2925B08663CBEEEE58947ACF7EA63C8564DA1119ADF6951D8B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings18.3d89cc09.chunk.jsMD5=18ED8E2C40229D83B33BF0BF31BA5B74,SHA256=2BB8ADC8E12A880CE8BD85B7FA5D5D6D5D4DC487590EBC34F00CB5CAE75B2408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings17.0d63c360.chunk.jsMD5=23F5E3ED5C22E0801709D0EB8725A4A9,SHA256=1105EDE53D5F99A4DB72CDE6DB46CF11D633CAD30AD599440189B8D42E68D130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings16.18b5efcb.chunk.jsMD5=E384C45153C5766064699EAE619D4119,SHA256=16A82A6DC5D4E9759763AB9A82D31A15F220E6C6DBD1A31A3C4AAA72F9BD598E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.143{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings15.4250af7a.chunk.jsMD5=682AA7C38FB2AF42F3CBCC28D652F1CB,SHA256=310555B9C062E6533B1F41E3A8B07067EC0E3B28D01817B8DF11F80550B2DE49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings14.c2597563.chunk.jsMD5=763DD4D06227C17E2F43EF0DFC1B685F,SHA256=3FB0EA09598CA695D5082BB8B03236C9F4E878B8EC47131956255425823182B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings13.cae604fa.chunk.jsMD5=AFF8F3B4616E964021E74070DE3F2F5A,SHA256=25232531A5588A07BE24490B4965E0C727E46830FC65C9CE32DD4C126C0E0757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings12.3fe9429c.chunk.jsMD5=6413C75045044A435B81B6EA8D700321,SHA256=F50DB36E071D3016D73F560CFDB4E3D420F42F7D16B9B633F9C237C60FBF8BF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings11.3f97debf.chunk.jsMD5=BAE94C1010C15E2306C594F455EBBF97,SHA256=1889C7B7847A652FC30B24EA444BE8272C0564A746F21B8602014A2F52D29B17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings10.97db7998.chunk.jsMD5=1A44DA520D2999ECD2AC65CA4910050E,SHA256=1A2A5AC510BD7B3E4682A9C6556E8F20923D960BE3A34957ADD2387A0B7D25C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings1.172f26ca.chunk.jsMD5=86131CCF307F001324AEE52C21685C3C,SHA256=B9BBB8BB0142F658E80DC7F009826890F1341C4F48AD72A419742C0A9421AEB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\InformationProtectionStrings0.4de47085.chunk.jsMD5=0249860165E9FDD1FA743374680F7C14,SHA256=A4BDEFA9E50F858A7702564964949058F949374B354535DE0A5C08D509474265,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings9.97ced1bb.chunk.jsMD5=7FC1DF8C03098EA2F1BE994640AAB4BB,SHA256=32383CAC4D66F620C02E93236B47DDF3FBA47E00F95A1CA18441EB5A4D9FDD49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings86.92eedfe3.chunk.jsMD5=541857E081F2830BBD62BE752A67A410,SHA256=081BC3F911ED5246D2FD4D918DE78F47D62C276C368A4BB144A3E75BE0B37E61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings85.41850808.chunk.jsMD5=4806015BB2D1AE96B936C6AB73738A13,SHA256=AAB1F8F9BF8297F87F6049D0BEE56D728806BAAC7036E190576E3D65AE4FD132,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings84.5aad944a.chunk.jsMD5=66FD96BA043BB8EB106DC94BA951F63F,SHA256=689B7FCB64118711BCB560A6135EE1071C7340D515375D370A2AD8F9AF7F2940,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings83.aa16252f.chunk.jsMD5=F8DEC7B5D8EAC67E4314FBD99F8312AC,SHA256=1E6C0107586AFD6394B90AC9D2441EB1C7D1780BCE995BFDCCE6193CAF915912,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings82.a4b4502c.chunk.jsMD5=E171B0D2E44DC872FB1CEF59785B6BB4,SHA256=DDBFF24571CF8D2CDCF576883E2791902194A161BC12B1F38BC93C0E47FCC58F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings81.ec1491d1.chunk.jsMD5=BAE9096ED9B8922F0DF6382A7F2B812B,SHA256=F3FEF43E442715C5B1D02B4A71BA912C91177BB1242F80D64C9A34D3DDE8F4D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings80.4e9ff9fa.chunk.jsMD5=3FFD7478A62B0BB286A21E600732E9F0,SHA256=AF68DC2930D3B9550FBA672D6A99ED7F67F7DFDD5D13D90493DA0ECC65BBB34D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings8.6a59dc1a.chunk.jsMD5=D493F57693F16301054AE097381C5B0E,SHA256=0DD6F7D4A7B7DDD2C4EED1567F71C9B20623C0E914C55F73AAD40E5089C97BAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings79.2b04e212.chunk.jsMD5=BC32656764459F5D1F802C0D03EADFDB,SHA256=443C2F30F9C523220F5728E8C93F26ED39A1684EA53BAD9ED93DCB07DAAEC558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings78.edf25c29.chunk.jsMD5=9480D9512AEF8C8C3E977857269C01AB,SHA256=67CE7D671EC08EBAF97C28E84B869C5169BD0EC8731EDEF2AA6AC146F1CD287C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings77.4652bd32.chunk.jsMD5=63EB2F21EB13F55D671F493F43755FC1,SHA256=E1BB43DE7F4EF9162530037DA94D65EA6B7A335808371F0F4C8FA2DFD9BD0757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings76.cd1c1bae.chunk.jsMD5=EE38AEE8162D9780D579ED5DD4054948,SHA256=C1DF61B630D4416744419E429752E178269B025BE38AB459573E12E7C15A092D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings75.fdc4a1df.chunk.jsMD5=670DCE09D6C8BDDBBD919B6B884E90B0,SHA256=3D55637B7BE7B84212BF7B43FCEE2FF8113E316A5462B2D0AF52CB0AC89B9E03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings74.f203a381.chunk.jsMD5=F49C9137D801BBF137FB5A5BE475332A,SHA256=5DE86BEC1A47B03ABAB868BD7A3681BE93C75D3AB1E05D7B45601B2CA3DDA71E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings73.e31e3cb1.chunk.jsMD5=65C6D46EF520D93720C561D5155D2903,SHA256=3B631284153033009E00141711B3CFF786909DCD38937A976B487B97133AF779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings72.4508bb90.chunk.jsMD5=FA73C7AD1FDF67215F4BE23923DD5AD6,SHA256=8A92646AB831E4548F38BFDF9E6B9A075CBA6438FB54E0D1D60F6CF11275B967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings71.a51e8ae2.chunk.jsMD5=59F91ED142B7A13FD42F53C40B29B51B,SHA256=F68B9AE2819433324DF6E2D8B5122055BE6EAFFEBF9329064D93E60ABC050185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings70.7b5e2e6c.chunk.jsMD5=CE27AE5697B8B49F73215CCD1DD01212,SHA256=951FC5532FB913FBC9908CE53037FB95EE84563329C8C2237BA652B5A2A500EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings7.5f5fbf8c.chunk.jsMD5=2D6EC4BC652153465EAEDBFA2CB4807D,SHA256=21F063D93C66744E4A2FC4F5EA388CB8AF348722D923F5A42D162529CE6D7BD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings69.ea0ef584.chunk.jsMD5=9C111A55403A324E458CE7A59E96F992,SHA256=C6F152BBDA8B28985F16CFC5F5A234105F6ABCE77C1E61BF02D7C35B590C430B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings68.1c59415a.chunk.jsMD5=8CEBEFEFABBDA405F939025F1E89302A,SHA256=38520B70ACD53738E1A7695B4B1DF392CAA06C535FCDC2B5AC1D81A54E498F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings67.60b0c966.chunk.jsMD5=1899B2B741DB1FFEEFCAB8BED388C246,SHA256=0DA7563F7ADD2CCA8A4EDCAC63F401358B8314626AB160B23DBFEA20F2B7ECAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings66.d74859f4.chunk.jsMD5=B9A2230CD78256608FAB501CE4866CC5,SHA256=9E0FAB920D3715163F6C120EE8340040F83CAFDFA747F7392CF500F68811303D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings65.9ed1face.chunk.jsMD5=E42CF9FB03A37D902589E1CFE6202545,SHA256=5F9490E29E545663BA73BED332F7BAD5D40091E97F6BEEBD52891878D075C377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings64.3d4872af.chunk.jsMD5=3CB2725AEBA87DB8439E91111A884375,SHA256=3818778B6487CF63A7EBDCEAAE7AA01DE5408C91925EFCE19E4E7A80BDAF9E40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings63.1f97b072.chunk.jsMD5=81EA7FFE7155052D9432FA4625DF6D62,SHA256=E110CE81DE094FD93662279416B670FE7521BDC8FE72BEAA3F0DEC03BF0E8694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings62.2ec800ad.chunk.jsMD5=A4CD681F71CC68EF2BDBB0232E012746,SHA256=05738BA6A0091188C1D2B199529804E38ED69494FC3DF15009F0C70C647A5BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings61.c4e25fc0.chunk.jsMD5=92349AFB89F4805F952119BFE5F91E79,SHA256=47D6448E6A1D104985C6CB553B3EA6800BF91B8B149140103CECAA471075FAFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.094{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings60.f9a94ae8.chunk.jsMD5=B08943421B36477105135DB2F98FE77C,SHA256=2726635FF798259E589EE7D86BDB53110C15328CD24EF2A4369A796D31752A5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings6.349e90b5.chunk.jsMD5=920C9CC28E24241F3A8E34F63E15D842,SHA256=4180F715992C7B704E144D74EADB7C0565900C51F2760D396B3F6930ADCA0AEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000329647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:25.343{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50997-false10.0.1.12-8000- 23542300x8000000000000000329646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.088{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings59.299875d4.chunk.jsMD5=B750CA0615872F9D2658F28C60042FD3,SHA256=2566E84F8DD4540F4C37A855802F898E9658D2901A0A22E56046ADA966AFB393,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings58.78ab02f6.chunk.jsMD5=AAC77C86ABB3A557C864BDB823914058,SHA256=1CE712841EBAA26DA922731BD60B0C2D7CC6A93132E0927C6F6573CEE551F8D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.086{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings57.5c390317.chunk.jsMD5=2CCFFF74DF6AE28A81646C66C55EE732,SHA256=B2A3935472A0C654F99DD4266AD5EA2B1B5C467195AFCC038C5369EEA439F058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.085{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings56.c41132a4.chunk.jsMD5=350DE7BF774F27052C8B8142BE5643A6,SHA256=3C2B742FA86F0D0BD8573EF78C7BC203860A72718DE585F46872B98614F786CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.084{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings55.335c6170.chunk.jsMD5=36911563DB78AA7E06AE45D87C5433AF,SHA256=1FE902C866ED5B3B880D781ED422A87F219D51D0D7F3505D3A8997C1FA07DD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.083{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings54.517bfdfa.chunk.jsMD5=9AE773863C77598BB00A48D40E011EED,SHA256=569F3A83DA2C69B8D8F7A134601C4EB95F19D41C39DDC75FEB6AC26A4E160387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.081{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings53.87b66c67.chunk.jsMD5=809775F7DAE8659A1DDB190BA4927150,SHA256=0DF930176AFBD7A4CFBA586582D68DD447FAC8BF5B344D44B016B3CE97CB8438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.080{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings52.3c8a6980.chunk.jsMD5=53A6BB7E4B624381ADB7A06DBD3DDA30,SHA256=500B353A2B9BD7C89D9C1500E3D3153924D6960A18E77C7E59D7B4DB3EE8C7D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings51.abe0f3b2.chunk.jsMD5=E1D28D7EB57FAF5142DF9102192C8C57,SHA256=1D972AA272B835FA967BC7A2EDED32ABC2919AE1115584DDCC07A62A4DC62209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.077{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings50.1bc92436.chunk.jsMD5=54AC9A5BADEEE397AE6411F7F9C3297D,SHA256=42F9E4DFDCBF48E348F53D805017C0F39168854D4BDAB566F597BE10F38AA1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.075{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings5.dadd1fba.chunk.jsMD5=EA7D665BBEE4B0FCF9EB22C7D7DB3462,SHA256=7BEFC2EA0F750C5BA2DD42DB4C919012FB7C4438A216F9328DE71868C23E0D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.073{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings49.ebb9c817.chunk.jsMD5=21E494FD1758566928C6E6D6972871BE,SHA256=FFEADF997E3EBE3847634F7C53B4BFB8ED6B615F7FE33DF7BBC50A97D06B6CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings48.051e1c9d.chunk.jsMD5=81365749A7EFC425898D19A01F08294A,SHA256=838AC2C38A708DCCFEAA1BC2861913E5B99B985C5E64E2430BF18EDDE66BDF2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings47.ce197afd.chunk.jsMD5=50E95450E54C4D65FE122194081B0716,SHA256=8454177DCFA01334C1D6871EC60F170636C875D54E98307E89E07643333DD732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.069{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings46.47602e1a.chunk.jsMD5=A1E8FE713A5345E696EE84D6D55216C8,SHA256=288C8493785951C2F4694E85AFD66D54D6FC3CC20C8B53EBF15BFF18FE4A8400,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.067{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings45.10582fd4.chunk.jsMD5=F2E0612BE70CCCBD1BF026AAF937495B,SHA256=F6266F6486A57A9EF4422779B69900D60EE2375F6ACC1C0CF6FC279B4BB2D2D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings44.d3a1a0ac.chunk.jsMD5=9D46FA39FDB1B66FCC9344E0AEB9E47D,SHA256=10D00044939C2173F71A6BC367D788E15EC5EE5032587BCDC951B68B76D76160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings43.64e0bac5.chunk.jsMD5=66D7E1233D6165E374136281F6FA1B16,SHA256=238179AE20043081EB3849937CAEE14B59F7F4064C1B8BAF4014BD21D84C55D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings42.ecc74602.chunk.jsMD5=3FEBB8C0D6F8111CC4F047986D2233D3,SHA256=C46B672B8491013BDDCB21CBC39E8E181C2F20CB343C2162D8DC0C37AFCA72CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.061{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings41.d1d5ca19.chunk.jsMD5=13B65DB18A8C970B5397B31DC7F19EF9,SHA256=BE3D30791680D725CD7071F69715855EB8352A54634F8B8583C1C9E653C7A324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings40.336e918a.chunk.jsMD5=CB4207DAF5F0C58BAE97BA6475657BB3,SHA256=2AE51691B9B450E532FF80A53D225DF909C105DF3CF29192A44CFCDE41A76D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.058{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings4.520e40dd.chunk.jsMD5=BDAD8CE4F14DACE8E4B2E4CCA22299FC,SHA256=BF386786721727EB4882E8D8FAC180DC89FBB43A9639FE2787BC97AD7F349E0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings39.a647275b.chunk.jsMD5=47CB1F7E1EA36CFB572D129AB77B8678,SHA256=9FBC1D7A08742FE65AACD0FA6E6DA58736E6915C908CDE012BE46591060C5D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings38.cc4c9655.chunk.jsMD5=9B8E93E684452C35F252848F0B94793C,SHA256=FD6CB965D927E734CD93AC3B0BAEEC2E372749119EA91D9540D8E0E98F461756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings37.a419639c.chunk.jsMD5=364F929DE49C4921C9D1C75B4E15BD45,SHA256=BD37DB74A2AD3517E9D20779BF0788E149FA0EAD44A7CC2675F26C4204D2E6F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings36.04613186.chunk.jsMD5=23B7806E9A26F298EBD2A03F074FA95C,SHA256=C8ABDB9576366691CE487C04AFC9A74238B732FA4729FEB36D32F1B53273E216,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.053{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings35.d0ee54a5.chunk.jsMD5=127E8B6D79C6C661AB4B50BC880B3245,SHA256=EA0B26C8FCE6BFD4BB359B17C8E8E970DA7FEEA0335251B01236FDC655A57F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.052{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings34.05b055d2.chunk.jsMD5=F64D1498045CA5ADDB10C43DE37A1746,SHA256=FCBFC399B2998510FC577286CDABF3850D37633096AFE991F63C3AC63C4455BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.051{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings33.09cb9c80.chunk.jsMD5=2A7150196A9C4437D25D64FE21F26E3D,SHA256=2338BAA8CCA15ED85C77E803087A614D2F084330FBF9CA46B66FA05F90D7F5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.050{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings32.902a37a1.chunk.jsMD5=BC32F0CDD82CEA434947A29279A0CD83,SHA256=FD265B405CCED130AC41FA9ABF4BEE98A72ADDEA822C61C646395DFA7A108A37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings31.d0116676.chunk.jsMD5=81E23427EFAA95E2666C26534FFC12B1,SHA256=9776777C601829D43D5CC40D9A17E696618336D1DE48483714AE37568CBB37A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings30.e393fc52.chunk.jsMD5=441DED4DBBEDE94FF03904C90D8D4EFE,SHA256=FA1B23323A7F67556CE26E2D35E8EFAB20ED2B550D9ADFE3EFF43A3FD85880A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.046{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings3.684dbb63.chunk.jsMD5=414EB160670D734D72BEC18E12BCD11F,SHA256=F2F9D58B14C0024284F46A4A300EC2DF89C233B58B72248AC23F3736040B1F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings29.6875a8c2.chunk.jsMD5=59B9546DA2B3E2F0C751BD0666526367,SHA256=70E21BD1F69454E9567B42002C104EA03477D17FAE8EC85B61618B79877E0B35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings28.69405242.chunk.jsMD5=A43AA753F6938483E6EAF580E330B3A6,SHA256=7ADE4DAF8EDA0C211900F7D973E6CC6ADC7E4A94A1F01F38D2A98D81F1BFAD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.043{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings27.55bc10f7.chunk.jsMD5=C2E6F14E499D42194A2537121338A695,SHA256=9AFF019CA219EE167AE13177D9843CC725B25BABDA9DEF56887A4A8D963B0DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.042{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings26.57c2ff8e.chunk.jsMD5=BB4474EA299E5CFDFFA45336F4670D6A,SHA256=0FD448C38E609485A3EBA7D13E78608D3DB16C3A97ABA728F021D7779B285EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings25.9fc05f89.chunk.jsMD5=9898681DAB02D48D82A53026F4E607BB,SHA256=96B91EF41B3FA0EDC477A3BF5B01872AEFC680A36797F6B7A2A4564F1A9B58BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings24.d5fc4f53.chunk.jsMD5=7B69C69A711B093A81246CBFA5B1C797,SHA256=0E74CD3A61EB331E88951D5833B0DBF80342E93309C912823C7A410744DC39F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings23.95062997.chunk.jsMD5=A1F44ADD88AC0EC5BEFEF2AE755552E2,SHA256=8DDF1C9D59D8DB1DFCA9D32452A5CBF6A9AB440EF9897886A8CA5D4FE10703DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings22.66040d24.chunk.jsMD5=F4AFCBFF68CF6992E1BC0F463ECD7411,SHA256=43DC51A692AD70062819B92AF7F6821A82C742C88081D5D2EF8998D5E94B2A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings21.e866b43e.chunk.jsMD5=71A99DD02F343986B262A1657E452428,SHA256=DDF0A364EE9B3CDBFAFEE1939A54DD735AC532F0695D9CA9CD77B22863E439D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings20.9f875cd8.chunk.jsMD5=1D9CDD9775919524B6980C0F3B2C354C,SHA256=7D72EAF263A2F15E3C3071A8659C6D462C23018B94C838603A9936A103505414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings2.dd23d09a.chunk.jsMD5=C257E12DC2753815D57AB9F28232FA41,SHA256=1C2FAD0276BBEF5F0E6278DB5AEE994BF0D7D29CE1B7D09FCA0E1DB9D8717FA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings19.3d0ab4ca.chunk.jsMD5=17D4DE87F4F89EF1D222ADE2A7A613FB,SHA256=00AB7E82E973361BB0A5CE593C3DCBB730430433FB21AC228272EFB6171186B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings18.17c36986.chunk.jsMD5=DFDE3414A407FA9A5E3091FD349AD247,SHA256=9CEDBA765EA32E26DF5AAB9085FF4BE4CBD820BAE9E2DBC7627310E3F31CC8F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings17.2166e22c.chunk.jsMD5=27971888F83888365ED0AC4D4F9D9A2E,SHA256=2AB95FA3141CE0BFD58979195250F9DB5DB5334BBAC2C6D597111B9603FA2C07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings16.083440ba.chunk.jsMD5=DD7BE23A6243B5837693B8D387E5D294,SHA256=A410A6A04960D61AAEAB6204A7CB78E61C7BD0BE1981BB78F92676D79AF13A8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings15.bd41c790.chunk.jsMD5=7453B424D44B466A3BE242CE6E79225A,SHA256=B2F3AB257BA34220086E42407883BC3C58ECE7A2AF5D3972DA98CB968E624715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings14.6a68a6d2.chunk.jsMD5=770F9C95FAE4A3BC24EC4D61A4332BCE,SHA256=79E4CB5B39EE4EECCD7A26172E9148F226BA64761F88AFD1E89AD5D6B4BE9F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings13.1750a1ee.chunk.jsMD5=DF5506E906B21D92EFB4DEDEDE9A3F91,SHA256=B8A27D7A3D877ECE732BF1571C3CB19133F7981381ABB672A2855BBA6B8FFD46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings12.a0aa7760.chunk.jsMD5=847EAD51F2EA4706405D573CE963A3B2,SHA256=26705FC439FE1B7C0E685A2BC321FD6AA7BC91EC857E71A669D097FEF2273C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.024{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings11.cf5a19c2.chunk.jsMD5=4D987FCE604606E9B4746AB4FBE45560,SHA256=5F6069FCB90AAADC288103437F29AC876D1474BB65B2C4AEBE7F676CFAD9CC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings10.0ca33e69.chunk.jsMD5=4E87E43DED19AADCE11EB503749EAF87,SHA256=A926B40408AD8C814D573CE2174A99BF1B5DA4329156FA0D7E311BEBC90A758E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings1.1be7df3b.chunk.jsMD5=8BA9B14CA36377A0CA802E6F4CE26814,SHA256=1B28E9FE83136655A66562AEC8F6196D4CB5C9E22ACE1501726E45776E4720E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostUxStrings0.5f1eda35.chunk.jsMD5=D935C2F872B78CC21243BEFBF3B75D9F,SHA256=676BFEA0F394EA4E21319A1B670B6C062388B658DC1606E639A7B054C6C7926C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings9.bddd27f2.chunk.jsMD5=D3AFCC4CE5D0DB78F4385C95F4A91B68,SHA256=B4FBF2B9F902A78E5B2A326620732F3EA815828D6C34A75F2FCC91560BE3929A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings85.0b972d58.chunk.jsMD5=D9552BE1374214D5B2E05E74A74E2D61,SHA256=68E231C55E6A0B77BBD3BED2321C6BC3A22E8CFAF7778F4A99706DC93EBDF098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings84.fda6dd41.chunk.jsMD5=7575E02E0723A13B983FCAB5F6FEA769,SHA256=56CFF33AB577E89EF6BBC573D202232B3446488244DB90788668810796CDA8A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings83.45ddb35b.chunk.jsMD5=AFE7749744925F2C42E0C0E62FFA376F,SHA256=AD26FD8BA4F0CAFF61124268DF271F6E279E3DD0B3D4D80BD4C8BD43B2AD6B54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings82.c3a11bb6.chunk.jsMD5=CAFDC3E9A24A0C3E870DB4DFB55676DD,SHA256=AE4F047CCFB5BACA64F10E8B65C4E752A35AEC1936AA64BAFEFF01FF94B84F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings81.8eb669b6.chunk.jsMD5=80C351203E383D74A0FBC68D6A2A47C3,SHA256=E937D5C029D8A52D81B0A81DDECDC57E95CCABAE4E87BE46FC372FAF0F805BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:28.008{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings80.6628da07.chunk.jsMD5=0338BCC02F4CB9351CE802586AD3C225,SHA256=4A2EBC23C01DB1A94E23B3E9D29D76E3870A5627A57CDB77AF1A314B4EF6AA99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings8.b1982dcb.chunk.jsMD5=A73AA8286ED678EB44343C268B6E6755,SHA256=D58861678C32C4FDA8E9B999E8B2CE64B44897795FA876BD95CE06DD4801B70C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings79.0aa728f2.chunk.jsMD5=93822340E659E353C7CF3E97A6F06B93,SHA256=B0B3021F23A41FD73274B67EAFF8AC224DB47D1FA8C39EF01DF8EB2142F98F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings78.694f0774.chunk.jsMD5=3FB642A5A3F171BA9A015C6A495FC630,SHA256=BD3F5FE0059C23C30E76A8713F330C7598E5C5B7C1856512942DB0B34FCE4F08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings77.7d0d924f.chunk.jsMD5=9F80D4C80E1641931AC77231D6079C3A,SHA256=1BD3613A41DF33F7646A9B46DA4828DEA760EEC8361D5AE490E4BDF6AFBCAE1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings76.7681e87a.chunk.jsMD5=914D0ACB4F75AA375B9F40078B4E0D51,SHA256=CA94B39694385E64C22E3427D5DD708A5343F26F2B366CBC3561BF69471E4D49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings75.c209a55b.chunk.jsMD5=61922D6F54B7EBC761E26B456D485302,SHA256=CDF161A74E9A04032CDAC8066DC7D6707F7664F7226D048F357D37BBA98AE8DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings74.70f16305.chunk.jsMD5=0ADF8DCCD4B3043B63021057C573971B,SHA256=D069A18B18A17056C722866D835B351084133AB8AE3CD9AC0FAEB6609F814302,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings73.adb9da58.chunk.jsMD5=4CCA4BBFE4A0D0B8D281D38E1B6FBCD6,SHA256=CB33ED3C45907FCF5D64B93B094F67C7B5A2BA295C66D3CB608E01BF9C97CF4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings72.ae7f4f0f.chunk.jsMD5=D50C99C9E78CABC59F7255A3F33B8C6B,SHA256=84530D2D604C0F1DEFA2FB191CF94D0E3C2F4EDD5C4B0645A8274C3D871386A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings71.f64601c7.chunk.jsMD5=97E4CF6A266D5583B1D7C2882DDEB720,SHA256=852BC2D310C8DEAFB1B67DB9850AA892095C7D9F1C3D4A8E9F5DFE8670524E3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:27.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxs\FA000000084\fluidhost\static\js\hostDefaultsStrings70.02ca9512.chunk.jsMD5=012D08DE55669D992C06062062F71850,SHA256=CB4A0933ADFC66716A71A520023AF93CA04AC3A8DD93D83B80F3A7B36C838407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:28.878{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DA8CA536E1A02E49D0AD88199CE09F,SHA256=2EAB1C5F81724DDA708256B0A7CDBD4A1581705D2AD39A0299080C6876EC0FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.378{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excel-udf-host.win32.new.bundleMD5=37E76885FA6A967DC5A7E84AFB326BCC,SHA256=BE3E59FA645A45C15D3A053C7EFF056B71B1428598B12977A00DF39C520C2274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excel-udf-host.win32.bundleMD5=F5823BE43F9E3E6D4B4C6DAC80998C20,SHA256=BD9C4DFC338F683164AA6E7EE3D9C526D3FCDF0479DCEF19BD17F30D70817E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ENVELOPE.DLLMD5=2C4BF9AC0578FEB06626C927ECD81F67,SHA256=4B13B2DCD098B93F0E2BFE51A64C3F41B9ED0301C44F5D6C6DCB34EBD5C89EE7,IMPHASH=03BA28DC7DC3735155541081437904DEtruefalse - insufficient disk space 23542300x8000000000000000329893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.362{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityPicker.dllMD5=3B3B59FE0B23DED23C17251BCDE7ED02,SHA256=2C3152885C025E63ED9F47A49C54021F3C33DF41C37A0730B4846A84B92B6063,IMPHASH=060EA567D97FBB9594718DBD494D6575truefalse - insufficient disk space 23542300x8000000000000000329892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityDataHandler.dllMD5=FDB9A5E8D3137C2148863B5EC9725DA0,SHA256=62F07A3E70700507778CC05DA242230D22D66DE9E558284B14922CAB9D2880C7,IMPHASH=84C2899CE623F822F477A7CFA5BC8DD9truefalse - insufficient disk space 23542300x8000000000000000329891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.346{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMSMDB32.DLLMD5=2F03291D74108A1AFBF5DF8E8777CBBB,SHA256=64CF3C56505B8B8FE9E5DC901FF0564FA57F6ED42D992112DE0B695AAD827A99,IMPHASH=86249E6580A73575AAC7AE87213FFC34truefalse - insufficient disk space 23542300x8000000000000000329890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMABLT32.DLLMD5=314C228FF59F8D1D9AFDA9E83B594C26,SHA256=636D9568B54D1C258ACF7406B4DC55405EC3DA8EC06244E1B4BE2685A39D38A3,IMPHASH=88F79405B6EFF57DD7ACF16523D547C2truefalse - insufficient disk space 23542300x8000000000000000329889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.268{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DLGSETP.DLLMD5=8399490D762EFE0F7F863628522684AF,SHA256=A84AE97EA69BDFB45E1ACBF711EA8E511B5069109AE81CE05537AD8F14721C07,IMPHASH=6A98D6751B7AB3D8C3C86B490EAC9FEFtruefalse - insufficient disk space 23542300x8000000000000000329888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DIFF_MATCH_PATCH_WIN32.DLLMD5=7442DD0E5491F8E4E957F464A2BEB956,SHA256=1D7D2DCABA8CFC66EC8909982239B9C260E011F70585629880F9628A52A6F007,IMPHASH=9AF387F4B4286D9C94E553CB7A4BB504truefalse - insufficient disk space 23542300x8000000000000000329887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGHELP.DLLMD5=05C35BB1ECCD48074FE43FA7AD5AEDE5,SHA256=2CEF144C25E0AF97F53DEC368D299D06F9B2D5BE0FB057D77B8E18CF618350A7,IMPHASH=5C256C275E3EB107999F286EFC9FC131truefalse - insufficient disk space 23542300x8000000000000000329886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.237{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGCORE.DLLMD5=2F65B44ADCEBA96E045A0B45FDDE5352,SHA256=EF66084434E77A1FE45001085949A8F20E873431EB6016856C55BD0DA7C3D6AE,IMPHASH=1931C583747A3AFF6555664A0BEA87DDtruefalse - insufficient disk space 23542300x8000000000000000329885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Custom.propdescMD5=FF4E7C50EF8D79478C07DE965C15D97B,SHA256=FF3187DD37533BAF89C73F66CB4635D6327692745418620B252957B86C33FD89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000C.DLLMD5=48156D6299C03825E8B0B93504A1B10F,SHA256=9EA08E2D4E47BBBBB0C141E0949CCF0D25078DD65DB9336BF5AF702381128782,IMPHASH=ABEAF887797685E51B5FB1F4C9281E34truefalse - insufficient disk space 23542300x8000000000000000329883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.206{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000A.DLLMD5=44E14BF84E917400B46838DFCE05A4D5,SHA256=CA2CBE03D3A69BA1124956E6D04CC4EA72A38EC7832ABA4CCA5DBC83F5304558,IMPHASH=34AE1E3D08CEC9EAC9A64955D6218BDCtruefalse - insufficient disk space 23542300x8000000000000000329882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.206{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA0009.DLLMD5=CA7786586004D2D55DC695ECB40B08F0,SHA256=79ED26A73D363B60F70E6DED10BD801CCAE3D58CACED57BEB7420EBA03073AA6,IMPHASH=76B88A6D7573769DE4A840354693859Ftruefalse - insufficient disk space 23542300x8000000000000000329881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.190{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\csi.dllMD5=87D467122D3506980CDA15193DDBA138,SHA256=14C8B5B09B4F317A485FBDABBF10C046F46A3B90E3FAA5CD2B8EC9FAE3E8D176,IMPHASH=A0D559FCE1591D5C2BD7FC857031BFEAtruefalse - insufficient disk space 23542300x8000000000000000329880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\cpprestsdk.dllMD5=82E82EBE6DFF0FC52AFBEC0A198C52C8,SHA256=5DCDC5DDDE419083F2F2A0FF1F9CB4E462D7913C93A7B27F179DDB497D317F70,IMPHASH=6A63EE02ED57B1D123DE31FD247F391Etruefalse - insufficient disk space 23542300x8000000000000000329879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Cpprest141_2_10.DLLMD5=09E1D49B9B102D7EA0C530098CAE7E57,SHA256=9AB67184668442CB43FF35415461AD80228959BEC39C6017B8DFAB91039577EC,IMPHASH=6471177CCD4C7B952B1B0333988E3777truefalse - insufficient disk space 23542300x8000000000000000329878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.065{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONTAB32.DLLMD5=9743069F1BABA12FBF3A370C6DD4C101,SHA256=D87B32BF374AB0682FFA207ADC625D34573A1203E4017F021F966634CBB7FF30,IMPHASH=B8809EBFE3E902ED6D037C72D61F4C0Btruefalse - insufficient disk space 23542300x8000000000000000329877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\concrt140.dllMD5=D1BA293F1D7BD7B38DB8953821D42E9B,SHA256=B3FDB569B567C2B82369C1DBBAC1B6C5BBD74B5E03D2357491985BE064DFEFF7,IMPHASH=5F9B23BD4B0029001F687A1AD625BE31truefalse - insufficient disk space 23542300x8000000000000000329876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CommunicatorContentBinApp.xapMD5=6CE331BCB7125DC7E026F93DCBB10E13,SHA256=B2DE487FF84D520BA51E299FB44E879A1B924C63F538D47B3A006D53AC9AE032,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.034{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CNFNOT32.EXEMD5=9769B8980D624345AC24F7410814C4FC,SHA256=80CD3892019E8AB4465BE617A7D5670F1F9C6E3C54A59CAC24EB8F1F947F8F02,IMPHASH=CACA75BC7C30161187865C5490B70EDEtruefalse - insufficient disk space 23542300x8000000000000000329874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.034{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CLVIEW.EXEMD5=65D2A30619947BFCF91588CF9C77457A,SHA256=25B93CF2E6EC0F20BB344B4A0BF7D849DE5F469669951AEA30F806E5C4C97BD7,IMPHASH=08ABE27A910F6A34935BF032FF0BF8ACtruefalse - insufficient disk space 23542300x8000000000000000329873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CHART.DLLMD5=975C725D12FF09B9494A0F9EC6F0E77E,SHA256=24EC093C2F2E8F0CA84CF2C66A97AF77982535722506713E5AE404A2EEA12425,IMPHASH=F3EC1F7E2438B07C15EDED91C1E51CD6truefalse - insufficient disk space 354300x8000000000000000447983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:25.905{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000329934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\JitV.dllMD5=5271CA3ACF62310283211CBF3974D261,SHA256=71A53391366B9D1F16837035934E6320ED76D12C968E415D8B98846A44E736FA,IMPHASH=6CEBFBCD9DCD387161173B63820FDA94truefalse - insufficient disk space 23542300x8000000000000000329933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IVY.DLLMD5=D826A40FAD60E491AACFC4478C8292D0,SHA256=82011DA38CD8593CF6C410D90B730E02F750B225F871E535319E0947AA16B4F7,IMPHASH=66FA6310C6E3D927022D7CE5228F068Ctruefalse - insufficient disk space 23542300x8000000000000000329932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.956{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INTLDATE.DLLMD5=D7C0820A304F4F98AE7FC7BAA12C4095,SHA256=CFCF86D4208CEAF6035E7B5F0E63674A019E457BC1ECB1BED2E3DFDC8C9BA15D,IMPHASH=5F715337DCFDD17BBB9694B3D2811CCBtruefalse - insufficient disk space 23542300x8000000000000000329931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Interceptor.tlbMD5=6878D34A6CBA765CD81005A3B00EF707,SHA256=DE314DAE411D0188EBAEF88F9AB4609AD1F1BF910EF9A1D42E93754BA4612C80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.941{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Interceptor.dllMD5=E4291A78A4CAA9C46D4A672404561ADB,SHA256=01D2BA374BAFBEE8EC5C395CC4EF07498430C92CE354A988EE25C6759A8F4471,IMPHASH=8282C31C004663F8737B8555F1D86CBAtruefalse - insufficient disk space 23542300x8000000000000000329929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\InstallerMainShell.tlbMD5=3E2019020F3EDE610D06BC7FFEB1D15F,SHA256=CA3AEE055676BFE9193B657C7455D474173886B1C32D8CFD736FCB6DAFF0FE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INKCOMMENT.DLLMD5=2326D8D87FDDE8BCF769C7A692AEAB4F,SHA256=865BD0394EAD0A1B17865EE577F4BD00D3EF13364510A9FD3B9A516A02512349,IMPHASH=10F756351759820DAF14CB4C355C76BCtruefalse - insufficient disk space 23542300x8000000000000000329927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IGX.DLLMD5=862C3B26D72B4F0764150433E4FE225E,SHA256=98D209D0ABDE584D972C16C74C4DB8941011703BCE092C6BAD71A285532478C4,IMPHASH=EDC3722FBBC6B7ED5FD2E00FEC26D976truefalse - insufficient disk space 23542300x8000000000000000329926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219C85E83190385E80D1A7EC3609D99E,SHA256=4738AE0CA64E27C283C07058EA728EE81B942990977DDFAA88237CAA15430506,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.878{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00F2B6A76FA264AC1893B93C097A273,SHA256=F6FCCBF66E9B0961D62D2B5E1F6EF2131C0B80D05DAD6A7EAB0D0912256021C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.816{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEContentService.exeMD5=2F0B69DAE24A40B64569E7636889259C,SHA256=B3F01AA7A1CE13019AE43725BCA6134E6ED2467B56273CBF8008292368BF6290,IMPHASH=D07BCACBD8932A30A702B9F20D88E793truefalse - insufficient disk space 23542300x8000000000000000329923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.800{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEAWSDC.DLLMD5=4D5736DFC815A1A6C9AE443DF7A57FD1,SHA256=1B44E5543A8A3CD38390851340C6DF1CEFF7A6615701530D3CF451379F2FE36D,IMPHASH=906C760D7FC89A0E5170B22EAF45D59Ftruefalse - insufficient disk space 23542300x8000000000000000329922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.800{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Httpproxy.DLLMD5=91551E4C612EC6927C203A378F7B0F24,SHA256=47A86C39C357A5EFFDF59A1B00718CC59D19B2EBF0ABB12AF3E74C1814FC96DE,IMPHASH=3ED9A5B38D82DAA3D28DC8DB14126F45truefalse - insufficient disk space 23542300x8000000000000000329921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.784{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\HeaderPatterns.xmlMD5=8AB5D0B5E28A7980AE9CA122E53C8AF0,SHA256=2D3B3C6CB53400BC52724F507765C2615857714C9AF776DC67724F14AFBFC82E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.784{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GRAPH.ICOMD5=58F5AC079150EECE385C296FFB565A16,SHA256=69C12CB174CCBBF92B9C39532B576703BC058C7FD3E58F28BB723621F64D687D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.784{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Graph.exe.manifestMD5=7E17F50610A8DABF778C8E85BE6732E7,SHA256=E6931444D54811A4FCB103DCE9696C174D5D5C790CE8C8B147259CFA6FDB4F73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.784{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GRAPH.EXEMD5=B778CD7B722A566F5FB8F380AECFB9D7,SHA256=81933BBF5D0685F9B80B92139EB43B37A30EA99ED3A00F7ABE2F43133C8EFD67,IMPHASH=D2896EF6AE2FD1EFDA3C0D19B0FFDEE7truefalse - insufficient disk space 23542300x8000000000000000329917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.739{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKWord.dllMD5=FD12F83F80F4CD65AA4750FDB090F0C4,SHA256=1EBD6F433B7868757D44182CBC4E47FBB9DBF2917BCA646CDFE8454E36B4CE89,IMPHASH=72DB77715B7FC13866FE74E5ED344976truefalse - insufficient disk space 23542300x8000000000000000329916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.701{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKPowerPoint.dllMD5=26BDB3F2291BEE7CA3147C7F3570AD7E,SHA256=770A7F5D108CD689619365E50679285E4BC7E22AE8EA085796CDA50E5EC0C117,IMPHASH=A7D3C9508CC11391EBEC95D0835FCDF5truefalse - insufficient disk space 23542300x8000000000000000329915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKExcel.dllMD5=B10CF43D829877B1E9BBFA1A317C5F5D,SHA256=0AD92C79F9FE1417CB0046454726405C485B8C5E63510FEB71E29B6CC91705CF,IMPHASH=410262A758E11A883EB50F621C02BB96truefalse - insufficient disk space 23542300x8000000000000000329914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GFX.DLLMD5=B7C3325F839A4B628BAB49A52496F714,SHA256=DA936052932342813F3E1CB255296CACFB4384086DA902667F03ABA45D943914,IMPHASH=FF010EE8DC1B0AE63BAD87CCB05BD396truefalse - insufficient disk space 23542300x8000000000000000329913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\flat_officeFontsPreview.ttfMD5=223C778C0F523A926D4AB55E9E9774C1,SHA256=FE8EEF60CB59D4369A956AF3D48E00681E3003F0F7CB966702041101248FAC55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\FilterModule.dllMD5=CD4C9D605D186B0EE1C3BECE93D222ED,SHA256=883C90C869C9459BAB05C0A7AEAAD25D05BD15B48D36D669168562CA3E7E8520,IMPHASH=CFB3CAB1C0397A67C80B55D28F8C3BC1truefalse - insufficient disk space 23542300x8000000000000000329911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.523{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExtensibleApp.xapMD5=42711D2F00FD081E237EB1CD1F7D2B1D,SHA256=B50FB1A4BC5A77911CCD0B18C13255B3FBFAD7A4E605EA1C9891A2EA306F4D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.523{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXSEC32.DLLMD5=C9AC4A561AEC716A71D81D76130D72C4,SHA256=120F4E7CBE319F99F56DD01C8B2DA1300F05C040F10AB885A6EFD3907C33B5A2,IMPHASH=87BC819099D3B314A1CFD9AA145B4A01truefalse - insufficient disk space 23542300x8000000000000000329909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelInterProviderRanker.binMD5=D4CD9289C489309764F1F2C982AAAF8E,SHA256=C4B44B55C88110047A170BF0483ACA7F163CB967D60D9F8668CB9CD98D634A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelFloatieXLEditTextModel.binMD5=504D640A9E3D7BF31FB5616243C0BBE0,SHA256=37D5ACEB3E69B44BA78D5941DCE309B5D5197DCBC65814B0226A1A4BBE1C9657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.492{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelFloatieTextModel.binMD5=844D7A4173E5706173AE14047D542080,SHA256=F7EC6BA9E8EBDE61B0482B2285B46A6640CD7915590BE3AFDFD924EFA2A98647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.492{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelCtxUIFormulaBarModel.binMD5=CF638D6EF9781FE8B55973753222058F,SHA256=EFDF382DC1E818F9260B0F52CF42E2838301843907481B1A7417C56749B7B378,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.476{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelCtxUICellModel.binMD5=92C2F3875DC59C5EDE031DE960939C1B,SHA256=0D702E6E47255DBCA78DC56CE90F0BB0B9601615D859690EB13E3719E22C58C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.476{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelCtxUICellLayoutModel.binMD5=0BC827CEB20A635F5DEF2381F820C529,SHA256=193890D277885E579AFD418B7E013B99DF5DE9CF97C4AFA7BFD60CDED87FAB95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ExcelCombinedFloatieModel.binMD5=398DD84EA4D4BFB3B64D3E1D90A97CD6,SHA256=D8C8B378E854BE4F33461F169F07695C73A5090CD0EA169ACC07C2096F48ACA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnvpxy.dllMD5=5B58FC0DDE7F0E796107E974C745AE06,SHA256=9C3E4E20D9A40176561069BDD3B57660F988DD445169B2F28A4C6766FD2E813A,IMPHASH=C5B9121E9C28864C0F13BD6EBF65A054truefalse - insufficient disk space 23542300x8000000000000000329901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnv.exe.manifestMD5=995BE83D132F5DB1F821301081B4D609,SHA256=AC75ACACD6BB3EAF0329B2C363FC27DB590A56ADEECBF55FB42287707859344C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnv.exeMD5=972D05469F868E261A69817C237DB96B,SHA256=E337D0C2AD0B7736AE74845487031B37A14586E972AE18B0FEABFCB61AEFF79D,IMPHASH=6BF34146B829F7483835AADC59A97ED7truefalse - insufficient disk space 23542300x8000000000000000329899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXCEL.VisualElementsManifest.xmlMD5=0D5CBB46753F4B7BBC87132D1EDB3F6E,SHA256=99CD9080624DD82CEB6F11A2994EEB551F8C871ED0A0E27A425CF4D2F6CBFB1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excel.exe.manifestMD5=9178C3EAD58DECA246F4B4226E74BB94,SHA256=17E1F0A17547EBE4DCAA7895B268CB35E364453497D6498C4785ADAB88B25581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:29.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXCEL.EXEMD5=6DD6E94C52B829DCD61EBC30304DAD26,SHA256=366D3E7C19334FF0A50BD3F5C854412D99E868A51FCBA8C60D48B9E5CB647C82,IMPHASH=F39368ADBCDCF3C6294D6ACF0822BCAAtruefalse - insufficient disk space 23542300x8000000000000000447984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:30.086{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CAE25CC959C8975D839148986E0D63,SHA256=25CC5E992AD1B1679A6981842796F40BC3529109E96367FB6C595940932380C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncDesktopViewModel.dllMD5=7461EAEBD196E7ECEAD7D71FE34A1586,SHA256=B7538F10166400AFA92921C3513EE87F33173653A8D1413AD4D3AADD36A1A091,IMPHASH=833A2E0F9AD28FC9877C9C60F1041168truefalse - insufficient disk space 23542300x8000000000000000329943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.721{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LyncDesktopSmartBitmapResources.dllMD5=98A71908DA7F9C8A7880001AA66C4B5A,SHA256=4EBCD96A79E90EF9DEE0F8E8E1FE38F25D95C7C8C3717548D34FF1FD639C55C7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.519{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BC4EC8C4F292951BB3AF16998C13C8,SHA256=8EC23C58E149C68A729720A369F8A519317A840E4E687ECED066692B16996B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.503{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357986FDF6C0B84FAE5A35A95A14869E,SHA256=387740B6ABEFE3C89E0984134CF802446E97A6669607C2F90257775639AAE11F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.285{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync99.exeMD5=58BDA704A5757FB4CEF85E0768C704BD,SHA256=0CFA8E6CADDBAFCE4D1668FBCFCBE10CB044CB3DB6A1505BC382BD73F327278D,IMPHASH=025F4570D37957921137A491DE8E5951truefalse - insufficient disk space 23542300x8000000000000000329939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Lync2013_Third_Party_Notices.txtMD5=B676D02B436D28C27995C932F5E034C3,SHA256=2A59AE24694D01D50CD6B5D091E4152678757CEE1D6E8565E4F5EC0E6AD4B121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync.icoMD5=0465E28CE866C584259405708CC4EA84,SHA256=38F3C06CB942C9FA1F2DB4C5A041A3A5AF4ACD604F1E182944C296A4AA9E2EBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LYNC.EXE.MANIFESTMD5=A22B6D2588A3A10FCDA1C721A0570E19,SHA256=BBC991021A02101783F47EC2FDEEACF025854E79FB3118D522544550CF1CB7CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync.exeMD5=C952AE874619DBF9DA4B29119D753837,SHA256=96AA6DCB150B641F2CCF98129044260253557E6099ED190865D1E5FA1879E2EB,IMPHASH=E5A517C3FF2AD4D0767D6071070E1331truefalse - insufficient disk space 23542300x8000000000000000329935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:31.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lpklegal.txtMD5=3B1BB6749A9477F25B5DA6E7C8C3E4A3,SHA256=B9AF08A71D3D922177F94514345AC507CA1AA9D30BFC9CF4E7E09E233E1B6736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:31.184{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9FD33743448401C08ACB43F372366,SHA256=1DB2AA780D4F66C686595BB00A0193F5E255BB312C1665D5CE432D0FB4B0E84D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.951{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOCR.DLLMD5=6D7F8F3AA9B3ED3D50BE58CC97A89951,SHA256=ECB80A1427E38AFFE9D01B2B3CC58B8A55DEA1505F518FA969B2AFFAB343DB33,IMPHASH=13D8DBF10ABD6296A8CA238BADA9C4FDtruefalse - insufficient disk space 23542300x8000000000000000330003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoasb.exe.manifestMD5=0EDEF786FC6040BC0DF05D4A16AB0165,SHA256=361FF22EBDA2976E3FF486ADEC9B7E10D77F5CF47B296EE1C5E166D4C29A9702,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoasb.exeMD5=CB1477EBBEDAF2886E44965479F8973E,SHA256=A972B6F097FCA24200E5B694A10676C28BCD4FB3F0680A5D1775B57DB4740AF2,IMPHASH=51007BFDD2569F467010720E09CEE0E6truefalse - insufficient disk space 23542300x8000000000000000330001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.827{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIANEXT.DLLMD5=D4319A00FD502CE0AE1BC860CEF9FAAF,SHA256=6671A5FC4180A309EC0E7CF571D482536624A5E618C770488FCBB62C9D1862B8,IMPHASH=B781081738FD8F0F3F50AC9339F5C8A7truefalse - insufficient disk space 23542300x8000000000000000330000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.827{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIACAPI.DLLMD5=6F64DD605A26D26E9195877315435546,SHA256=3D7F9463D2366817403DC9705018C8C8AA30137BCA20E3222885A8BDDB9DD092,IMPHASH=B14E768760072E31418E18EDC2139F31truefalse - insufficient disk space 23542300x8000000000000000329999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.827{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIA.DLLMD5=75564977CF8CDC2E5C96F103C86EB9CB,SHA256=63A32E010AB8629FB4C824FCF1369BB5E1559E985DAE268E9B14F0F72E5251BB,IMPHASH=3C62E64F4FA55D0D5EC0369D6C8E4DD7truefalse - insufficient disk space 23542300x8000000000000000329998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.817{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoadfsb.exeMD5=08CF6F10CB98B4E72A5D80D3032D1058,SHA256=567231764F5D9BF93D1FBD76F4554CE22E85BEEC45BA1C906654A9D32DBE4E90,IMPHASH=A3AACA080CEC7446BB6F9B114A2286E1truefalse - insufficient disk space 23542300x8000000000000000329997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOADFPS.DLLMD5=D684FDFC8D7C40214454C86B8519E643,SHA256=DD0EA8C4D4CE77825F533192C17869662EDDE942C5B6D79B8EEA1528E64E600D,IMPHASH=854B79A571F9C1008CEEF0E5A95B7995truefalse - insufficient disk space 23542300x8000000000000000329996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSO0127.ACLMD5=710C7F4F02BC6A59916C5933DCCABC09,SHA256=1C4C88388E54D9DFC18F4040DC9F16C07E6C65FDB808B21376496E409967BD52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLLMD5=F19B5D908180DAD49CED0FBA8449348E,SHA256=960DF2CC469138EB7A3654303841617D59DBDE85F265149A460D88074D255407,IMPHASH=C1053471D8EDD62162C9BD4D0AF80C68truefalse - insufficient disk space 23542300x8000000000000000329994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msix.dllMD5=8322D420490A1ECCD2B2CD93557F91F4,SHA256=97667DD7CD528E0BC26E90C42BB877D92A0B3DF8CEE63C25569B2AC6CC070F8D,IMPHASH=9E49C5E4B116FDE878586F791AB485C7truefalse - insufficient disk space 23542300x8000000000000000329993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msfad.dllMD5=1D6F1AC4E1F15ECBBBE7C3C053D0F8F8,SHA256=57C46A8F2290BB0892950949C5B6E7B04FEDF04C733A966E78A298C253873C31,IMPHASH=E8D4AA3028A32023D40ACB3C11766457truefalse - insufficient disk space 23542300x8000000000000000329992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.743{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tkjp.dllMD5=7ACB4B88C1B490348DA857F7B7CFB8BD,SHA256=95D97B247099C42D0650100A3A0731F32FFAD735FC7CE56AA5C70CFB9C77A088,IMPHASH=8B6A9B6EC76945158330CDAA9E126D3Atruefalse - insufficient disk space 23542300x8000000000000000329991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.728{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tk.dllMD5=148B5E905C1223D1F1C6D2247505CB1B,SHA256=084DC02A4EE21223E5F5BEABFF133F0B43D084300F26AC00C7CBF29F5F6268CD,IMPHASH=71ACECB9087E2812914003A9938F3C5Etruefalse - insufficient disk space 23542300x8000000000000000329990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.728{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7jp.kicMD5=7EBC7A6B7EF05099B13BDBF9B43057C5,SHA256=B4C6ACD95E5C1EF6B44341F53DAA4A008AF1CE18166198741B5E8F0B04422D0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.696{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7ge.kicMD5=D9C132D286E06E10E90E3C7DBA2F3DA3,SHA256=045560F6AB5E7BF19485D91B8D4C87AC9903C3A7D21C1F7B78385D09085E7936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.665{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7fr.kicMD5=F65A4820FD347AE56A4BC3B5CEE438AA,SHA256=56BF5CB0DE386F8CAE3A8B1A02AC5D07D43938D1E1CD74470F4A46B229F33337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.635{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7es.kicMD5=9A9454DAB84AA98C34425BB5649B1188,SHA256=954BD77BBC74A05B7AF59F31E8B4FC7AB2A2713F338901B7B1244CD7F0AEF077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.618{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7en.kicMD5=D99939E3CF79AD40C03CCC9BE2B8A92C,SHA256=F31F55D08362C73B2117051253B1FDDE43A6735991FCC563E2A0E21C0D86168E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7db.kicMD5=8E0B47B1992779E12B86561D6A88886E,SHA256=6DE0823DC2D66E11245DEBCE59DC5880E15378A137E2D42A96CB7329D6B40064,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.587{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC12C5DC07F3FA70A8760584D66A5641,SHA256=0672C5DC52C99C237E027FFB7B77E6BE8387206C9A6D810777FFEC444B9DFF89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7.dllMD5=96D3AC81038850A7AD63BDF8AFF192B7,SHA256=896444DDE7E4D8658BECC2BFDBFE02F33515CC68F3B03746C03607FE72F83E34,IMPHASH=643F45E19DF7BD0A865DE1C0C6390906truefalse - insufficient disk space 23542300x8000000000000000329982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7wre_fr.dubMD5=30F321400894DE3BD7906648C0214AE2,SHA256=91D5E66C542320618A4C9E8BD5D5711B148BCCB0DED5C2BFB1E6014543EF36C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7wre_es.dubMD5=693D5D2B03E7CBD61E9073660F201FCF,SHA256=8944FBFC8E3192EC49BB2F3DC695A75830100F7A281206D6682605B5D0A6B29D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7wre_en.dubMD5=CBA327A3E728C40297EA30AA3380E0D4,SHA256=7C9757B1AC12F385F6C0AC0E2DBEFE1452D7BF4D57DB616036EB7E67AE388C92,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.556{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7fr.dllMD5=9268E857870201AD112A4251F86001DC,SHA256=CA9C79FE96EAC4543F41F1278E2D5DDD8E10E155185C83ADD76FB34E75A197B9,IMPHASH=E8B11F7F3B724329DC3DED1F83C1EDD8truefalse - insufficient disk space 23542300x8000000000000000329978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7es.dllMD5=C91EECB17C1A1646CD51773FD04246F4,SHA256=BDCF38D62A730CC441D2E533179DB7B81FDCF79A78E65EA7353BA753300A366C,IMPHASH=E8B11F7F3B724329DC3DED1F83C1EDD8truefalse - insufficient disk space 23542300x8000000000000000329977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7en.dllMD5=3ABC5771301DEB1684809FBB46649092,SHA256=3AAFA9EFA17021969A9747A70EA8F30BA5D34699C7B43E0B2E413B65FF4E3BC7,IMPHASH=E8B11F7F3B724329DC3DED1F83C1EDD8truefalse - insufficient disk space 23542300x8000000000000000329976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7cm_fr.dubMD5=3F51A727BEBDC58FB90024C155B271FF,SHA256=68F5C3F9457EF664894C26B4D54B6AE17008DDAE9379F67E6F6C01473DDD7567,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7cm_es.dubMD5=4D44758BFDC95E635D5E5400EACA0001,SHA256=387F90E53C5BFC839A4A911D0CB9699B57EA33D2140F77E71E8F57B5D04608F0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7cm_en.dubMD5=AEEC30F8357C277B46574714D515A415,SHA256=B2EAB9D7CE8E516601C5AA6B7A566A56669049CF664FC1225CDB8A512791EAC1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSBARCODE.DLLMD5=10781658BFEAEE494A2EB06E73902FC2,SHA256=09B485AC547A8EF969799549DC82C2174A3B04BECD2867B9D275CD0162F9E002,IMPHASH=54FC252E90B74EECB1B628D91468F6C4truefalse - insufficient disk space 23542300x8000000000000000329972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSAEXP30.DLLMD5=3B46082AB0B5E2F9124BF9B2A71D8D94,SHA256=DFF757DE40100E9F288AAC0973CAAD0AF36103028FF1C93EC110226D7BA8009E,IMPHASH=C26FC860D3868799F8CC6F010A4E62CCtruefalse - insufficient disk space 23542300x8000000000000000329971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACCESS.VisualElementsManifest.xmlMD5=79A8BFC6DF0E6E7D1B7A816F3A4559D4,SHA256=CD15DC0E3B8488725DB38D9E5177458CF411EA99761E50434A00E795A941EB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msaccess.exe.manifestMD5=E7C5260A6E239A0BF2BD2DF756BBEAFD,SHA256=FDBCFF1756951DC0308A431C89A32DCCFEF3DEEFB6EC6639EE1A54CA1669C1AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.509{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACCESS.EXEMD5=3634A228E047C55F4758B021C46BBFA8,SHA256=2A591D0EAA9D2E81836DB8831879F6AEC424CA354EACC61FCE619DD752AEA135,IMPHASH=B7FAE2D5611671F83422DB1DE2885B5Ftruefalse - insufficient disk space 23542300x8000000000000000329968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.306{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACC.OLBMD5=6E7692CE0D5F72224F3FF33E5A76AF24,SHA256=1D480DB79AD0E4DBDEC670A560213E411257F2972969FCFEDE357EFFBD0C326D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.306{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MORPH9.DLLMD5=9FF83BA4D873B396BD2FFEA2744DC00D,SHA256=C3259A2305F6E74976E2508500A44B7DCD800952F57E5832E2C3A7CAC95E6C6F,IMPHASH=C3AE57F444B43D7430AA6865160E64D4truefalse - insufficient disk space 23542300x8000000000000000329966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MML2OMML.XSLMD5=BC083C752B20867ADB7DF8FF301C15E8,SHA256=5558E69D8BD6534927C4176BD5D5032D0D4BDC17BDAAB7DE580CA41E996A609B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MLCFG32.CPLMD5=888A21F8359C76EAC320C308ECD945EF,SHA256=36CC667EAD35A1D70C45F402A43BBA4D8E6F4DB62A5F584279631915BFC90E64,IMPHASH=F266943EEBB3CF320C5354EFEE1CC6ECtruefalse - insufficient disk space 23542300x8000000000000000329964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\misc.exeMD5=A559FB6CDF9E11E0A4D30E72F41B3BC5,SHA256=ABBD8FF72BA1AEDBBA88691D541715CD7252B3FB69568C09AC11833C500EAF9D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000329963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBROAMINGPROXY.DLLMD5=C57F22C32553CD379C14FB6C9E780542,SHA256=7B76699DD7CA9509CF6B013741414007DBE099391CB4A53C5DF162242732FBF5,IMPHASH=D852651852646E84F1328DA1BAB7CE77truefalse - insufficient disk space 23542300x8000000000000000329962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBPROXY.DLLMD5=EE54857AC95E1C84E281100553B5DAE7,SHA256=113D0D2D698EEFDEA365531729CEF85734422C94047D7E6306ABA2D759DE2766,IMPHASH=D852651852646E84F1328DA1BAB7CE77truefalse - insufficient disk space 23542300x8000000000000000329961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MIMEDIR.DLLMD5=E872A0BE43FB7F0909DD19A4769BE9D6,SHA256=40961A105BFC5849B4EC3ADAFA351AF0AB2D71E56563B1C88A5E19FD914C466D,IMPHASH=4FF08AA7F37EB381E08ED35B95BAB522truefalse - insufficient disk space 23542300x8000000000000000329960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Office.PolicyTips.dllMD5=E23E4FBB6FBC8DD41140D57C00097A6B,SHA256=499BF68B5FD76C84D4156F74523E2E880E73F1FF8140526A28B3B097DE4C1A34,IMPHASH=274625C89E25BFACBCD37ECAD88A1511truefalse - insufficient disk space 23542300x8000000000000000329959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Lync.Utilities.zipMD5=DB44A76056EF9C0EAD119BFEA7C19AF7,SHA256=91191D72C5E555AA11046FC67808397195D238F11FEA313D160C49732D7E9935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Lync.Utilities.Controls.zipMD5=7BD0343DB77E4ECB81FA0D44278D7D41,SHA256=005FB8C314477631A0B45458F5105703C9651D3AF4FF3483A93BDAC3DB4B1E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Lync.Model.zipMD5=3E0F59FE6FD5423413636610359991CF,SHA256=8F6FA7B412468E46293391F42B9AB93AE53745A7B66757230F417D21EE7FBE9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Ink.Recognition.DLLMD5=CA0961E5981D48ED0E48133BF224D8F9,SHA256=D3954C4683289C93BC4C88ED5685AD8B57C891C1A82830F6A1F44C8830233F5C,IMPHASH=1C5541A3204CA25CFB7D0C743CF3CAF7truefalse - insufficient disk space 23542300x8000000000000000329955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mfc140u.dllMD5=587C85228848E52AAFB3863FF1A6F2B8,SHA256=BFE1547439BEBFBB7A46F292BDEDD8213315E98D778D969225D2EBE2D93FE297,IMPHASH=B4F070F0028C97D4B44509B262314B3Dtruefalse - insufficient disk space 23542300x8000000000000000329954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MeetingJoinAxOC.dllMD5=DFF1CA21194AF5EC7F777007DA85B4F9,SHA256=F8205F11C3C86ACC1950D106B3D099B5C73C242BF8A0EFDEEB95BD254FC6BA02,IMPHASH=4E45073A9F0668916A2A0E5EFE3D69F8truefalse - insufficient disk space 23542300x8000000000000000329953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce_office.dllMD5=D600B7E793F3C7708DDCF1198C7E0D7B,SHA256=3F6827102B2F6B2B8E6B206C9FB9591DE56A66CC602CDCE38992195993E628DB,IMPHASH=ECCD7161CDF192B48FF124B0DB44EFA4truefalse - insufficient disk space 23542300x8000000000000000329952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\McePerfCtr.manMD5=5057E2BD27A1DDCBABC7BB51F39D5607,SHA256=C9C198207956EA4E4568D13B0FEB8AB8623539B50F3B061BD06DFABA571CEEA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce.dllMD5=366D59DC86E5F484B9D1B9D748D8F983,SHA256=9976AC83DD5ECF1CC8A2313B942CF3E3309586B1F8155DA851448BC6CBD9DCD4,IMPHASH=6A059D345DAE9CC4A80F24B19B9D85BEtruefalse - insufficient disk space 23542300x8000000000000000329950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPISHELL.DLLMD5=5D954DC43EF0A2074F943A588877E725,SHA256=4A9A8E8407184E937AC94B639D2ABCCBAB2AD25CDC66A5EB394F57EB3173A2E7,IMPHASH=94EB0FFB655B369797FC1D581030E469truefalse - insufficient disk space 23542300x8000000000000000329949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPIPH.DLLMD5=798F33B9711671E4CDD1B47171606865,SHA256=58852F22F63622993EAF0D579231DABB34E60D75A91EFF44D2D798D4A2C5028F,IMPHASH=F4D9B0732D6BFEA74ED19F5E7C756DE7truefalse - insufficient disk space 23542300x8000000000000000329948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MANIFEST.XMLMD5=0ADF7941B8353413387F25895CA3B233,SHA256=EA7B087EDBBBBF29376A198635E2FDB9D5985CFC3B46FC5C50088E92BCEEC25A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000329947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncModelProxy.dllMD5=07C1D33F59B78676FA7A52400EEDB6C4,SHA256=EA8B6C6D4023FCF628B8FD64ABD4BC2D580E3A7D4C2F5F71CF700DCED3485F50,IMPHASH=79C387E1EA024D24BC14E9AB3C51A4BCtruefalse - insufficient disk space 23542300x8000000000000000329946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconvpxy.dllMD5=DF48C4B2A67C1B415D3E8C65E149C40C,SHA256=C23C66390849159E8C078287ADFB6A61334FB29A5A175125A977679B3D56F239,IMPHASH=ADEB239F43607E5A2457F810D257C200truefalse - insufficient disk space 23542300x8000000000000000329945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:32.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconv.exeMD5=3FB3FFAE037E686784A974C5330CD8AA,SHA256=AE33D2F14147CCFD62FB9892821920BA5924006813B0F22E5ED3093EB3BAB43F,IMPHASH=97A9241F0D5177BD42FDA0C10CAD2883truefalse - insufficient disk space 23542300x8000000000000000447986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:32.279{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B277BF3F90EC06825474698585B9CD57,SHA256=56310A9832243EC1DC145CBE101E43A9D1FEBE3AFAE1221025EFA6828962C996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.964{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSYUBIN7.DLLMD5=2514B2D80CEA4CFC213A9ABDE9E08311,SHA256=A55B923533E6E6E6082FFC6F0E67C89A99E6A6F60AB3D9B02E6468BCB922097C,IMPHASH=00D1B6C6A304568655960152C15409BEtruefalse - insufficient disk space 23542300x8000000000000000330072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.964{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSWORD.OLBMD5=D07301FF2CF96A0422D12C845FB7F58F,SHA256=3CBE42E950ED4C0DFAE0BA2075C70A4E8E46F32875FEDCAE5CA73794FD743DF1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.949{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr120.dllMD5=49FB6E786B2F9DF8812E0E317CED55CB,SHA256=9461F2E4ADD5C650102ACDE0C62377FF86D9B19FC20D0003F326CCD474E8B7B9,IMPHASH=8F18E22935EF8B336E246EE763FBEC97truefalse - insufficient disk space 23542300x8000000000000000330070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.933{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr110.dllMD5=7C3B449F661D99A9B1033A14033D2987,SHA256=AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732,IMPHASH=2D8550B19D324144E95B49AAE32A0DCAtruefalse - insufficient disk space 23542300x8000000000000000330069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.917{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSVCP140_APP.DLLMD5=6FB5A8B31B38B7C5A158201BDD343B74,SHA256=B67DDFFD73AF5FAAF4C1BA590BA966C260880FE154E07CFCE3C4E5CB5B0E86AB,IMPHASH=E5BF45AB1D834FCCC96842C6063C5D04truefalse - insufficient disk space 23542300x8000000000000000330068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp140.dllMD5=CB75D6437418AFE1A7B52ACF75730FF1,SHA256=7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1truefalse - insufficient disk space 23542300x8000000000000000330067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.902{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp120.dllMD5=8C8D1140787DA60A343DD11C1CDF4992,SHA256=6AA1ECE9DD340D05AEC43248592A78B70D21959DE8727F506D21A3A962348583,IMPHASH=D0A59246EAB41D54812CD63C2326E1F1truefalse - insufficient disk space 23542300x8000000000000000330066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.886{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp110.dllMD5=7CAA1B97A3311EB5A695E3C9028616E7,SHA256=27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD,IMPHASH=AC5237467F598A9A5B370A14ECCC4DC8truefalse - insufficient disk space 23542300x8000000000000000330065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSRTEDIT.DLLMD5=E8EC4D47ADF1A5CA139EEB202EEFDD3E,SHA256=FDD812D265CC3CD69BBBC814FEDECCA5AAAB0FF77DB5A820DE96A5E1CEBF9142,IMPHASH=94BADCC3065D1E2EEF1FCA70CEDDAB30truefalse - insufficient disk space 23542300x8000000000000000330064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSQRY32.EXEMD5=46A8CB968A85D7F5695C3AC9EF43DBCB,SHA256=FC7B6222EB5021B0CF10C21F260C39C22A2CAEE11F85CB81C764625AD40900B9,IMPHASH=26CC43C12973296332A0B93132796B3Dtruefalse - insufficient disk space 23542300x8000000000000000330063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.856{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.VisualElementsManifest.xmlMD5=6BE78F94B5DE1E4A6BFDD0D1F07DB74D,SHA256=E7BB4DCCA5941C96370DB96BA81438027518F112F978CE3121EE0785ADE1CF3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.856{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.TLBMD5=FFE7A1EF61DC9C2C4CB74B88BA843E30,SHA256=E736F95723FA13E7A8465E245AF0C79169015D89BE06B62BE510E4F3930DA8F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.852{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mspub.exe.manifestMD5=626499117F52CE5CB784FFA702EE56C7,SHA256=FD21DF1B572BB5D4DE33946D2A6D683685000EE2CC8D899591A07F43B85E303C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.EXEMD5=02C99DEC49BF2C2769574C1D30B4DB8B,SHA256=DCE80BA49E7C98222243D5DB65F8A65400184B1BF4F1ABD5C66EDB94E18F3094,IMPHASH=22C016F805063872933F20159FD6C765truefalse - insufficient disk space 23542300x8000000000000000330059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.702{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPST32.DLLMD5=13F980E7CD1C09BAF06B32E3E1E955EB,SHA256=7E02360CAE2BDC4D915B50E0F3712E25F6FC3EB89B441BE165884DAD14F77C47,IMPHASH=D683FE3740358EC6A33A2632EB5CCD1Atruefalse - insufficient disk space 23542300x8000000000000000330058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msproof7.dllMD5=092546D53B346B5B4514FFDCC59CC4A9,SHA256=F649609F2413265EBFF63E32A59E69D17F9C4B162AA3450B923A66EC28B16A5D,IMPHASH=0814FE63939BFEB98D80DBBAFD9037ABtruefalse - insufficient disk space 23542300x8000000000000000330057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.656{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPPT.OLBMD5=6B36943F6C7AFBC1A553677063097E91,SHA256=267B22305B9CF4896A88440AA5873F67E345CB7BBC894FDE6EB147DD12477979,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.656{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOUTL.OLBMD5=ABC6758E8BBB0FA0BE9DC27E65A76329,SHA256=0555A15B3F44C25C70015691109CC923C6FA3D7A3FE389156843B4A595B38C89,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoutilstat.etw.manMD5=C1E8B625377C75454266F9D172D2F77D,SHA256=7847E5BA06CA0A834454A3C62EC343DCAA4339E6EF2ED5BD42E460ADE5331628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotelemetry.dllMD5=6E06F6511ACB52D4DA8613CE3670E040,SHA256=3F7086B8C5C853E5F85037AC4EC6A816C86C8F4640CDAF22FBFD65D2A33ADCAE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotdaddin.dllMD5=FCEAEB3C9BB1956A6D510534DD1250BF,SHA256=4573F8FDF9BBA83158FB2184DD435C6ED72AFBCF72213ABDAC29570BEDDBE11C,IMPHASH=C65C7608C6E1117C83C3AB72AD199431truefalse - insufficient disk space 23542300x8000000000000000330052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotd.exeMD5=179E7173E0DC04AA1C60ABEC218A788E,SHA256=BAB201F003D3A1373E06099ED68466699072E78AE9314A59E23C996F4E307C6D,IMPHASH=5A1458C72D55357CAC40F450D0E17F80truefalse - insufficient disk space 23542300x8000000000000000330051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSVG.DLLMD5=0521E141813D306DB3F64202E22CC7E9,SHA256=21FE95AE5330984315A14B1605E3A0986C008B061D17D50CAB8EDE46738B90CA,IMPHASH=16FCBF498EB94D86E1EC3C1E0D928D19truefalse - insufficient disk space 23542300x8000000000000000330050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.609{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSTYLE.DLLMD5=10C3E891761436DDC89515F2CEB5BCC9,SHA256=5F33799563E272ABD80C58F47B29277D67163972B9EB7A245B63D7E6720A62C2,IMPHASH=7506B80334EE078A570C61E2BB3B89FBtruefalse - insufficient disk space 23542300x8000000000000000330049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.609{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSREC.EXEMD5=D6875EDD6B4870DA58DCC409B23456C5,SHA256=9C5070575DE830AC8F1B33C7F6CE911348B97343F392E181D76544D0A9C0FF6F,IMPHASH=4FF4E22F43FB27C93A893A5917E1692Ftruefalse - insufficient disk space 23542300x8000000000000000330048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSPECTRE.DLLMD5=9D3C06383ACEEE541B533DDFA0258781,SHA256=F161E38A63DBCBAF0BC79AA34FB9BD5C64B319CA43CAA716C57FCC398A4AE41B,IMPHASH=DD27ECA70C5A75464DAD42AA0490DA79truefalse - insufficient disk space 23542300x8000000000000000330047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.593{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39800989A9974B62B195EA09F9B0BC86,SHA256=B780AD4256083E5C5AABC5DFBBF8F1664B2E28A81C057B8E497D74B906700A82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.421{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSB.DLLMD5=134CAD180C86B86B2BF1329C4B9DCF23,SHA256=C73492E414329C277BABA6D29DAF4543BE4B56B6AB5FCD1FB88824764827A863,IMPHASH=84D0A43FA78747E8EC1F52D08F01CB6Btruefalse - insufficient disk space 23542300x8000000000000000330045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoianetutil.dllMD5=2BFFAA32430D8AAC47F2B36CA0A0DEFE,SHA256=17784437A68EA604344B170E2E84D286D4AF74A5B01A8EB86354D5920E5A219A,IMPHASH=EDE8D78424EBBF4094854B613BC1F03Ftruefalse - insufficient disk space 23542300x8000000000000000330044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.406{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoia.exeMD5=5B63172C90B069D7D4371C6A681FF715,SHA256=BCEDDF965046A7C176C941DE8A3F839C0221280581A30DAF41A0574D353C7D0E,IMPHASH=886FB473362420D3696C54E811E03992truefalse - insufficient disk space 23542300x8000000000000000330043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.312{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHTMED.EXEMD5=160A32E65212E7750AB86C18F978292E,SHA256=A8C1F034E63974B4B1DD18D9FE6B5183FC52DC250356731E45EDB6C6E9A973ED,IMPHASH=1E910AAE09C9BC5D307BF00D92238B4Btruefalse - insufficient disk space 23542300x8000000000000000330042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.312{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEVI.DLLMD5=5DDA5329C0AB25BB4FC61BDF8FFC8FBF,SHA256=F9C6EC9A5CDC7428B46366031BC466E647535B0A83365FF40D93B1672E0488F9,IMPHASH=1D943865CF59664C8567E13CF936B57Atruefalse - insufficient disk space 23542300x8000000000000000330041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.296{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEV.DLLMD5=57D246D7BB394E18327EF41AD088A9E7,SHA256=68DDA8ED9E327B81C1A33FEE5A2B1FA3E95090C5F2642E1784C098628E93BE21,IMPHASH=B63EE955F9544896181F3E191E19EFBFtruefalse - insufficient disk space 23542300x8000000000000000330040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoev.exeMD5=A12F36DA7C9412605C1BBD3BAB4467E4,SHA256=F284697CDFA127FA95DE703478EAB1A656E34439D6D4EA64B2C23EFB2B2B99FA,IMPHASH=5A1458C72D55357CAC40F450D0E17F80truefalse - insufficient disk space 23542300x8000000000000000330039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoetwres.dllMD5=8BD1ACFA110DD4E0CBC09372423048ED,SHA256=99BA3BA98D17FBB6436E9730EE6C0A1062DC7EE25190A09D25588AC3183EC629,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.281{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOCRRES.ORPMD5=1337603C99A01BA5379B324B6F5429CF,SHA256=CA2FEE4A3D7A823D4E6FEF6E20AE5D2DF41FACECD2F86BF5FDB1EA03899D839F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:33.281{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03EE841FFA516A3A70F7658FA7B0799,SHA256=00A5E51E9D1AB072A382DD08C63578AD4A8FB1A7F4AC2548185A2A09076FCE86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000330036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:30.380{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50998-false10.0.1.12-8000- 23542300x8000000000000000447987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:33.356{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE5052AFF35E03B5ACF09C2E2CCB4B1,SHA256=A473AF29AE6D2E517DB62AE020E8E4F407D493ADC17BB4698BA1B91BA27E9064,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:31.767{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:34.455{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05873BED32D954BAA73C97FF810AD35,SHA256=0CA3801DA45A94858E160275A3AAA5C2D4D48A83A125F6A4FBC1C286F10D7E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMSB.TTFMD5=03423C781C5E2BAD6E30CDE16A727535,SHA256=EEF13FAD912A76F9359BC8BE7D327D92F50F49030199E7022BF3D7516FD66FF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYML.TTFMD5=F64C9F744C0CE95CB886725DD3B46856,SHA256=EB711AC3DB90C885B0FB17BA5184F82BB04FA684F001061C556BC1377C782DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMK.TTFMD5=7BCF072C4F4DCDE1787C413C000F24AE,SHA256=202240248310C98C5E62692C5232F5A0D66D70DBC276553C3A7D98B07ABE7C05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMB.TTFMD5=93315D16698C6BBD8741469E83AF7090,SHA256=6B34E1583F82BA1048ACFD9303DF3CB8A6B5564D979377841CEE4657EF1AE208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYM.TTFMD5=3B426FD0BBD534E5FF4A96676ED2E197,SHA256=8E3AD9F7DAED5EC21724972675AD8D9B02BBF6DFCD9A9F3FFBA27BA415E1663A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFRHD.DLLMD5=AF912075B08A2CD1CE7816033E6C2F1A,SHA256=2DC8DC5FA3C94ABC5848BA09B6CADE9A2449743CABF3BA9DB7F9C06709BF3B29,IMPHASH=C7A81EB697D3D6215CA86E72075548A8truefalse - insufficient disk space 23542300x8000000000000000330113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrSanBroker.exeMD5=3A0B28BDE842DCE8582769B775DBA134,SHA256=7C94A8A2967ED2E98A7794D27135E31EC7856B4049820937338DF5FE6D134A3B,IMPHASH=B8F359ACE7D79F261887BA07CB0E66CAtruefalse - insufficient disk space 23542300x8000000000000000330112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrBroker.exeMD5=23CEA1DB0493C1AC18C40F6F42D66C44,SHA256=1CFA01BE51661686FD16578361671258B20ED87F5F867F98B541E2F85AA25DBF,IMPHASH=4B89BF6E82EF687DAFE2B5FAC77EED2Etruefalse - insufficient disk space 23542300x8000000000000000330111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScr.dllMD5=B940C980B41D2D7B6F0EB540279FF20F,SHA256=1A1A782849697080324919B12E8976CA3C865930832512EB8ED41093D0375DCB,IMPHASH=02BDDC43CB1353E31410E21826489246truefalse - insufficient disk space 23542300x8000000000000000330110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_WORD.DLLMD5=A4305F021B877559B246FEAE292BD394,SHA256=168525160C8690784373CC803EEEEBF62CED50B2513984A983A91F50FD0498CB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.832{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_EXCEL.DLLMD5=7BF7D6D3D4384242C78F3972230EF316,SHA256=F338CABA051D606386F292B742EB84EA3FCC58FBF35BE565C2A5BCFAAF600BDE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.808{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeJs_Core.DLLMD5=445AFE66FB2BD0A3FA1EC3726F6C257A,SHA256=98676FAAEF42A932250DD6D2857EF4E00AE8B566856C4E87928D06C71BFAC0D4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.808{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\officeappguardwin32.exeMD5=63771712759D3FD430663D20DA5A09B6,SHA256=3EFDCD469B136A3D4D3D472FBB588E0A6A31C2E686C3583C9DA0821FC9000218,IMPHASH=1318981C137C0A55A876192636D24545truefalse - insufficient disk space 23542300x8000000000000000330106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.777{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBCTRAC.DLLMD5=CF25A38D09D7696C0F50DAD495B8EF23,SHA256=F7D6716EDC12D67896E06BF7DB191E92BD89E7B921FE0FFE99123D56A0CB8EB0,IMPHASH=DFEC85953EF7043F0BA5DA43BBB319ABtruefalse - insufficient disk space 23542300x8000000000000000330105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.777{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC32.DLLMD5=7BEBF56569B5DB0AE156583B54CC6D8B,SHA256=16710A70445C62EEC03247638D2C30838A641C4ECDBF24B507FD05F77EB46829,IMPHASH=DE1DFAF3032B0BD8E71B3EA09BAB0809truefalse - insufficient disk space 23542300x8000000000000000330104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.761{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSCLIENTWIN32.DLLMD5=E5BCD95E4431AF50443E6AC619D3B5C7,SHA256=258FA812662C0861A07E79393E32009F08BAAF9514AE88766ED9319D08E5A7BA,IMPHASH=CF8D25483C86F02F65EC87E16EF0D5E4truefalse - insufficient disk space 23542300x8000000000000000330103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.761{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0E416A3AA585E493C4878986DA1E4F,SHA256=C88F99E6A34CA28659F6812E9E213D80D8EF5E710247CCB97B001837F8B85C41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.761{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSAEXT.dllMD5=AF4BF70AE8A73FEBC9CB5D126197050D,SHA256=C2EADFFF95DB8D0583AC5E8E7736A024868FCC753BF2393DAD09357E606119DF,IMPHASH=395C3DE403FF64BDB683635354584F9Ctruefalse - insufficient disk space 23542300x8000000000000000330101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.746{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocrec.dllMD5=B8355642C1242FD4ABB72568AA7A4647,SHA256=29EF1C90F1FC662C0934A1A57E4945C50F7E06C4F9E4CA7902DB807242769A2B,IMPHASH=D846C4FFA4C704C514FA74BFD2EAFF9Dtruefalse - insufficient disk space 23542300x8000000000000000330100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.730{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcPubMgr.exeMD5=25DFFE2C8D8D6322A0636D1EAE34D08E,SHA256=7233D055BF64B18FEF3C59C904EAA1858A1402B411CD17B8786FB52129BE5A6B,IMPHASH=836A62A8F9B671BC53E4F3DB1E918AE0truefalse - insufficient disk space 23542300x8000000000000000330099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.714{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocppvwintl.dllMD5=1039A0881493A7932C81935CF1EB0678,SHA256=0766CF737261701A583A03D2FE20219E086DD9F0D1809D7A7C06EA1566BFA989,IMPHASH=430CD8A0E31CBCD64F2DDA38982100AFtruefalse - insufficient disk space 23542300x8000000000000000330098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.699{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocpptview.dllMD5=C3005E52CC363F8D5B8F3D118A2F7D90,SHA256=36D42E77FF05327A690B39761796A6AE593B8820E01AC23B18C942462EA3E219,IMPHASH=DE008F0F722BB34BC5A7F9989899E532truefalse - insufficient disk space 23542300x8000000000000000330097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.668{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Ocomprivate.zipMD5=A7CD3228C806C3B050909546BAEDCE55,SHA256=2FDB22CD53BB291A84F177C79FA4F8F2DDDD846B60EA22A4487D57072BD92B76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.668{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocogl.dllMD5=A46BD6701E7FF19C19D281A3EE6A8E44,SHA256=162AC33EEC6560B9BEF823FDE19F704FE62E8E6EE4A28A65422C3325E1073D92,IMPHASH=3CA2B74AE5C2204E19B3A8C44FF5F4ADtruefalse - insufficient disk space 23542300x8000000000000000330095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.652{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcOffice.dllMD5=3D7B26097F878D8487430B90F99F0CAC,SHA256=261B343DCAC5233D43D3863D4B3AF81930DBD5B64C3E153FFEAFD12ADAE3955B,IMPHASH=42A7BE0EB205D630B9C36EC12D511804truefalse - insufficient disk space 23542300x8000000000000000330094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.636{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocmsptls.dllMD5=AFD437DACE978150232E56D1DAE91B4F,SHA256=61ACAD74A4036DA7136D9B53FAFE17ACEDB38526C4A83BFEF9CBF057DCF12626,IMPHASH=D5844023D54C3E6B9C6A0F291824DCCFtruefalse - insufficient disk space 23542300x8000000000000000330093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.621{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCIntlDate.dllMD5=0A45A8F2DF18D0E5EC7AC3409E57DBB2,SHA256=917BDAAE9C2673FA01C86C3F46B78AAC4B646255C32C521BAA44C652D8CE18F0,IMPHASH=B1579AA7C72F039C7D6ED51BDA7A19DEtruefalse - insufficient disk space 23542300x8000000000000000330092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.605{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocimport.dllMD5=04800F9245C0C63AF191B42A7CE18E27,SHA256=AF432EC75244BD28EB833D1375C6101D8159B8341A49DAF37487779E8AA70897,IMPHASH=4D535D5CFED626FEE0AED5282201F897truefalse - insufficient disk space 23542300x8000000000000000330091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.589{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCHelper.dllMD5=822AC556ABD33414FDF2B563E9009C28,SHA256=E28335D3E9E235DCDACE833B9CDC0854BFC6E67FF2C4B8EF99C93D289DFCE3FA,IMPHASH=E916D8AA70743E6163945907294F125Atruefalse - insufficient disk space 23542300x8000000000000000330090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.589{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OARTODF.DLLMD5=DF56ABB96AC8481DA96A18A8BC5B8C54,SHA256=8714DE3B8B1258E87AB66B60C30E501284F1A3732DE757611EEEBC204F1AE6BD,IMPHASH=F7BE7CC0073C99A04A3D4362F843CD07truefalse - insufficient disk space 23542300x8000000000000000330089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.558{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OART.DLLMD5=828439BDF1AF5C6506971559D480BC7B,SHA256=0E5DAEC0B9ABCA9F6227D7E540F2BC605406C72FD82FC687FE772FF087DFB3D1,IMPHASH=DA3259463C10562E78FE9536143A1D5Atruefalse - insufficient disk space 23542300x8000000000000000330088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NPSPWRAP.DLLMD5=4BE0164C92FD51A50353560E93F6093E,SHA256=0E70495C06BABDB9A442DEF935701E475919C2C75461DA9E649FD72B0E8317B6,IMPHASH=3F41B9F9AC785031A962A8587B6498C4truefalse - insufficient disk space 23542300x8000000000000000330087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.402{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Models0011.DLLMD5=63312BBFA5A74AEC4E2C89BCB03E3F5A,SHA256=4C3E474EAA3FCE125E462218827D0B1D912FB4C53E6C5A27FBD9AD9D142AF877,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000C.dllMD5=833A50520901236D75A6A095BEE572AA,SHA256=7D9956525EB10C788480F0B40795C9FF9A3D4E258D1BF977337B9742A3BD259B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.261{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000A.dllMD5=C2257730F576976FA276057D55D4E7D3,SHA256=5150195184B4F48FBD147D41481A1E275386286B04F52F4057C09F0C1EA4DF45,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.199{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS0009.dllMD5=AB796C90438097592E6233618AB95A30,SHA256=F5047D3E5651E70FEA2BB138DB2BDB1679D7335635D948FD361D57B8F5D3CB75,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.136{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Lexicons0011.DLLMD5=2CBEA3D4F9A42D8555C56BF0D5494060,SHA256=88D55DD7F87952601EC60AEC9145F96A51271BC554862B7830AD7F9E3DFE77F9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.106{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Data0011.DLLMD5=7C34E9BE7B0B1FFE13DCB5DE29C0B85A,SHA256=CD99C304F3D20CDA08DDD7640CD364CAA09EEBC29BDC79D1F85F449970D303BF,IMPHASH=EAEF080A15D9B5D38897592D6A81806Btruefalse - insufficient disk space 23542300x8000000000000000330081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NativeHostPollApp.xapMD5=A1D4551E5F41182B19EBD4413C0A2773,SHA256=7838DF9E160E7B342EDC1DE0A808E7A06532B59C49C69F475AF3BE4EAC04ECEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NativeHostAnnotationApp.xapMD5=CFE8A6B4AB80C45ABBD22397789B0C62,SHA256=7D0C7B1D5CDBF95545C0A1156A1C5CA1FE19F9EE6E7F1DAFD120BDB611DD29C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.027{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLSERVER.EXEMD5=9DDCAD76356B55C9B9DDA7DE0E29B5E2,SHA256=6F832A2311F08E7C743CDDF88952910FE2EE7D280D84DA042B0BF5F4A2BA07AA,IMPHASH=E0A5683E83827A3D912A0B4C643AB529truefalse - insufficient disk space 23542300x8000000000000000330078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLPROXY.DLLMD5=C02D4EB58C35D6A4D69EAA49265E6F8D,SHA256=A8EA2AA3A5DC6F0124CC61CBD1268E1CFD1ADB77381962F6720E8BB78023F279,IMPHASH=336EB7921D8066FA0436197339DE5750truefalse - insufficient disk space 23542300x8000000000000000330077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAME.DLLMD5=5855381DAD8A1D1768BE4574B7BA8508,SHA256=539334BA7C2F11D50BC356D62B3352A0DB41EB8B47843485F682E0210F6A310E,IMPHASH=79B4A4DBF23C2843BE6F51B98FD3A699truefalse - insufficient disk space 23542300x8000000000000000330076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MYSL.ICOMD5=8F06D16F1AA61652E04A37FEA4FBF9B9,SHA256=37A9CF919C2E5AB77F3A371A44E1CED62E32B78C6CEC67A7C1BBD58989458142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\muauth.cabMD5=14709A0DBA0501680EBF26433F66A8DB,SHA256=297C2D05B0F80C0D9CDDCA89ED49362122AA198F0311B570BABBB238829EA572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.011{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSZIP.DICMD5=716ED688A0D9B29E3E4B2AB58F729A25,SHA256=C3C527FB9BD3EF8382FA6DF7FC243233C8BB22D21FAD2CFDF1A270A8C6A7E825,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000447988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:34.142{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:35.565{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A0B814EE58EA801276186C062DD9EC,SHA256=4C517F64324AF6D5A004C5A400A8B9751683939E939B263077AF8D6C91663A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLFLTR.DLLMD5=BC129BDDD1D2B3A0FD4F2E0E09EA45E5,SHA256=217E2C6CDB392BC71D04EA9590B38234E8CBF9765F6A22793C00D2FB46A9D8F8,IMPHASH=CA01B631F699B020CE6BFE4928905DCBtruefalse - insufficient disk space 23542300x8000000000000000330160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.930{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLFLTR.DATMD5=1DA7A808F13EB5BE33E0E869407B31F1,SHA256=8B77847E6C158781838E31961BA1CD4BF876BF24B69FABB129906EC0492792EF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.892{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLCTL.DLLMD5=AFBB20DAFA35D270C956658481C141B8,SHA256=1D2362A7C4DE8CE9126DA2EC61B564C51E0637243D08C366475035D5C41B5C81,IMPHASH=AD4FB9CB69417CC9AB6EDC35972CD94Etruefalse - insufficient disk space 23542300x8000000000000000330158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.887{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFUI.DLLMD5=4C9680C8BFF62B51D35BA37BE74A7E5C,SHA256=C72F2C23C31BB7F57D8C1B560CA46DD621D261B2239DC375FA7FE7D7670821C5,IMPHASH=1788098D9A5F7DD646128075991AD10Atruefalse - insufficient disk space 23542300x8000000000000000330157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.880{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA95ADDBB0C993D4E0C85F75CEB09BF,SHA256=3D809524A44B7FD9DFBA9497F684EEF8353639C5AF1ECFDA5773DD13BF54BD75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OsfTaskengine.dllMD5=D367059E9775D7E6C7BEF6F500FCEF88,SHA256=68E9CFC11BB6FD1D049FAA12EBD32CB508353F3ECDAAE4E03D2242377BA89B33,IMPHASH=244023D0BFA3D5C7C6794EDF8E4C8E91truefalse - insufficient disk space 23542300x8000000000000000330155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFSHARED.DLLMD5=940C503FB97877F89F82FD6D6C5ED9DD,SHA256=59F69FC20300992A335110FB5685D9C51A71564728484162D822A23BE6DB9C05,IMPHASH=82E1DEE809B5CA409711F911211EAFAEtruefalse - insufficient disk space 23542300x8000000000000000330154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.814{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFROAMINGPROXY.DLLMD5=01DF128E260B79CB102BB8EA2058BC94,SHA256=0749BF2E4117A6CCC218DA0E6A643F25C37F924AF9E9A9A085A5C84242B14ED3,IMPHASH=D852651852646E84F1328DA1BAB7CE77truefalse - insufficient disk space 23542300x8000000000000000330153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.814{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFPROXY.DLLMD5=B04D55F2F2F2EC7A07416EEF8FE3BFD3,SHA256=4BEC4BC08ADE6F3B078BD8A62A0D97FA62653C74EB6E654D905CAA200E584D0E,IMPHASH=D852651852646E84F1328DA1BAB7CE77truefalse - insufficient disk space 23542300x8000000000000000330152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.814{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSF.DLLMD5=358EC3D81BCE7E2ACC50EBF6065DC70A,SHA256=FDBFE14CDE4DCA7843571510E8B6A7C83FD4A3055310B3951BBC27D343F0A8BA,IMPHASH=E599C8589D00C1B92E2B712B526D5D64truefalse - insufficient disk space 23542300x8000000000000000330151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.767{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ORGCHART.EXEMD5=9E24E7396B5B4612F967227F70B3BBD1,SHA256=91D7BEA3EF2D94C5088760BABF1E9E62D4E959F2698FA327DF2B3C492EAB5E51,IMPHASH=B042992038A2A4A72ABA68CE8752DE18truefalse - insufficient disk space 23542300x8000000000000000330150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONWordAddin.dllMD5=A975D59CAA3D21398767E2746FCC32DA,SHA256=A1C15A193BD7F60A224E7CF49265731F529F63F3ED67362876D938728F7B484C,IMPHASH=E7A5CB9C89606B2606B9AAD4B8BE5F56truefalse - insufficient disk space 23542300x8000000000000000330149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.736{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONRES.DLLMD5=7F544EEED10E69A8A5913EB939F4E740,SHA256=7D13457CF0A77091D37FFEDE7C6AF180F797CD627647C7E7F1CC88C4634A3299,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONPPTAddin.dllMD5=BD8B3CD59F12E7BE55961661638197CE,SHA256=97F662135D68AC30ED4DF4A41ACDED92BB7A1CFA6E066EF248C4083DC191950B,IMPHASH=E23FCA1569BCF395526109670B335D3Dtruefalse - insufficient disk space 23542300x8000000000000000330147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.611{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\onmain.DLLMD5=2E01E1ABBE723AE513EE4D1FCB7D5A23,SHA256=9FE1E763429E2CC3EF20D2B80CF0937094F770E9D94EAF8098C00BAECC87774C,IMPHASH=997B91C735B6DF31809807707EB42F84truefalse - insufficient disk space 23542300x8000000000000000330146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.408{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONLNTCOMLIB.DLLMD5=6A1782CB35F86312205150D1C698C0A7,SHA256=B61E78C83DB48FC8DC3196AB596AC6CE2EE30DD35986C6E6092AC2D740DF3D77,IMPHASH=47042000ABDDADD6128C65DBDD1E6394truefalse - insufficient disk space 23542300x8000000000000000330145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONFILTER.DLLMD5=DEC61C805B90BE1576649EF02B248769,SHA256=2E3F43165CD18A6FECF6A39970BE837BA5D4EA640266327E1C19D8D77CB41641,IMPHASH=25571BB0402F0105B34BE19C73FB932Etruefalse - insufficient disk space 23542300x8000000000000000330144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTEM.EXEMD5=F2B31A9947724C1C52A47BBEF21973AA,SHA256=EE68951E88EBD001EA43994E92C3B93BDAEC5B55B7B66873AB9247FD316E72BF,IMPHASH=4DC72FB7535187ABCCF9B3811FDDE73Dtruefalse - insufficient disk space 23542300x8000000000000000330143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTE.VisualElementsManifest.xmlMD5=D9E1A8BA2CD88FB785FA830CEC39BBB3,SHA256=2BB3EBF154C29B9B7D9BD2370C0D7DBFC4D83CF66E5978D7125C2C14FFA6ADEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.361{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTE.EXEMD5=40273B9F1F631FCC61C928D0895E9BB3,SHA256=7933A2F84B6689EA5D7ACB2CF93CCF61FBC512FB3417848EEC8125E722C8AB14,IMPHASH=374448B69CE5A6F2F7E1170A7F712247truefalse - insufficient disk space 23542300x8000000000000000330141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.329{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONECLIENTW32.DLLMD5=5D49577C7D205C1D407307DE91B5EAA7,SHA256=A039B3090191A4EA6DA4B949E878F796155FEAB188D54DF2B253272A7EA6F8EE,IMPHASH=40994F7DBB9DD44ED2FAD100D2A53AD2truefalse - insufficient disk space 23542300x8000000000000000330140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnWD.dllMD5=4597DF82E08A0135B20806F357EB6CD1,SHA256=1179C4B786985E1F4791A38F04FF51554F5393D210727F3B256F14004DB412C8,IMPHASH=F31C4774A656973CB5EF4B5357098506truefalse - insufficient disk space 23542300x8000000000000000330139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.314{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnPPT.dllMD5=90DD2ADB4F9AAD6422F35A4FEEF764A5,SHA256=46AE5789C64F5B5307C95F9C9F99ECB273C9AFF0C7B91FB7F590C80AAD1F4CFC,IMPHASH=D4A12B58E4DC481E12BF2A5A3FFECCEDtruefalse - insufficient disk space 23542300x8000000000000000330138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.298{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnOL.dllMD5=217CB4F52B383337B5AE028A7D506A43,SHA256=86953136C0C7CF0A3DA9C48497DDAEE13D75E4769BD010E021ACA9F8B15BA38A,IMPHASH=3110E103545BCAB215DF06CD985CE1A4truefalse - insufficient disk space 23542300x8000000000000000330137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.283{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIELinkedNotes.dllMD5=5122EC9610681A989AB3CE916A9239E1,SHA256=DEA7CDD801B8431A26C032C9F5538C902BC5D80E4EB4D9C7D86C98FD155B9FB4,IMPHASH=68467D1796709C7A57A27F3C95597A28truefalse - insufficient disk space 23542300x8000000000000000330136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.267{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIE.dllMD5=2BD5DFCAC7A8247DBE4705861546D41F,SHA256=83B44ED54C60EF2560A18A036B8334366C8235FE76AC83EB7E7B55196C10675A,IMPHASH=48D924229AD023EAABB37D21103CCA19truefalse - insufficient disk space 23542300x8000000000000000330135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSXP32.DLLMD5=35FAA9BA5F467D24A8BDA455E38B5D73,SHA256=E57E3D85E1EDA6F3A5D31D30B262B43BC7FAB4DC9CD243F7A8CE65A09630C618,IMPHASH=D6158AA25A9B2A4B3831EEA238928506truefalse - insufficient disk space 23542300x8000000000000000330134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSMAIN.DLLMD5=65F9C3EEA1A4727AA52349C219D2ECD6,SHA256=5CA267EEF94C515AF140B3630E53915BA76369A1C7C330C2B7D9D092C2450F8D,IMPHASH=54714C20F22A6A87981EF4CFDB493543truefalse - insufficient disk space 23542300x8000000000000000330133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.252{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMRAUT.DLLMD5=B75D91C82792D4129DE03BAD70D59F2E,SHA256=3BDD9546E0BB1C7C4465AEBE55D61BF027685EDF235623A69CCD90352CDA955B,IMPHASH=E63410E96E56CCA077B8A843883ABB61truefalse - insufficient disk space 23542300x8000000000000000330132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMML2MML.XSLMD5=7BEAE90DD4EE3015A6E83C46584B0D5A,SHA256=FF1A71843461038E6178885231341E60FA0FEEF94D42FE2CEA94332DDD149DEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMICAUT.DLLMD5=E71C8F9947B913CF16D0BA5D275DFDB9,SHA256=C4E53ADDFDCCDD075919DA3B3FB948DB5FF16837FDC71616603C5CDD9203243A,IMPHASH=01099A7A6206EAA2851DDA7E51DAC797truefalse - insufficient disk space 23542300x8000000000000000330130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\olReadingPane.jsMD5=95B9635D51ADA84FDA3709A590E64107,SHA256=16A490094FA4F55B6D588671F9F68567D7A896FCC479DEDFE42721A37137CE55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLMAPI32.DLLMD5=206559866A423EE713D0BBB78286E248,SHA256=220A2F8EC350E39F41A2B8DBECE61D19B4867A047DC27C0EA129CA56FAC07A7B,IMPHASH=2B5DA7ED57101DEF2DBF65D1273ED99Btruefalse - insufficient disk space 23542300x8000000000000000330128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLKFSTUB.DLLMD5=B4DD3CD8501A63ADF5C04A17D1F7262B,SHA256=8B06A7D310E526C2D8EFDC4C57236F93713ED059131199D73CFC8FD92F7CFD0C,IMPHASH=0478AB87EAF4FF5AAEA4DE1604779EC6truefalse - insufficient disk space 23542300x8000000000000000330127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.112{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\olk-launchevent-host.win32.bundleMD5=698F7E23BC24A3C006A01001294F32AE,SHA256=11BBC0661BAB0EC7ABF1CD0D40C9539C2B64C60367E1A6496956F0524450E466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLCFG.EXEMD5=224EE4D2A7B52D96870B58F5C7C86D8B,SHA256=3FCC9D350FA24C5791122A14DC9641D6B324BE9C4204B00C8725686ADABD4E73,IMPHASH=D0E7C7A19FC8EA56BD5E5CB04EEACCFBtruefalse - insufficient disk space 23542300x8000000000000000330125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\olAppHost.jsMD5=2ACA87961C8F68D94168F6FB0DCDECDE,SHA256=D44DF42357F4403229DC903B5EDD5C09C913DFB4C25C1F12C6355C9F2FC88286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.079{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OIMG.DLLMD5=4E0FBAFA1CB19E123CE747502B9DBA8E,SHA256=B19EBA0489A3ED5709D6C8B89E7028C58BCE7C06BE77BA82769F413033506006,IMPHASH=DC6CCBFA8209CEE1FD14A60E127D0A02truefalse - insufficient disk space 23542300x8000000000000000330123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMXL.TTFMD5=F7074EA44AB8CBC837659FF0988ED5EC,SHA256=337A3600038FDCF592033D5C2027157F810A8D7F0F5FFE28A2669468C4CA8D8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMXB.TTFMD5=D034F0D3DE577FD8D7BF32AA88805C78,SHA256=B3FFDE2858A760634883A0A8AA5E6E0AB1817510A7834B111B5A197B96D6896F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMT.TTFMD5=2A15A32916C6E6E20FE3784A2704A8DC,SHA256=54C9F986CBDBF19D368849D70416193F0C93773FCEA174EE579B940F9B4099D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:34.985{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFSYMSL.TTFMD5=F5A9D6481AF8C8537FCB8F20EC20B5FE,SHA256=BEC37E5D27E6F34A9078F02F6E2693C4F23582A31FF5088C0DF7E0053D937392,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F5766FDBEB87E759F0733ED4D29192,SHA256=209042F17C6F68AC3382805CE72DE2A8D9C6FBB53F5936ECD833450CD6075DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.757{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PowerPointInterProviderRanker.binMD5=A8E112A3551CFD6380BDC0550A2C87C3,SHA256=F27EC364E94D5929D699F51AD4576ADFB90644926468497A045824D58307E55E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.741{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PowerPointCombinedFloatieModel.binMD5=F27089C0E936852D273873C9F82934C1,SHA256=B55CD63E69B92ACDA46744D9ACEAA7E8D94E78074866D249284776103A0B9426,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:36.682{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9DFB60241553F606C4F1D9B9E111AB,SHA256=FB834B9F165863361E00955B4C7709ADB517B4C6845DFC1CD278288DF6D2723E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:32.826{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000330180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\POWERPNT.VisualElementsManifest.xmlMD5=9074C9F21A562F6D80E175CDEC8542F4,SHA256=230ECA32CD0DDD07320401605B32693E59BD38ED880352D0A97F05305BE1A9DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\powerpnt.exe.manifestMD5=DD688307E3D8A6B8F2F7040703C3907F,SHA256=7F546D842795ED953B8730948B460941BF0237B211A4D3FE369C5D81212F45E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.726{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\POWERPNT.EXEMD5=875C33A6B12539AB896A5BA9F5008D68,SHA256=6A1197C57C2DF61F418B1080E9B2605D4920940E9E06647D36447E3494E91E3E,IMPHASH=46EDF95C4DAF36AFE2DA382FBF1A844Etruefalse - insufficient disk space 23542300x8000000000000000330177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.710{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\pkeyconfig-office.xrm-msMD5=660927DD88B8F36B57CA64E9562C83F7,SHA256=1092F13FCC6B08AA2DC5FCAB54F5966724BB86598F0B1C2A88C3EB6A45A29666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.694{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PerfBoost.exeMD5=27C1E3E6C7CB1943F536ACAFE80FF6C2,SHA256=E2F03AFB684CE7A3B019AB11C58B418C2EABCC67FBA4D30D1A658FDF833087E1,IMPHASH=B1C1054D7FBD8DD09AA881B94EBAAF91truefalse - insufficient disk space 23542300x8000000000000000330175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PEOPLEDATAHANDLER.DLLMD5=B544FC2536F5B525DC14FB518F2FC17E,SHA256=8487910D2D77BF63FB18F96A654BA7A4818C8BEB8166D41581854B6250C46EAE,IMPHASH=B8E329A1E7FB999E09EECF3EE6849C15truefalse - insufficient disk space 23542300x8000000000000000330174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PDFREFLOW.EXEMD5=298E4474EF37FA8C05C82D96EB74E85A,SHA256=457F534E5E39860CF47ADF246BE55D97FD291CC7D460D3657E581FFE611322D8,IMPHASH=624B48503A24BC4715ADF0B19E437689truefalse - insufficient disk space 23542300x8000000000000000330173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.538{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OWSSUPP.DLLMD5=1874CADA91B7DFB498B1DFE6679338A0,SHA256=60A055A25E0537591EE429E82CA93E5D9327AEA058E2FD3725E6948B5CA687C9,IMPHASH=34DACB686369FA0A0DAB6219A8E3FC4Dtruefalse - insufficient disk space 23542300x8000000000000000330172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLVBS.DLLMD5=DA2E116647E85557DB60DF460894880A,SHA256=2C9F9D760A130268D3B3ED8B57D7ACB7025F49BD5C32881C6B52C9D749F100FB,IMPHASH=89D8AF45E9EF4E46555A1127C5BBC85Ctruefalse - insufficient disk space 23542300x8000000000000000330171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLRPC.DLLMD5=66EE810928F38603BE5824E09E386E75,SHA256=68297D96766EBF6D0A9563F4BA9EBB7691652E5865DDCD6FC5806B451109E9AB,IMPHASH=8139BEC1ACDFBAF828035279C0BE8779truefalse - insufficient disk space 23542300x8000000000000000330170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.507{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLPH.DLLMD5=1E7CCC5517A8AECE45FAF10AB891A808,SHA256=D73E7F180E1465EE09421794432883A2A4FCEF1C0C1C22F92B63CBB77380692C,IMPHASH=7543C201946DB5C335EB0B89044BBE94truefalse - insufficient disk space 23542300x8000000000000000330169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.491{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookWebHost.dllMD5=20282740179E51B8EAD696418A2B9D38,SHA256=C4BD50D25BA829D388BBCC3406FDE1312ED236E28EA66BF1BF2EAE94AF39B1FF,IMPHASH=76EAF420ACB9D5F241E35FCA3DBF0BA6truefalse - insufficient disk space 23542300x8000000000000000330168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.476{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookServicing.DLLMD5=9C3F55098AF4209DC6007DBB1D34A6C2,SHA256=A436AA847DE75F1E874538394257AE5834EA175CC716ABC61444F4D27BD2E9A5,IMPHASH=85D7ECF19CEAA33DE6A4E0B2FDA22FB9truefalse - insufficient disk space 23542300x8000000000000000330167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.476{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookExplorerTellMeZeroTermCommandModel.binMD5=0112B90AE00623955DA16185EB51A3C4,SHA256=FB68AA588112CD666CCDECAA655639D989591324EF379CFB10EFBC4BC85BB4B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.460{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.VisualElementsManifest.xmlMD5=82A597049B38DB14792776F86CB9FB34,SHA256=65FAE90767A1F4CD771552C73A5907CFB71C03A02B5B57A9CDE4505986D5E896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.460{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.EXE.MANIFESTMD5=E7046749F80EB3D08176C56B8B5FD665,SHA256=04036CD5DAECAA54C6D9AECC05F3DBE647D22908726CBBB08EEF80400D0E39D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.460{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.EXEMD5=61E5F49861D0BC2F947F4BCE19B33DF6,SHA256=A4EFBE4760BBD3E4BFE5FE33F6D54E9E02836C8C227A56C2119FD85F5FEA6F07,IMPHASH=A8A39E1819E929506F83030839CBCEDFtruefalse - insufficient disk space 23542300x8000000000000000330163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.054{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLMIME.DLLMD5=EA7A95BB0CACE79EA7CB1D929268AF5E,SHA256=233AA090182874E0D0D4A4757A13657C0C07D54A07C7824F167A51A8617FB3F4,IMPHASH=DF72D5CBF4AE94EFDFF6BD99E6A3920Atruefalse - insufficient disk space 23542300x8000000000000000330162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:36.038{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLLIBR.COMMON.DLLMD5=AFC1049152DFD645983F3CE743FAE4A0,SHA256=5BD15207D6F9CB170775B9EB15570D08CCC60D0D289534C9388C01B82AEA2FEA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.988{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\System.Windows.Controls.Theming.Toolkit.zipMD5=B23995F0EBBD2EA8936CD30C3D33AF90,SHA256=219A6D055AAD7744C34E7305045FFB72406C47D39E5EEB761AEA60611DF3B3E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\STSLIST.DLLMD5=BF7F1BB3B0212E1E8EC7D4EE9BAA78E1,SHA256=432BF7E6B198470D2F64492D3A821C92F37B1DDD1533A05329E5F97EEBC51C2C,IMPHASH=615AFF160D2CD0027194E5F30F762306truefalse - insufficient disk space 23542300x8000000000000000330237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ssscreenvvs.dllMD5=0F44277B72570233BF5C03A99E071E18,SHA256=55A93AEC5FB3EFE7DAD77F7FD6904EF1365EB4B8889BB7A19E961F4C02ACCC17,IMPHASH=4EBE90DA525CB5B291096318D5B44866truefalse - insufficient disk space 23542300x8000000000000000330236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALPROVIDER.DLLMD5=D1EB13CEEDA6356C2534AA7B1FCECA5B,SHA256=CABCA2E66008086842F89794BEDC6EFF0DFF0D8CDD93948D7FC984FADD5EDD61,IMPHASH=F72F074229664EC1BE558EED9FFFE740truefalse - insufficient disk space 23542300x8000000000000000330235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.921{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALCONNECTOR.DLLMD5=0EDC987E58DA49D64B2773B00179A595,SHA256=65426CF1900489F4C539CEE83E3F8D6AAF00D7EDC0C4A8A5F9E26FED7D389EAD,IMPHASH=3B0426D2EE38A6ACC9537F65EDA167D8truefalse - insufficient disk space 23542300x8000000000000000330234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOA.DLLMD5=53A21CE10353796EC0C4623FB3527E0E,SHA256=C01B5AE77FB2F7CD129062F02BD5221A30D2F5D2C95A280E81486C98B360EE27,IMPHASH=BA12E9B90CDE770797A7F0069A7F6F4Btruefalse - insufficient disk space 23542300x8000000000000000330233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.895{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SignalRClient.dllMD5=E785A0B63B6748392A2E07342D4A3CBD,SHA256=04D5F631B51CC85BC816033DFD10A74A3E8BB5872070BCFDAB2D8EF683E5992E,IMPHASH=414B43421EECBF7F2C602D4553F9F2A8truefalse - insufficient disk space 23542300x8000000000000000330232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SHAREPOINTPROVIDER.DLLMD5=8884769D04D67A4DFCDD37FE899AB878,SHA256=7B7D4C04D389E25A4CA0B19557846E3241D3ED3689E682908F193151E3384D69,IMPHASH=E527A29B76A98A8F89D6F4F711D78E9Ftruefalse - insufficient disk space 23542300x8000000000000000330231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.872{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SETLANG.EXEMD5=FBD013F04F383FFB3AF2F3BB2DC1A4C9,SHA256=17A19AF514A0BAB8E9180CAC84BB67D5E613047C72596C222507989DA150DC75,IMPHASH=39A8889461E617873FCB0D0549FA4BBDtruefalse - insufficient disk space 23542300x8000000000000000330230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SEQCHK10.DLLMD5=DE8E8A75E6BC1D0DD8CC8A9E28252B82,SHA256=8B07582A3BE89605FDCE08D67F303BF6FEFA264AE2510138F31C88348F6E8B0A,IMPHASH=DF51BB3C69751050E5DDAD5D6CF2DE7Ctruefalse - insufficient disk space 23542300x8000000000000000330229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SENDTO.DLLMD5=CB1A88883AD5BD38A4620A3577F87F82,SHA256=1FF69620AB6CA6A9CD096C34595F1AAF5CC98CBBFF70D79BBE80CF3A6B6FF75F,IMPHASH=E743ADC9A25C5067A5C646D4ABB64983truefalse - insufficient disk space 23542300x8000000000000000330228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SELFCERT.EXEMD5=A58B1B8501905C863DB421BC83284F04,SHA256=CE01B14C58DF3664DA98FF14D42BAD2E15B3AD1B0EEC55E03352776F39F87EBE,IMPHASH=8C207FD1E719E0129843AC3A290D7AD9truefalse - insufficient disk space 23542300x8000000000000000330227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelperBgt.exeMD5=757D2D00093D7BDFD956A55B61045C6B,SHA256=15A88B31B3C1A222B6DB3D1FB8B9C893D5276AEF24F768703BE67B717E413EA6,IMPHASH=2E3B1AE212A63BEE2CF57C793697AC66truefalse - insufficient disk space 23542300x8000000000000000330226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxhelper.exe.manifestMD5=2DE65A91A3073C261443D25ABF88BE6F,SHA256=F46945A40EA8FF803AC0CD56ED2D903D45250D2EEFE80760C82F10446781A15F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelper.exeMD5=623697C33FE7BCD0474DE2BBFE069957,SHA256=92A20C7887B63BEAD51F4A65208FE4BADEC5678E3F3A2E3E9440F423F3B2F82C,IMPHASH=3D528681DF3B5E9239FEC2486F65D4D9truefalse - insufficient disk space 23542300x8000000000000000330224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxbgt.dllMD5=7BD255DE84F24EEB5AE5DBA72B917E44,SHA256=640B3ACA6476F3A24696FE20B3773BFB78B603FB38C28711F84B852FA0127C97,IMPHASH=4F3851DAAC490ABACE7BDE00A4FB38DFtruefalse - insufficient disk space 23542300x8000000000000000330223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.841{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64C.DLLMD5=E026966AEB169B42A06912B435FD3F3D,SHA256=DB08E67C76A63A39AC1415CDA32D27C00A14BDE05D514642241834F0773023C7,IMPHASH=AA61AEF67AE9E2C1F4011A6150DA96F0truefalse - insufficient disk space 23542300x8000000000000000330222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64.DLLMD5=E665B35EE5AA1CF83099C89E36626E5C,SHA256=78899B5C4DC4DB4CAFFD0A023AF8C28EA9AD4C4F640046DF797E9F85EADBF134,IMPHASH=706CAF244336AA4491C3D92399812C1Dtruefalse - insufficient disk space 23542300x8000000000000000330221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST32.DLLMD5=06FDCC98B3BB5B57393664D6FE980711,SHA256=B8396E257044B1053DBBA006FA29E0DDCEBBEE0C9BC097397C1ECF0A03402221,IMPHASH=7ED051284A1D3EE1D08D4BC054454BCEtruefalse - insufficient disk space 23542300x8000000000000000330220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\scdec.dllMD5=58F9E501BAB7DAB5D3EEAB168090C224,SHA256=E45505BDD76640615C28BFFCE8416BD66EBA62A966BC9EB46057A9350F6580EF,IMPHASH=0B6822EB4BB8C3BB7BCFF2EA7EA6CAC2truefalse - insufficient disk space 23542300x8000000000000000330219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCANPST.EXEMD5=D4DFC6D5936AC5771C8462DCA8D9804F,SHA256=E4C40B0572734CEF60A2B9CEB5749308C6B50ACB14D652B701DA1E744B3797C7,IMPHASH=7E59C13C403E2DD4C3509CAE0173954Dtruefalse - insufficient disk space 23542300x8000000000000000330218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAEXT.DLLMD5=F0CFC2CBF1893D2C6A8842F2F59888B8,SHA256=A12D8F4A24023503ABA104825CB0FE31B89551C60E1C8492AB459A0FF1540B8C,IMPHASH=29FCEE5EBF4F539D9E00D60D84F3BC3Etruefalse - insufficient disk space 23542300x8000000000000000330217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmvc1decmft.dllMD5=C27BD4C7854060EE225EC3FCE8757CC7,SHA256=7E6D5691EDDBC9C2470B93FB8C2612A02D1F177610517B1300210864D5FC4F86,IMPHASH=9787EBC09FF17DF2125A7F89511E388Ctruefalse - insufficient disk space 23542300x8000000000000000330216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.779{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTMPLTFM.dllMD5=BAAC7593AA9BFA9EA0925DBB63884292,SHA256=68B52C94E3EE7689136D54618ECDF3DF0721D79AED5438983BEDDC619FABC220,IMPHASH=90CD7BCC5B00DCD1838AF29F8AC186BCtruefalse - insufficient disk space 23542300x8000000000000000447994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:37.783{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F10449DC0C8A85C03316F90EBFE80F,SHA256=BA4FB7C11073D26E7EA16A7989251ECE1AEDEB37902D7E6C469268B7CBD77962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.669{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmpal.dllMD5=F5F34A7D579D68A462E9B2A5A6F1D2BF,SHA256=8C08BF0101EA779ACEB9F64AD1B936A2845585D9BF5AF6391E9C610CE754ADEE,IMPHASH=BDFEBD198EBA8673372198AAA8E71DCAtruefalse - insufficient disk space 23542300x8000000000000000330214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvrsplitter.dllMD5=D5804C19BBBD1094A5CF8C11A6A350D7,SHA256=974497F78C290E75038F6FD30901A65DE589BCA009C3169C49E54B5AC24611D7,IMPHASH=83AE66EAC50D695D3B231A3973BCAFDFtruefalse - insufficient disk space 23542300x8000000000000000330213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrhw.dllMD5=29C31CB8D4BC03E6FBA89F78932F20A0,SHA256=2D35AB64069CCCF65D75290C3CF923E689EDE6C3E95CF06A4929A54C3EDE41C1,IMPHASH=D632843235A6A0AB1893D673D16B318Atruefalse - insufficient disk space 23542300x8000000000000000330212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrcs.dllMD5=9B5DE90AD64E29FEFE9583EEBA04741C,SHA256=53275E70D6C5B121D7D08A0CD5B782D4A46116879B72A2C811C0FD181F134984,IMPHASH=009A826D7FEFB78CF2A5239EF2BE7FEDtruefalse - insufficient disk space 23542300x8000000000000000330211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvras.dllMD5=3EFBC4015F4331F938256C3B2BBF5B5B,SHA256=0D3EEA5D69A50383603D6F6ACAC018A41D5AA66F1C856FCB4AF1E3D377C1F5F8,IMPHASH=A565AFB6B6B395634EA6900D719772A1truefalse - insufficient disk space 23542300x8000000000000000330210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.654{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmediamanager.dllMD5=7B355870F6662F59D5FC03C7503FE400,SHA256=8322C2892E1A7CE9A047F6DDD3FB812F90D16E3EE8369A6FC32FEEE9AE404B49,IMPHASH=3DA6D478D056812E298111A6FC5D46F3truefalse - insufficient disk space 23542300x8000000000000000330209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmcodecs.dllMD5=49CCBC9CCD775D21B3CE42C006C2BFFF,SHA256=BD4C2197730305E9FFCBB43D72613E3A6102E11B3375371B9A364BD3AED43AE7,IMPHASH=7675F9185CC1B9959591399BEAFCD9DBtruefalse - insufficient disk space 23542300x8000000000000000330208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTC.DLLMD5=CE48673B71880B6F86B665CFF0C6BBED,SHA256=C4C9AFB75CC9CD9BEA4B842F35274722D4ACF45C30C143BDC32A87835325373E,IMPHASH=BBA6632874749D55B962BB7CA62C9AE1truefalse - insufficient disk space 23542300x8000000000000000330207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RSWOP.ICMMD5=56FF7DD019EDAFCFAFAAE00E1FEAA245,SHA256=48D1CFDCCF06DABFECF0C2B535EACD8A5F49560F0182691CDD713B6389A30510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\roottools.dllMD5=FD1EE5407B6F3E4E016797EC8981CFEA,SHA256=B92C8AD77B3890731500421D6BC4751E522FFABC585D889C85CCAE8C6B175C22,IMPHASH=71709DEE72111E556B3034DC99F56AD2truefalse - insufficient disk space 23542300x8000000000000000330205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Resources.priMD5=F4DFA5024FFCE8B666FE85F4D1AAF646,SHA256=31EC93F60CE144E101FE417831F25653E3CC481382CD07F88AA90B22E7B9F408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\REMINDER.WAVMD5=049A11EBF7EB573C59665BFDBC475DB7,SHA256=DDD77F14AA2B47C364C516FE5FC965377CEEC208B868FAFCF1CFFFC254B29A51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\REFEDIT.DLLMD5=B5A717B21C40E08DB618E5ABCF26BC6A,SHA256=7A5C7A4527E897B03FF3739D754EBB980672A6ED8BECC5AE3EE0B8DF0CF4ECF1,IMPHASH=CCBB1399C574D3FA2CEB4DD30B1FC9FDtruefalse - insufficient disk space 23542300x8000000000000000330202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RECALL.DLLMD5=496353FFA2E85AE3B9EC2C6422293999,SHA256=85044CD760F08FA6FAE04D1907C5F8F04C374FB81DBA701EFDF8B5572DB28C97,IMPHASH=B5A4918C3856096DD9A68F19D3E792CFtruefalse - insufficient disk space 23542300x8000000000000000330201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-win32.dllMD5=624DBB1ACD2045581B3FBABFF0B9F1C6,SHA256=3598BD4FE8D4403A93C2140542AC82A3924296402EB1667D8C600EA142928549,IMPHASH=A3F19F165C4B79855C577C923C0188EAtruefalse - insufficient disk space 23542300x8000000000000000330200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-sdk.dllMD5=354C9E1CA3B9AA96D194E5F1C22258AA,SHA256=CA3D43B8194FEBABB15584BE4813CF3FDA49D40CE29642581E58075D998ED14E,IMPHASH=45FE36BA724F7BF7E592B1DB7734E818truefalse - insufficient disk space 23542300x8000000000000000330199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rdpqoemetrics.dllMD5=90E7E92F455ADEB975A4DE86E99C9E1C,SHA256=9A6BCEBC704E5C794AF3B306E3A77805A43A7E35059B2478FC9A981119FB6FC0,IMPHASH=A92835BE0C914FAA6FD9AFA77B9DFE92truefalse - insufficient disk space 23542300x8000000000000000330198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBTRAP.DLLMD5=9323929F4B0CBBD54E546735B43B5D11,SHA256=D1BB5626E0AF6E5A7FAC095EC247BA3082B59C594901969A48195B3861847F5E,IMPHASH=1336E593103AC0586E45D6CD022A867Ctruefalse - insufficient disk space 23542300x8000000000000000330197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.451{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBCONV.DLLMD5=7834F77ADF80D73ABDC616B2AB54FDEA,SHA256=509B2108EE6CE6FFBCBBDF6ADB4C92F3A37F194F569C0667C7146FB1DBC8A182,IMPHASH=E1E8F6D0169709784BF07A6B833F2C70truefalse - insufficient disk space 23542300x8000000000000000330196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUB6INTL.COMMON.DLLMD5=E94F0C26C59784FB770C515F691E8DD4,SHA256=CEE05255672194E169B09023D123C2752E3B32551134791F82482AD59895FC73,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PTXT9.DLLMD5=82DDC4126ECDABC6D0F1308ED48A0120,SHA256=81CB2CF766737FC365A0B1C0DA5C477B0471F2499036CEE82B3638C8AAAAC8D4,IMPHASH=8F1076EDE6ACB961BF80A3C534C4DF8Btruefalse - insufficient disk space 23542300x8000000000000000330194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PSTPRX32.DLLMD5=D969801D54C92FC817266B2156DC5868,SHA256=BCF9209156C82F6CFCB40BDAD7799F319757539ED81E505AC6A42C60578CE814,IMPHASH=0654DE129041CE68B9EA7E257F29908Atruefalse - insufficient disk space 23542300x8000000000000000330193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Psom.dllMD5=7005B95BE93BA4D7F9D8B638B7FA6AA3,SHA256=63FDEB338383169CD54B7A8F17B5E8FF78BD6E1639D58EC14C94177A697E1758,IMPHASH=A3CC74FF72B1F15A8E64DDCB302A4A3Atruefalse - insufficient disk space 23542300x8000000000000000330192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PRTF9.DLLMD5=3726FDB8E9472400A5B8025D1207CC8D,SHA256=6D182A343EA0127AF3680A7F9DBB77BC54415F369726879D4A43605071BDF015,IMPHASH=6E2DF4B392A763A7F5AB218CC80F54BDtruefalse - insufficient disk space 23542300x8000000000000000330191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\protocolhandler.exeMD5=0DC8045212E28F553E0484CD995AF12D,SHA256=E4DA16DF43FC983E8E6B5F063B1EB135F72F73BD3BBEEC86360BE818520E8866,IMPHASH=BD6FE053E8A37B55BA5694E0D6A29A22truefalse - insufficient disk space 23542300x8000000000000000330190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModelProxy.dllMD5=A534C8C91FEAF3A7A95A83B876CB93D2,SHA256=597289272A75452981B50851E5105D400B8587BF13408AB518F4B3E366D0CC93,IMPHASH=4ACC4EB4E9E42D7B4FA63EC0325646E5truefalse - insufficient disk space 23542300x8000000000000000330189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModel.dllMD5=620341EB870FB6809BC98DE1F4A4BB30,SHA256=63189214A5B3CC77C7A1CD88E61CA86B5BD1ED6B15A764D79E1F8DE0155B5088,IMPHASH=BD5DF9384673A0CA126A8501521E16AAtruefalse - insufficient disk space 23542300x8000000000000000330188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPTICO.EXEMD5=17363EF13A7F5FC33154AA0AD8C835A3,SHA256=67F0990F4D6D430DAA7A40268EE3AF51545299062C4C215B07C25F1D535F02EF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPSLAX.DLLMD5=DEC6D2A5D7A55E7F51C67FFC6770AED0,SHA256=2AC23D8302F62C44EA7CFE325AC66AEA14D60E47FA875854FABB5A934754630E,IMPHASH=51D40B72D55DA18532D11F815EF547C0truefalse - insufficient disk space 23542300x8000000000000000330186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPRESOURCES.DLLMD5=3FCEBC553D6B0F157C9D88FF4B70B477,SHA256=5B41A9948F11CE8B7D745393DA40978A16DDF2D0D374C7FFE40026AA212F283C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.091{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPINTL.COMMON.DLLMD5=40BF98F0908656819527782655677F4B,SHA256=E5F4B58DE15DD98B0CB218802196788BC65D4768AF2204603D47424D545AFDE3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:37.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPCORE.DLLMD5=A2A3D3F1F514201BA031652BC02979B9,SHA256=1F852C8B7ABEDBBFB9F848785C0B536488EB1F7EADA69DE5F3D7DCEB9457FBA7,IMPHASH=3737CD50F0A75940BE5172283BEE9D9Btruefalse - insufficient disk space 23542300x8000000000000000330266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.859{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWDWG.DLLMD5=BF199A6AC27AD445D255D3B03B0BC2CB,SHA256=17D587FE8E9CB1AA72AE5FD32606D4A16FA70852AB7B02249DDAAE78537325F7,IMPHASH=2413B78B61EBB333F1FFA200334E9748truefalse - insufficient disk space 23542300x8000000000000000330265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.813{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000447995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:38.871{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3832DDF69231D5D816C4ACE474DECF8D,SHA256=82A837C12254ED81200B46F7427BE65F38C5F46B6C07ED8E8E5CEBEC85E1B812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VPREVIEW.EXEMD5=F6C81B25B28ABF186D382182F846FD0F,SHA256=58EEF51CA371C8BF03AC9BA579126FCC0107E6E99DEE0EB0158686373F205ED6,IMPHASH=1F0693FE52EC986736E17331E2E89D05truefalse - insufficient disk space 23542300x8000000000000000330263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VISSHE.DLLMD5=208D0A700A7D1181E48833550B9D97B6,SHA256=83E1FFB767D5A3A73E66E02F87C77D959442BDD65278EC359731B9F3E54A0B9B,IMPHASH=5622310C974924E76DE7D24DAD6B4F1Atruefalse - insufficient disk space 23542300x8000000000000000330262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCRUNTIME140_APP.DLLMD5=92C768E88976CD8B9AA74575D442A1BE,SHA256=57898AC402F716883F0977CB6940C7752F0C6F833D13082D74399A9C084DA659,IMPHASH=C33ED74D88F3C03CE8DCE4AB589DD28Etruefalse - insufficient disk space 23542300x8000000000000000330261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140_1.dllMD5=7667B0883DE4667EC87C3B75BED84D84,SHA256=04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69truefalse - insufficient disk space 23542300x8000000000000000330260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140.dllMD5=11D9AC94E8CB17BD23DEA89F8E757F18,SHA256=E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302truefalse - insufficient disk space 23542300x8000000000000000330259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCCORLIB140_APP.DLLMD5=0794587D908DE9A5EE3F40DB0C8775A1,SHA256=0E7DAB2E793BFB281494B4A67802B21795F96C138BE043C6276B811213221FAC,IMPHASH=D83358D1708F2252F92437461E0568DEtruefalse - insufficient disk space 23542300x8000000000000000330258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.734{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib140.dllMD5=7EF7EAB654DF53E087AC4703C9EA0B16,SHA256=13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8,IMPHASH=D5EC94CA50152CC1E7188B825074FEF2truefalse - insufficient disk space 23542300x8000000000000000330257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.734{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib110.dllMD5=2AEB4F8E2BD49FA46E7FCA142A1003A8,SHA256=F5F635C0CF8252B81C8283AE7063E5BDBC7D608EE8798EC6064707B489339D5D,IMPHASH=26901E30C69F9783330D2859D883C1CCtruefalse - insufficient disk space 23542300x8000000000000000330256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\v8jsi.dllMD5=FC42A8A77D5FECBCD9F9374D1211B407,SHA256=7D43064573211448E07E5DC947CA3B1A512675E47457B8289D35025A3D6BEC99,IMPHASH=8BF54CEBD330369A35B30D555CD66807truefalse - insufficient disk space 23542300x8000000000000000330255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\URLREDIR.DLLMD5=9B1D085A29B6AC9FB8415C73CAC8B72F,SHA256=FDA4FAE413C0DE5DA6051BA23E9308B48D014DA16919F4CD4BFC2E56DDB65F2E,IMPHASH=617E3A50A88188119297C51EC1EF89FBtruefalse - insufficient disk space 23542300x8000000000000000330254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\upe.dllMD5=5B39C4F7D608FBC27BD3250800FBE306,SHA256=12FF01991666D969B5BA10DBAE87CA79FA027A60475B1C40DB9D7F28E79E937A,IMPHASH=6AED618F629FF7545252CD0835D75FB5truefalse - insufficient disk space 23542300x8000000000000000330253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCRTBASE.DLLMD5=9CD0AFF3E05FCA90BF9A227C94669DF6,SHA256=FBED69A52FDCF571DD37FE4CC63CB86ED3732B5B998807F14968788027C00754,IMPHASH=1D85FB9CE80726BDA08CAF2946EF5F93truefalse - insufficient disk space 23542300x8000000000000000330252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Ucmp.dllMD5=6ED152673C0C0C283FB2BAB8943B2972,SHA256=A39DA726736611943782B48239DA7BB8AAFFC8906EF3895E261F4F9C753236B0,IMPHASH=07EBD435E7754233F04599ACEFF8C9B2truefalse - insufficient disk space 23542300x8000000000000000330251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.484{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCMAPI.EXE.MANIFESTMD5=4C229B2EFFCF7C01279D96F9B30BBD72,SHA256=98E4A36ED47D1C99A32394FDC445D01C71F5CC7D3CC385A96E62C82BC78A9E6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.484{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UcMapi.exeMD5=52F230AABE58DACDE8AEDFBC7B289694,SHA256=F6A64537B7D05E516112CB11BC38654C72F1ECC77F5CC636DFF56CA0E3879839,IMPHASH=6D1C8CED669AD50FC0A101A8D97B0C2Ctruefalse - insufficient disk space 23542300x8000000000000000330249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.469{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UccApi.dllMD5=E0589709774881BE50091BDDBC374065,SHA256=79E2CA7C904ECC4E9A07171AEEBABBB023EB6AAB63EBE6B1E565EC99228046ED,IMPHASH=250670D4383B3DEF81B1D389955823F9truefalse - insufficient disk space 23542300x8000000000000000330248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCAddin.dllMD5=B4967360D566086145296659D33AABA7,SHA256=287616878E8BF2D8DCE066D8F2476FAD4458D73041676CA6810C22D1A60F8FBF,IMPHASH=52EE43B6C8076104B51CE3CC035CF7DAtruefalse - insufficient disk space 23542300x8000000000000000330247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.359{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Uc.dllMD5=B7D4A67C3DFCAC0F1D84634ABD05EDAF,SHA256=48DE88BB99B08B8EC80045EA8CC525DF7DADB7AD8CB30241DA155E984517B6D0,IMPHASH=E420BFD900A2A911F46D6A7A1BA9A933truefalse - insufficient disk space 354300x8000000000000000330246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:35.430{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50999-false10.0.1.12-8000- 23542300x8000000000000000330245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.094{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36915C94FB269DCE4723FD08DC8886CC,SHA256=8D277A3CC2ED8A98029CC0CBCC57F2D302A23498B0D8E4B2EA393626B643F0D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\tmpod.dllMD5=7C60FBF4321B8016F0893ABFAEF11EAB,SHA256=28DDEB8BB981F9741DFB9F0448167D239E0C7E98C30D902B030062AB677A4423,IMPHASH=0E76970054AF6928928A8AE6F29CE0A0truefalse - insufficient disk space 23542300x8000000000000000330243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TextConversionModule.dllMD5=A4880852055A4B436357FA2BB62090D3,SHA256=C960960D87651944FD8350833B0BCB545AA19BBC784BEE6952286F7E29F2C8AA,IMPHASH=0AA2666B082F89A718BF34460CECF9DEtruefalse - insufficient disk space 23542300x8000000000000000330242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TellMeRuntime.dllMD5=27C7EFAF8AD1ACE87C8FE81E5122D7F4,SHA256=E3AA7334FCA6F2298DE266B39DA59FFBD84350DE3C939E19264BD1E0E38E073E,IMPHASH=46F3FFB719C5AA6EC7AB3081B0B10F0Ctruefalse - insufficient disk space 23542300x8000000000000000330241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TecProxy.dllMD5=0305CF327E4E81854E7E51624897A0F8,SHA256=F1982296E4B40CDF124F2FD6045D074742678BC2018CEB8F5490F391D27A9442,IMPHASH=C0D7B520F2A3DD181DA804F12FBDFFD1truefalse - insufficient disk space 23542300x8000000000000000330240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Tec.dllMD5=4C340C959372553C4C3714815E13A172,SHA256=E7B06655A3896C12DDD32FC09F98F9C6370862AA0DA95AFDBF002001A3EF7A7E,IMPHASH=3FA13FBE5F49DB42B889C83194389961truefalse - insufficient disk space 23542300x8000000000000000448016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.922{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F470E6019FE803D446A1D7BA6724CC,SHA256=E12D0030AF36FFAD51BF3BACE1E40F98BC82BD42E673AF98BB87D209E69598C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLICONS.EXEMD5=0BEAFEA31BD6853749BB0D607BB59EF8,SHA256=A665E024E6B2B2814CD1F99B3095DB372AE52EFE87BD1C4BD60170CE0FA5486B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.889{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D402EB49B756812D8A51F50A1A3A12C6,SHA256=882F5291B1F1BF766D154907F57F255517FDA11711F1DA3F97F557D916A2A7D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLCALL32.DLLMD5=6AFE59DC92C26B07714DD5C237C4417C,SHA256=3117873CD5F35C876F655D0B3FDA03032969380EA1B14D0BAB837234DEB7AD23,IMPHASH=B70F03489F6927FC13070CA1A92C291Atruefalse - insufficient disk space 23542300x8000000000000000330285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WWLIB.DLLMD5=728A577C6F4C9693A7DE0D0E9EA8D17C,SHA256=0E4CB5EC5BD0805879666C09BE7CD5F743BE5A332035EE7809DE6BC626A01325,IMPHASH=B37B511BB3A366F9F6EA28C6D6A2C871truefalse - insufficient disk space 23542300x8000000000000000330284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.389{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\wordvisi.ttfMD5=A94ACFEA575E7E6EACBDE1A79EA43C2C,SHA256=23434E62C5281CF8515DB32008A3F9AC767CFC45A670F765399492897C45BC31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.389{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WordInterProviderRanker.binMD5=D417869BD8D8EE882404CB0A7C07C443,SHA256=40C8CBA69D6E7BFEECBF7E7CE096EA128BA8926899076C9FB1EE028BD979F395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WORDICON.EXEMD5=5ABC7FC31D3F6EB9DFF971398E8A95AA,SHA256=2D0814A2904CF2BD40B65080769DAED4DD13FFF017B0940BEFBCDA1AD91EDF5E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\wordEtw.manMD5=5A7061C29C8BE143BF85D3380C15C266,SHA256=18C67F86332935A3C03BE856E886CD9310D64D5DA5E6334A0521D56D8E8B676B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordconv.exeMD5=330B92626548592536B3745B600BF48E,SHA256=ACF9A58906E1BDD78FDD4B66FACA65FDF8612BACBB9CDB00CD2CEF96E0321FA2,IMPHASH=41250A52A69569F026F861DFFFFCBFFDtruefalse - insufficient disk space 23542300x8000000000000000330279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WordCombinedFloatieModel.binMD5=2031DE7AB45FE9F3514DBD6BA3A4F7EC,SHA256=6461C04DED231AA45A856A6C2258B581F7FB19CA2612179CE4053B72E95C1AFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnvr.dllMD5=B88CE94EA7F5F1DCCFD12A30AE35BB90,SHA256=85A6CE89B6512066AD989C481063C73AAF9291AE22804FC41CC06D575568616E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnvpxy.cnvMD5=ABE856199C4EC87FA83C1848B31C34AB,SHA256=52124EE37E25AA9EB66BCD1C7240D835066C5E4494AF7A773274D27B761F831E,IMPHASH=04BEEF1CB3F40C73F0C492A42DC21FD6truefalse - insufficient disk space 23542300x8000000000000000330276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnv.dllMD5=13725801B27168D9D88D1AEF08936D68,SHA256=07ABBB3E885E18218476174EE26F36F2A753A750891826EDB8F0D0A317C85326,IMPHASH=40FCE11006F417A1ABD309128ED4CD83truefalse - insufficient disk space 23542300x8000000000000000330275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.232{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2E226297693125899CF9A9A226FBF9,SHA256=894983CAFAC5A696E3516DB789484C762714929E74194EC7D30BB72AD53CC232,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WINWORD.VisualElementsManifest.xmlMD5=11D9E526D4E1C06BE18795CEBC14B8E8,SHA256=3BFE25F1B95D97AD0221922C6669DC478DDD95EA4AB551C9D72BC3D629FC1E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WINWORD.EXEMD5=9C8E266B670CAAB8E2960F10827E60CD,SHA256=D2E821116801AC66409200516449B8476ED8496A7B85EAAA07AB51DD1B62323D,IMPHASH=EF259630987458939F79CE186A332DEBtruefalse - insufficient disk space 23542300x8000000000000000330272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.086{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\windowsspeakerrecosdk.dllMD5=D7AA48F1CECB2551AB52F02420301E8F,SHA256=C8A19927C73527AF0582DC31EAD021CE9F7CE0B4808801FC79A20E17B0466991,IMPHASH=9DDDAB09D28460F8FCA0A532CA00BF74truefalse - insufficient disk space 23542300x8000000000000000330271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Win32MsgQueue.dllMD5=9F68983043E7F64F816E3FBF12E9F38A,SHA256=1C045360DA2C61124CEF69B6B9D0091AC167B44B0DDDBF971133750445E91DEB,IMPHASH=622B8BBFA3B4D9DA0A947135EA94131Btruefalse - insufficient disk space 23542300x8000000000000000330270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Loader.dllMD5=25AEEA790D9DC592E27651C258D4E979,SHA256=A8D76B0B6E8C87BB61AAD28A69F71994C963A2E70294D01EE8CA1EE9C73CA6AD,IMPHASH=DC9FBAFD0B96C0A640DF70F088BFD2B0truefalse - insufficient disk space 23542300x8000000000000000330269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Host.dllMD5=CEE01EC8C879378ABDA16ED664FA37FD,SHA256=F903D4C2807DC8A01BBBCA9022E8D40DD1969189CDB6F30E13913CFD4A5F6256,IMPHASH=DF37DD7A7DB439F261334C83D518E9E8truefalse - insufficient disk space 23542300x8000000000000000330268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WEBSANDBOX.DLLMD5=BEED8B2FE693DF80389C0216531499B8,SHA256=EB4FD088C438FD2FCC40DA5111CB169EB97C086C9A5FF436C0F0BBE86112560A,IMPHASH=D8C051EBA295E7BEF6C4FCA49DBD3CDFtruefalse - insufficient disk space 23542300x8000000000000000330267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:39.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWER.DLLMD5=4D709D6C70A6E68475290B2073D584BD,SHA256=926E72CA2DB882C11920F52FF1685F4A444966AF91CD30EC755AC6FDA3F9AACC,IMPHASH=6839E6AC0FC6E7F08B4B5E2561A076C6truefalse - insufficient disk space 10341000x8000000000000000448015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.810{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.798{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.791{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.780{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 354300x8000000000000000448009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:36.810{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.714{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.690{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.649{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.629{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.612{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.580{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.511{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.484{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.452{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.433{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.348{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:39.342{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000330557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.995{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LCALLIG.TTFMD5=23CB1A7D54469B3E8694A8BFE24235DC,SHA256=5C7E6C59E09C38C4E280504741BCFC051C95A9C931B3C92C03B7F2733F580622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.991{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000330555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.991{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LBRITEI.TTFMD5=0B98848F13A5064A6AD70B64B57B6295,SHA256=D347D9AE8A42C63ED7DC15BBA992D00EE9E606E0AC499A8022757C275855F612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.990{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000330553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.987{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LBRITEDI.TTFMD5=165F9F6FA7E111A2D7D7A47EE0D356EA,SHA256=B2D15815CE8F722E22885E67562A66F512F6412399D9400AC01FECD718D54839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LBRITED.TTFMD5=08E0DF984954C5BAA5BDD314187F43CD,SHA256=8012EB0EC90AB1B7A40EEC8987927D5764055E332BDB19AB5EEB3C1CF67987C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.981{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LBRITE.TTFMD5=825A2395154F2A944B653BCB7839DD27,SHA256=736EB3BDC990636D283384CF6428B03A6632AE16E81DC72CD28AECD0CDADB017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.979{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.978{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7803BA3E920F460F8FDAA0671FFD6665,SHA256=1C7ACA0172870747D9CA137EA7AD30472A70BCD323D56146ACDD2C3434254F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LATINWD.TTFMD5=B0A2D09878C1309345795EF79F40367F,SHA256=D64B9E6668069915AE217548B010BE1B52BE99BC923E88E148A83619B0102868,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.973{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\KUNSTLER.TTFMD5=564DDB14FBCB4963F390ED661A60CF1F,SHA256=8A9783E50F3BF892D958B7E61990D6CCAEE65DAAA0FFC246D3E1BD4FB0104B41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\JUICE___.TTFMD5=E7BED05C30089838608B1C37988D78E7,SHA256=EFEF0FA6138C648F9B5694F11D3372CF2733AE6126C91DBC7B2327C00546A699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.968{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.967{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\JOKERMAN.TTFMD5=EEC0608FF80827A878D7DA11B3B71857,SHA256=D0D2D8EFDBF07DF506C87F9CADCD5052A6E446C99570177B1F98555661C6937C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.963{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ITCKRIST.TTFMD5=A60FF8FB2AD06679257381C2EE3F15E0,SHA256=A298C30E23BEB222A016AFA24D4D8F389F30AC3B8BE6763F9F94199C3B11FF0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.960{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ITCEDSCR.TTFMD5=CA6F91C0CAD2FE33614026D17117601D,SHA256=60C4F425563B12A6C0223D5C65212FFFB42F4B3D84789084AAE44C42F3416865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.957{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ITCBLKAD.TTFMD5=3FD720312D86FC1944351C0219148484,SHA256=2934319D3C6BA08A4477A3DC4F08695D4B926FC81A316F7A278E780AB5C9609D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.951{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.949{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\INFROMAN.TTFMD5=759E59B34646E12AC98AE13E4077D267,SHA256=EE066D11D2933638A5D00C242A24F2C9B8BD68BD3DDB3B334123F8EFCD539F03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.946{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.945{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\IMPRISHA.TTFMD5=B27D4AD5FD7F7C5044C7CBBF2DAD758D,SHA256=9DB1F3315D5C18572381F3880BD2C171FA1F49A1CD6E5F5F8D97CC1317911F06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.942{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\HTOWERTI.TTFMD5=4E123DC335F4C41671E597D37EDCAFFD,SHA256=8F7699A0FD02DE79D565FBD5205BE070B777B790F028C1FD7E6090E34ED81BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\HTOWERT.TTFMD5=9E23421978544D8E00A00EB47740D280,SHA256=D5ED7DBD872AE77E6E30CADA5287DBAA1BA755F962D0672C5ED14BEA08F08422,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\HATTEN.TTFMD5=FB00DE748EFC6A476F3CC7B87A582AC9,SHA256=40E898E471FA4DE3CA09A6DFED961D00D6395AF20FE6CF1C6B83C795BEA04543,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\HARNGTON.TTFMD5=DA5337433104660E9E064EFA431E20C7,SHA256=F482F5760773767D798C64F470C08C140588E7B07510094497E7A89C3F2F319D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\HARLOWSI.TTFMD5=A59B318FFAB16DB77922CBE4762FC1AA,SHA256=A9488A827468A58C7BA78ABC284A949A27F7EF4BCB921674B354D926D1C216C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.925{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOUDYSTO.TTFMD5=A72A7FBCAA9A8D77295E466C12C1F749,SHA256=AB475061E2479350A315BF3F72D65AE9ACC37BEBEF4CF8DF979F8F6CED659216,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOUDOSI.TTFMD5=832E3CFB4368F895AC5805CB9FFF7898,SHA256=71D2D85781689DE6326A229AEBA2D143A5B3E8A4F0FC93B75AF197FB63BF05BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.920{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOUDOSB.TTFMD5=856DD110B08628F38F8FCFAFE6FAB19C,SHA256=F3CD0E13E4A0ED77522B1AB29061DA6658F449D1D89B56751CDCDEED86DA47E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.918{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOUDOS.TTFMD5=78D7BDC55148AAA3307A1E8AD735C40F,SHA256=380E2CD97160E14042CEA52FF785CA92D966E29F873CF2B93E1746F3A582EC74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.915{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOTHICI.TTFMD5=89D1D828DD7407E8E5FF6AA83CC5B294,SHA256=6CF57BE6F9D0BD60BD5DC6EEE7C11E87E5B19DF210156495A524B974185B9FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOTHICBI.TTFMD5=ABD76D61050C97AB0E7BF2DB2D9BD5AD,SHA256=2DC5949D57D2E172601FB6F5093C1FBF15A463E29ED47C4C8FF2434BAF1C2B19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.907{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE00E09B2760DCC20A7D42BE4ECEAE2,SHA256=140694EE06F51FEEE86CC54692C7FC1E4256B2DF342637D13519B9FFD47BCC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOTHICB.TTFMD5=BC420C1C2B98E2EE8B2A75C1CE1FE083,SHA256=90CB613B492874A560C0FF18A3402B1D24FB7E846DFF11295D5C4644D6C75E83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.899{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GOTHIC.TTFMD5=CFCE6ABBBFF0099B15691345D8B94DCC,SHA256=3A9CBB5D75B2A2B0D22DC94571608E4E9DC7B88E825374985880C5722C1C9E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.892{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GLSNECB.TTFMD5=3507752E156A0AD7C77146F096DB0D0E,SHA256=F44727CFDEF37B028EA00283FEE7FFA09B821CE2BBBFA28D518EC48976468EA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:40.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:40.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:40.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:40.370{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:40.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000330521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.890{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GLECB.TTFMD5=141449D91EA53B0C3F08600F47ECBC0C,SHA256=962EBE317BFBA70511C4F04CEB3A7160DEF7E3CE8CFCB035FDDCE7EF202FF9B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.886{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GIL_____.TTFMD5=D084E51196D50DD6735FF8A6E4D6F4F2,SHA256=F6664B244192AB4CF3A58BB6A653700D1F345D03BB8879888BCEA1B6F8F3F97C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.879{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILSANUB.TTFMD5=860AFE3ED9DDFA8E430E7AFF2865A2B7,SHA256=A74B5E4489BB98A96FF5F727BF33DD922703D0F3069F4CE95AA2C5D7F92D2253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILLUBCD.TTFMD5=A4AF6D9424CB97897352E04516A9AB99,SHA256=9C96A89A866BCC0B36D1D80F61EBB6BA9251CF9708E0060AC94546BE57DBD881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILI____.TTFMD5=FA19359635D5FC6FC94E29F23AE9341D,SHA256=5B81F2B18D3B19BAA4CF151CD6EB6C49F8E0E58194FD0A02995CCCDEC803448E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.870{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILC____.TTFMD5=A33D986E9D883DC5B903033CEE84C0B9,SHA256=3216F7D3A15D3107A457B93B5537784108C3237B3FB2D16494D8ECEE0A22CBD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.868{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILB____.TTFMD5=3F3B5DEE5276F99B6D5BFCF7E1A7BE52,SHA256=C95E47D509EADA17F78D730010A5BBB69F60A940C17DF6E4E7354C62262C1AB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.865{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GILBI___.TTFMD5=E5601D483DF85E0727075984CDDD19F1,SHA256=E79F9C1768515A1844BD889092ECEBF5C40F301E4415AD1238A8E2F09CE8543E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.861{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GIGI.TTFMD5=50F152370EEE4AF8CD18B55D29F975AD,SHA256=CF70B1CF7B70913C7F2288F037FE376E159D9E35F0619A2B412E88D7F3F5CE3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.860{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.855{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GARAIT.TTFMD5=338C35B0D38148DB47B4C5D7E056ACB1,SHA256=9CDA64DABB9B2AEF5A810FE7ED231CA34C4CF42AE5A108C368AB6A21AF2C4CCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.851{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GARABD.TTFMD5=2B046114861E21D12AEC68A98E5A7C29,SHA256=76487D4B739FFEA6D64F86D0E6A19A8D0031DC67BA2FA2518BBC1818351543FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.845{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GARA.TTFMD5=13BF8BED4897F08A18C3F708AB11E2FF,SHA256=6204F2ACE1A6C196B95B079F10DED04AF8F431CE8EB2CF3945ACC89B594C3728,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.839{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GADUGIB.TTFMD5=428896FA5B8CCCECED61F4092A19BED9,SHA256=9FB9EAC21906DB8724424DB4D3C651CAD342651F3CC5B2FB96FB99640A930031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.832{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GADUGI.TTFMD5=ABC0BEF3FDD877ABE64AA81D035548A8,SHA256=927FB9474F1EEB09DEAEBF2BD1D2377ECA8C5FE6BBD15BC47EC9CFA92084D5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.826{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\GABRIOLA.TTFMD5=9F6C62F1F041CA9F3D69AC76684314D0,SHA256=29EAA6D65D0F1508D2D550D5DDF4E7E3A4E23CF13B376FF93140A8A6115B2F82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.805{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000330503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.793{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.792{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FTLTLT.TTFMD5=119860DC7345499955660C009993058E,SHA256=4FEEEAC17A284F6F45FC66BD28DA141E6BD904F291290C1214D25D06E7C542BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.788{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.788{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRSCRIPT.TTFMD5=C2F7638BE87032CD75A21EECEFFD56BD,SHA256=DDEDA8F737249E8A2AC17F3E0757525E20631375CBB8B78D99B1462A146CEF47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.785{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FREESCPT.TTFMD5=B6B6C03D8E793ABF717F01172B04F7E1,SHA256=2E131823861483B966F87CA23063BA6F3C0CECF9AC5D785D71ED1710DAB477D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.783{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.781{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRAMDCN.TTFMD5=C379B03BB3FEEB76B9E05ED70791B22F,SHA256=1861E0824E53CA60A04EA1BC7BDB159131448FEC711ED079EBCCBF645DD345D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.779{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.777{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRAHVIT.TTFMD5=7292545B182C1E188FBD3DB9C4DFB680,SHA256=AC70B60F163536B2C0E2E2752262A6F8D1DB6AF43DA73D5CAAB855D369F1DA13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.772{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.772{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRAHV.TTFMD5=59E78317900DF124C3780E2334B0F77A,SHA256=D1A3A6E5937C5923D4138C1F622145F577AE2F97C7F2D0E899ECEC4D0412B839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.765{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRADMIT.TTFMD5=A8454800D02829DD275E52EC3F068227,SHA256=478E980ECFB423400516403CF49587F5B2E6A6DFC2C41CFFCC51C109ADC24EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.764{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRADMCN.TTFMD5=364D488301B62C1E63C04C545EB32315,SHA256=4AB0F4D87991CBDA91A625369E2804C4FB88969CDB1E4BD83B6BF37D07CF9CFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.753{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000330488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.753{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRADM.TTFMD5=082252176F1F4953CEA2A7E5E9F300F4,SHA256=CFD1BB2C9B0E8B624952288ACF9BDADAA64E52BC846E4720E2F0653359E5B8C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.750{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000330485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.749{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.747{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRABKIT.TTFMD5=5E4FEFF742753CABF0060596CB2A5D62,SHA256=2FC6FF3C5253DCA997C68D592E8CFA066B516A782D4B2747ACF297C6523F9306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.746{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000330482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.742{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FRABK.TTFMD5=E130D119682ECB567748343BF7F263B0,SHA256=9AD3D0E5EF31C4A9A98CB0E169E4E625286AA34C712ADD3E001C0100138730D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.737{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FORTE.TTFMD5=60A6C051C1563A067DD7166123A58698,SHA256=7407F0814D04A4CC45127933DF1D6FFAB5C90E5E888D33A7279CD82C36426B30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\FELIXTI.TTFMD5=0016F77F50D636D6EB6336A8A9D5D3D5,SHA256=662AC854D07237D7D6A2E1C0EFBA28C6166002AE8CBE0DF0F58C43F65B21C54D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.733{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ERASMD.TTFMD5=00C37A78F957AB5B14C2C7AABDDACE19,SHA256=856137000A507908E4C289410917DB83D19DA88F6050AF71675211BA68E9E0B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.730{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ERASLGHT.TTFMD5=47620DE5B73D9318A0542DD364FFB8FC,SHA256=D432C14B62C70F4777F9DB5901063B76D8DB88B27ACA46A5FB5B4A4C552C5C3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.727{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ERASDEMI.TTFMD5=9F7891F4F192F1E8360990FADCCCCAFB,SHA256=9633185651DBEC620C26F03E96E8D604A743C93D85E2B51E2F57C795A86CD642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.724{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ERASBD.TTFMD5=D5213044CFAD1E4F4B5D1F3138752A80,SHA256=88D1A747CEC854B6EFD25A2721F250C5623F61A818A6EA5E219408485FC9A3BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.723{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.722{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ENGR.TTFMD5=F3D98212A5FD124474AE99EA8EAEDF54,SHA256=944DD47CC65586F54D83ED55D654C82B179111B2651E6E1D575C2F4BDA55085C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.720{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ELEPHNTI.TTFMD5=6181D6A8937454D333ECFBAF1F8DA63E,SHA256=F9FF23ECB4DD03C511E5462D0B3563B733D4A924579D41C1DF8FCB68D647D2D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ELEPHNT.TTFMD5=FC2CDC9B17DF077275E69B3103F6A30E,SHA256=327EE1DA1A144B1BD7970A8715DAF00159EE1D0A9A81AEB33DCBF02631ED56E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.715{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.714{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\DUBAI-REGULAR.TTFMD5=721B44EBFB0C75F8F78E5DC6FDC48DAF,SHA256=7A0BE62452C4A73B8F86F3B6C1B0915074C47FA40BB658255B3D0B1CDF6D2F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.709{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.708{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\DUBAI-MEDIUM.TTFMD5=89656B3F0A9CB59E470F47C9B68D3660,SHA256=D460CC9F99A343531A93AE4D6DCAC016DD3BEFE64EAEF54FA9B7C4980DA951BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.703{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\DUBAI-LIGHT.TTFMD5=68C64C93560227615BB141B4402F39A4,SHA256=BD55D928275881A6ED2576C6B031D161C52F7E6F07EC396A75F00A00E6F6B51B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.703{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.696{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\DUBAI-BOLD.TTFMD5=889EEB6E8A80597B9A85D9667EC2D63B,SHA256=B4CE691C229DD0AD05D945354DEE37EC2F75E031A0C7ADA786BAEC55B88AE230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.692{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CURLZ___.TTFMD5=D2215729B1C20B9DC5E6230EB6497E6F,SHA256=CAF7D153D2860F395F846DB58032173C3F76B57F9368EC08382F728742CF5A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.688{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.687{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\COPRGTL.TTFMD5=4E9A36A2C68BCFBE6EE3FFEE2EF8027E,SHA256=607520E814EBD77845CFB7824D0AFD47FFFF9EA4F335C8F2DB356D3C6396A99D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.684{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\COPRGTB.TTFMD5=C277B2C27239A1C8DE888444341D1C62,SHA256=F354B9E48583DD9CB2A60DCD79EAA787722396D768AAC0608D2AC0751D35BC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.681{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\COOPBL.TTFMD5=8EB03871E6046162EFCE5F2CDF5FA849,SHA256=0518E37FD63C8B97D63A6CE678EACA254F0677AB94D420E99860772ECF348636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.679{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\COLONNA.TTFMD5=470007A3390867B2B06B3E4883BC7230,SHA256=7DA22B3012C6071B7756F6D077ADA0CBEF49D66DCCB7667AB74C97B3748675D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.677{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CHILLER.TTFMD5=B1B2E2DB2EEF02D230247A474D1D66A6,SHA256=64327EA7BCCC5583396D6796CBC535D27C0389906A36312E5811D9EC535C6A03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.673{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CENTURY.TTFMD5=28806FBBD48444F22EDEE13BDDEEF650,SHA256=21BE61FF5289C2125DBB48E2A739FD4DD98C3E58B37ABFC22CC0412DD8376D95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.669{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CENTAUR.TTFMD5=C73219B4E3994DD86E88720CBA0916FF,SHA256=1D9FEC6F9B2B72203EA56A4C7E3B40499984829FF99AE8AE53340FD8D5F07FCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.664{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CENSCBK.TTFMD5=47DA73E52C097234E8CC607631DDC910,SHA256=8209F9295B20A9C3D0F7E5163D7EF9946353E653C40F25E7EF9F905856EC246A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.659{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CASTELAR.TTFMD5=0407ED4AEF00D4DB57F6001E710E0A85,SHA256=5D5DB8AE79E77ADCA68E52454088F3A456F363ACC9F577CC6DD08B18FA996BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.658{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALISTI.TTFMD5=C63563FB94142E1D20DB1C00A8964EFD,SHA256=C7F699A3F94E57187ED36F1ACEBFE3E0460615BA368D14ED0AAB45272844C1D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.655{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALISTBI.TTFMD5=B8178488B4DECB255BD3094B320600AC,SHA256=9B9E45F016B013D92C3CAF1985DB22F85E39C8B1F208636F9AC21F9C135239CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.652{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALISTB.TTFMD5=D267423924483DDC3DBB9E4E94199D59,SHA256=1B3949401E310A5967A4C108BB9BE49E28E69F73095AD088F783035E8F22D28F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.650{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.649{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALIST.TTFMD5=58862B5F5172C3609C9B0CED6DA89B12,SHA256=F976B470E19FDE1971824107182927472CF67A08ACC42F8E2F23951312863A8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.646{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALIFR.TTFMD5=12C13307742D4E286B692CCE7EC65307,SHA256=A779C135081030298594EA50FCDF59BCF5CD341008137931E2FD0E68D4CA65D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.645{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.642{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALIFI.TTFMD5=4963FCD0C4739DD18AD5D5A9F39201B3,SHA256=56B5168F5B847CE0F3280076D6C0ED026681CE3C5141629F5D8EBA92DD1FCCCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.640{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278C0AE64B244611D85689309D1B336A,SHA256=D2AEE91F1074DD883E57ADAF40541DFE5DA1C06D765F40F7A761338FC3D91F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CALIFB.TTFMD5=49500622E8D94B07ADDA1289DFE8D5BC,SHA256=9E23CBA751CDD44DD7466E019B38D29360CEE1ACA62BD4B75DFC5CCA93EA4B7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.635{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CalibriLI.ttfMD5=3567D339A4859211316D2894F44EE97E,SHA256=93798D1047507741959132E544BFC4A071EF060A59B71C76C1A7B684944ACDAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.623{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.621{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\CalibriL.ttfMD5=8FF6C498C08FFB65CA6B586C0E5DBE7F,SHA256=853709C6521F9B211343A3E2B92C62A4A01074DED478B67FB88AD9D27C9F3E19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.608{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BSSYM7.TTFMD5=549DDDCECFD3E61F35F4FDE66019618F,SHA256=3BD67D5982D259580A6D032F375C3B80E58C4496FFD8858B377DD69123809819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRUSHSCI.TTFMD5=240A8744EDC221DFD7467D2D17105FA0,SHA256=B77D119749B51C7AE5242DD093360D5B1C94117469E578CFDD2DE03FDC55EDA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.603{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BROADW.TTFMD5=1061E922AC6D0F148514C785C4E46721,SHA256=A252B1E5D460F1E0E4781146186393E5B217AB379DB237C7BCB8D7C353943EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.601{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRLNSR.TTFMD5=FE2027C27B6A24505F548C6FD2E1076D,SHA256=0B6044C72E67AAAE9C2AE3C8B4BB06D066FDBC02779C68E3883984ACBBE24CB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.595{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRLNSDB.TTFMD5=B6539B6D3432C623D8D4F9CC2A29589E,SHA256=4C50D832F4E1401E226566159735DAE932DD224D795AC57772061096117E4147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.592{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRLNSB.TTFMD5=D725100FC87C3EE6F87BF66BA47E9432,SHA256=AD7D00C413FE11EC423FF5E2B63DA7D403049AB3BABF13D0B2AB34A43F4D4A55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.589{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRITANIC.TTFMD5=E22ABE6DE548655066DF3522DA0FE4B3,SHA256=1AA27A3E349A8C8DAF466E0F89E94B0DC5B9CBE82E0D7A77E04D3DD6E1588E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.586{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BRADHITC.TTFMD5=0252223E8C36008B595F5E379AD5E524,SHA256=1F7AD9E753A88DA096121BD831A7DF72868AC48B8EDEFC8C96C7A73303F1575D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.581{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOOKOSI.TTFMD5=5D3E5403FE85DC7C6920A779D14E0C8A,SHA256=EC990C65DF2BA6EAD654BCB69F7F88BB76910B029F2EDF663710CAE3FDE5F7DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.573{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOOKOSBI.TTFMD5=E7542F998594B425B8728191C4D11D96,SHA256=2DE5E34DAF966BE8E165BD5604AC0714A7946EA2A0A08F86FF04E687ED54D8D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.569{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOOKOSB.TTFMD5=E6AD3E9485E85796A3EBB481164ABEE7,SHA256=EC95C7380AB7F92EBC75BBA6C56A80646FCB450EF6CCCC631852A8B97BE75C55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.564{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOOKOS.TTFMD5=4267D8AA8711BB8C72CBEFB26066C9E0,SHA256=8F2DF7DBC1F2B790F6E6FDD24DBB6C2A96B6E554BA2031C3AB0FE34D322A1B3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.558{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_R.TTFMD5=6DAB0445C8D34FB318948E3CB7362D19,SHA256=17B06990413AB318B9E9F2C05D3816059F56D7A678F4712849A3318A9E5E7C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_PSTC.TTFMD5=7699FAEBC41A8265A4EF97B92548839F,SHA256=D0EFCBB58042808781F33898DC0FBE5342DA22D813415A4DCB394872B1D19AFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.550{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_I.TTFMD5=CEC8A6834241575DCAFBA6D7504D64B8,SHA256=960458B4C0851B8B9F1D047FE50F7FA01DDFBECAEC692521D262660882E9596A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_CR.TTFMD5=E3D5EC4C7E5F3041C277D5CF3D518C71,SHA256=0F1F746F293E547F8189783C49AEE22A8B839698F7493B5915CC5B432C65D843,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_CI.TTFMD5=1012DFD260BF0B2AD3918CEE622B0A0E,SHA256=37194E3C2D5B000443D23DC324B1367CBE2BE40F28C2A6C693E6051210432CA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.542{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_CBI.TTFMD5=91BDF43645BF910C4E47619624605C18,SHA256=24FD78549262987502D83EA0BCE5B47A3A0AC85C3941921B241A73FCA08DD012,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.539{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_CB.TTFMD5=C84E3CD501BEE997A464F9CAAF9DBD18,SHA256=F307DE012E77219A25EF59ADA33820A3E33F6865C911ACDD97440C15058713FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.535{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_BLAR.TTFMD5=266447F91E71C4700D74AAB76FBC3870,SHA256=63261985FC00D6DB2DDA4F22DA039C70F3C4C90AA0F087FC1B7A8C9856F2B551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.529{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_BLAI.TTFMD5=88223FEA14008BF33F1BD87CEDF7ABB2,SHA256=29854F6597CA7B46DB601C7A2EB28C13E31EE0541C7A5A499581FDEE8DA1B1D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.526{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_BI.TTFMD5=5BB67E55DE4EE82AFF5585B7BC7DF099,SHA256=9729E2AE73B15871DB606A18A48B8674CE2BAE35D76A511D3510C4A9DB2385EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.521{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BOD_B.TTFMD5=78DBEC8A37F162877CDAAA6A09A5E95E,SHA256=051B0031DB491FA893FEDDD485B917B24A9D12F15A1E99E782C2420DA0A3FFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.518{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BKANT.TTFMD5=3EFD8E6A45B3F893F54399C6BF4ABA68,SHA256=C019F155A0004760F32079C22C29EF0DDD223D0C2C79E2487122E66D38A53B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BERNHC.TTFMD5=A552118CEEE33DFF8A6ACAB5D1C10B60,SHA256=8715897A451AA9E37353B6CCE5F5F3D853ECBE97DE87756838704EFF47C8CE86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.511{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BELLI.TTFMD5=BA1290CBCB6AAA574890480E1C6AAAE8,SHA256=17B6E7689E333FEA42B19D817427CECF95B86A340BB0AF5BABBA3AB25E6A1B40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BELLB.TTFMD5=F37324D3575C7132E330AF3C8F08DA17,SHA256=DCC8D42EEBBAB6822F736A7B99E1C9D6EE6861B247A19049BB33E5955D991DDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.505{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BELL.TTFMD5=1C4AB54D66597DF75CA60FDCE4F7D5A1,SHA256=986A5B8BB70238E3C896E3113EF581DF26204131F72D59FC12D2DEEF7EF89E4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.502{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BAUHS93.TTFMD5=BA85C44C8386C4AFE97A6A88B3A37442,SHA256=8AFB4DA281E19745D582814BDC66006BD56F43EB2FD0D2F88D854771472420B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.501{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\BASKVILL.TTFMD5=9ECEC61376083FD290B75D94FDACA380,SHA256=529C972A6D5C1992C76E908255F655F98989B74B146058C90555AF6D925A1715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ARLRDBD.TTFMD5=2D1068A7F51E1FC2C63D81165BF52422,SHA256=D9352E7D73711F006A27F44E71808A74FEC109E2342E680E054C4458569F0A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ARIALNI.TTFMD5=989670C4C82248BB6A8CEC3558212374,SHA256=FAF73AA7CE40B77AD19C09507A2263FE3F3CE9FA5642E8A1CD54FB3C9F52D599,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.493{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.490{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ARIALNBI.TTFMD5=56E394B38FBF81AFB437BC00884544F8,SHA256=161B859EFD20C69DDEBB23012A49F4F2030D56A0C1B9BCFD4DF753217CE3E358,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.484{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ARIALNB.TTFMD5=6DEBD7B47FBF196D9AEA1DC4235439BB,SHA256=6C4A4B643461DEF5411E0217B74A625DCF2FB681252EF5DA1DB0AF4EAE80AA7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.479{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ARIALN.TTFMD5=D20BA4EAAF26B7033DA05FD59ED020AB,SHA256=CAD552553CF2A75AFCA01955751AAA115E2A64FD6C6EEA42E1FBD236630B7E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.475{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.474{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ANTQUAI.TTFMD5=23ED00385DAB0F612E66EB0D4AC947AB,SHA256=6B00590BD7A52A94E9E90E35A28C1D2FA03F83F458D2F2DFBCED70A9C1EA0C80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.470{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ANTQUABI.TTFMD5=F351B29BA23C793C7D9B8C46ACDB2050,SHA256=BC546E3E96F8CDD9E6CF02EB5C8AC5551EF20EF4639FF701C338EA281F56FBD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.465{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ANTQUAB.TTFMD5=714EAC0421A6BDD26E69255776F0FFED,SHA256=134A9F8ECF618660305D7D34B6905375C1D5D7838EA15CDB2789BA94317F4117,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.460{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ALGER.TTFMD5=A9BC731EF79E8DFBA0A32016E5B39076,SHA256=D0B3B7CD48A047CDB7FA610D060807BE44FCA80F05CE4BF7557C4800F908E48A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.456{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\AGENCYR.TTFMD5=70777E6BD210190350F7C92395C1860F,SHA256=D672EB87A3787BDAF8F75DF50F9ADE864E2D5C9CDEC5B07CE6DE9D7D39433EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.456{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\AGENCYB.TTFMD5=596E78C7D8F0D85090A9AF4E8E19076C,SHA256=4FDE694CC486B55266F7561C685FBD9153EA0003F0C0C39FC744B132051D40C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.449{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\SharePointTeamSite.icoMD5=B21349B09DD1DF8E99488747F83AE679,SHA256=DB6CF53323E305B55881E24EAC1A63BFC3AAD30DF2F8A37699480F70E66E5351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.448{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\SharePointPortalSite.icoMD5=10FAA114FB8813EE41B192924BE81668,SHA256=DD8075CB0AD654C15E7A8EE6BC9908164A0314672B9FAEB69BCC62E42CF3ED03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\MySite.icoMD5=90F8D4CFA4A0B76A6299FEDF3391A061,SHA256=F358343F8D2239E316E12130EB0CB8EFBCB696705A82444EB46CEADF0D9A2650,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.445{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.icoMD5=20CFAC41BEC781705402FEA5D4189950,SHA256=D0A8A056D73C8CB1710D999BBE2A27176F31AB0D52469242F080C6D36D323CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.441{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\DocumentRepository.icoMD5=17CD612FC869D247280277B7797AFBCA,SHA256=D12CAE5B4E6BB2A7ADC77D52565038FBDA8E3DA919E3EE2890F9DC7159F47FD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.439{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.icoMD5=CA98EA80630E3F5F0DD4AB39BD25FFB5,SHA256=5D8E1D9C9D7D8A54B35B9DC70224E6D6FA19518977492B92D54F98ACE9EFC7A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.436{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\Presentation Designs\Maple.gifMD5=2F932ADC174AB0F538D6107550F8DBCE,SHA256=F719764884E5D8FDE201E46760013D5DC7A4544E93DC5B44F3991D18392A9788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.434{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Word 2010 look.dotxMD5=01333859D6F4E6459C50C12511CD178C,SHA256=3CBFC8E2A36F839181D476667BF72184A1CE0C73BE2E5B96C72650E0F5B67A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.433{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\WidescreenPresentation.potxMD5=C4ADEE19E9F143D27C86647B215E7C89,SHA256=FBD2E9D2F75F3219F65F86D5C4CDC77358629A7977B86AE2C2A9EBEAF070DA82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.427{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Training.potxMD5=5B85EC4FE68D5389F7E8AF586AEC55CF,SHA256=D369BBDA842EDEE056312050F67E64553C27ABD4E696D489AE97255345669F50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.408{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.398{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\TimelessResume.dotxMD5=8C05B1397DE7E423D4579DABA9718BCD,SHA256=BBC9F27D62BAA755CDEE88F8A4931A5C16B7ED34DF20DF9A8EE4E4ADA3CF81C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.396{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.395{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\TimelessReport.dotxMD5=11816E0613E774BB839AA48965F8073B,SHA256=7B29EFCF3FF126ADD282751649BA974BAD926A5834C1D13655DB1FD550AE8D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\TimelessLetter.dotxMD5=0FACC193EAD6D87EEBB1971D8C89F6F9,SHA256=B008A3ED10E960776C8AD33D8B3B09234E95FCFEE3522E913AF9E425D5B6AD32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\TimeCard.xltxMD5=EECA5F49B56DDE0BB8487E0487405365,SHA256=8D4CA2D0ED920EE81D6F102091EDD06E9FE01F194C2942DF25D91EB2C6FA96B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.385{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\StudentReport.dotxMD5=56B5747732F1646BD9A7481F33ECF52F,SHA256=9C06594E9745FED9CB5BCC83EBFF658FA152822CF5AC8DCFC8952FFA69EE948E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\SalesReport.xltxMD5=F43F06AAB00DDB548BC5417E1F159B75,SHA256=FB0D5B968D5DB81D3243B42EA1A03A88B5D08C23536E27E78063DEC6A4A3F770,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.373{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\RedAndBlackReport.dotxMD5=0983B9779F75240B568258EB44BAFB2B,SHA256=3D9E16B417EA33BC59F6F5274EF36931A4CC28BB64214379E9B1949B3D05F902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.372{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.371{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F24ED31F570E0AB24C53CBFE3CF5C,SHA256=B20146D7D09BDAF0EB95DD6CFD15C458BB2DE4A0DE59874A9D7BFABD26FCC8FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.359{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.350{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\RedAndBlackLetter.dotxMD5=CF34599BBAC039285942996D6E6C9318,SHA256=3AF77B8B28052D6223755FE813004B24EBE060C89C2D02E17024CC21B5C4E040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.348{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\QuizShow.potxMD5=D7BE82228AF15500B3F6C4EBF6519ADE,SHA256=31B187069894C07117CBEBAC8F3A0F2EAC908E90FA79F740D62ACBD04F730CFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.345{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Pitchbook.potxMD5=1F7ED3D47AA23E97C556AA35E7F23C27,SHA256=B717F65411AC9E26FCCB41D3229C1C49F8A73DF78EF1C5BB8B8A8F090ADBC936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.342{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.340{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\PersonalMonthlyBudget.xltxMD5=B130EA91B066EB60869D23157EC9EE8B,SHA256=DA9E7C5E1E487F52192AA15BBD8E6782F5D91CDBD080776FC441CFCE3FC41EFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.338{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\OriginResume.DotxMD5=AC597B25FD8DD43EDB85756372612454,SHA256=B6966CBF3406E4AC228422CFE96F1BB2D4393657AFC0F1C825B22C7FFF6DE4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000330366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:38.080{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51000-false10.0.1.12-8089- 23542300x8000000000000000330365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.334{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\OriginReport.DotxMD5=E717031A969928A6EFB2AEC4E192F91E,SHA256=4CD643178C58606C7FFEF180718098BB5B4F1C53F7D8B4F012BB58E6E3491D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\OriginLetter.DotxMD5=EBAC913F422FE9D4BEFE805B35CD69F7,SHA256=AACFA286A06E6BDE809E1CC978DAFCD0F0A8152DD8F0393BD0DCDDCB6562F7AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.324{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.322{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Office Word 2003 Look.dotxMD5=1E239237CBE20F92710C652BFB0B1545,SHA256=29055B9EC899281C7D9FC74B9AD38CCE6657D8FE797D026622C3737BDD31A194,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.320{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\MAIL.OFTMD5=AAF5B5326CBC3397A943A1484E502893,SHA256=72A7C1CF7081B36949737761E83CA37C06D22F8731DBF117FC5A3FD2526E8958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.319{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\LoanAmortization.xltxMD5=9A7A1B52AF5EB4F872A2E8BDB3F24F8B,SHA256=754118AF18E2C4E6E672FD5D067467C59026576573892FD40CF6E1050DD4A057,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.316{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000330358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ExpenseReport.xltxMD5=4027E34E8278D65D7D7816038FC78AE0,SHA256=442992542E5BB38B0EEE35534D2ECCAC5FCB283ECCB88512A04EDB1AA4F8F551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\EssentialResume.dotxMD5=52272DA889EB0009CA6621C0C4ADBD37,SHA256=4FE15E621FAED617E60C6C54844CD48E476A9874DF4EF11FB7A2CEB8AF98AB98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.306{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\EssentialReport.dotxMD5=6E0F270CF2332EC84DCA2E1938B16461,SHA256=9F72157DCEC18501B152850DC94B4B54849520E3CAF5277B714F8EEBA77AA774,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\EssentialLetter.dotxMD5=1E35375DAD5939F95D66109AE855C942,SHA256=FDDA025ADEE441FD2A833ACEA54B13159F26A5523F7487F6E035F6E2DF4164EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ContemporaryPhotoAlbum.potxMD5=0A6AF9FAE53C120D2A7A6DDB5DF01C81,SHA256=445246062A9C3AA7426B54ADF6F92A9CD3E27E2E3163D7EE49FB38873D2F43C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.275{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ClassicPhotoAlbum.potxMD5=1AA0424959027CCD90A951BF6897D79C,SHA256=240D04118A31C15211BCACC0B05E0C29CB5F6361007B067ECFE3F5EC7698E6D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ChronologicalResume.dotxMD5=91762855297F8B970C658442E73A2842,SHA256=C5A5F672E68F0AF008AB319361531B66469BA48EC914F7DA6CEB879608656944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ChronologicalLetter.dotxMD5=817FE47C4A024E9F86A5E7F3E330F917,SHA256=2BFB02992073595D904AE3739DFEA75D45BECBFA31FBB01EBD1F6D83EDA823A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\BloodPressureTracker.xltxMD5=8984147F3276D4A8A47AE57377A344ED,SHA256=C978CFCDBEC683C804DC77D5D7487912D1536DCCA79FDA56CBC21CBBA3AB4D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Blog.dotxMD5=9EB9F3280FBE22000627600198CC3226,SHA256=9991188FAF9393744973F58E9610A16502D7EFD5E9FCBE6C1D7C248C8A927E23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\BillingStatement.xltxMD5=AA968A010F67E531491EDCD50791F5F0,SHA256=7E20E3E8BA071D9FD09CB0CE5F3C99A594F0962E0475C4D4D26B0193FE44148D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ApothecaryResume.dotxMD5=8447AC806C29E3F1CD6552BE8B002FC1,SHA256=B09821F907CC7DA7C8A06EE80C0B19E40DB6C51409D10FB6BAE0D023FA22ACDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ApothecaryNewsletter.dotxMD5=BFA9DF30BF82E06A267678AFAA422DE1,SHA256=0FB1A6D7DC1CBA2276ACD00CE267ACABE119E425BE1670002923F950CDB4BC91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ApothecaryLetter.dotxMD5=426C6B00DCAB8093DA4D85291E41023E,SHA256=1BA826BD7FC21D7F027CD183D02C9512B80FD4EE07923E84CF5200AB58B04504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\AdjacencyResume.dotxMD5=33321E5E6B8C6F9B5388A9481F9AC1B8,SHA256=1C4BA7E768734E6C06B0310F0106F6588CEFB0710259B15E94841E9096A56EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.228{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\AdjacencyReport.dotxMD5=3182DBA17A814B72E35A9B6D5BA47F40,SHA256=DAA134ACC2DD76EE7A6CD7CDC6CB206A1D637FF67C78973EA24B19992665DA70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\AdjacencyLetter.dotxMD5=76991653D1A7B6D829086F6EF9DEB0BD,SHA256=5FC72CE094AA191A9CB86E4CEFDDE9E5DED1A18BF2D463856B34CB10C8E6E1CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONEMD5=9DAC60ECD44418EA3509C27AA8D51A15,SHA256=EAF14134A1A9FA38F56BD6B3C9480CAA4BF2256F8A6F1C314249F2A8AD484E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.181{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONEMD5=FB5D6F40010DCA83B640B5E27DE7CDE3,SHA256=5CFE30EB23F0F48CB09D6495D98174B2EF1EA6E042C9215F0A40131530C0D3DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONEMD5=424F5E056E3CDC9E41913A8A4335C991,SHA256=0F3A0BC2885CFC4E3D817E867911B4885F29B0B5A71FC7D6A61DD21BDD524A65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONEMD5=3348C2B7753249CEF8908F14D2C589AD,SHA256=8DCBA82F583CD44474F82C85E1A83D3C0E991332B236F5FBEC0E4731800805D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONEMD5=0918A08CC2C4492B84965F5AD24012D3,SHA256=8653262927F311F3195925368ACFD739E57E19093AAE98762BC9EA5E1F211638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.119{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\GettingStarted16\SLINTL.DLLMD5=73ED8919240EC7C54B3524257B654053,SHA256=300313B91EC55EFA7FA5144FAFF771A6185AF0FC4E29CEF1C68D1B8051AC0599,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.119{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\accessparts.xmlMD5=9D5FE483F69E44C87DE15DC0C8C1A8FE,SHA256=4F2D5CE7123FD3183EBCA7D239054464EB5AECAC32F8D0F8C5A4D980C4807E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Users.accdtMD5=9CACD96493CBDEE2D06F10E8783BE360,SHA256=83E0D5414330BB74FA05A5D2788697E997082629EA451E30020DFD5AAB1515EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Tasks.accdtMD5=DAC563D20AC0EF78872666332D62E20E,SHA256=F6098B258E8BCF78A1D92256C117AC602DC365D450D256E369764E1E052A01CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Tabs.accdtMD5=ACA652B364D3E5BDDF6465E77C57D3E7,SHA256=2241B0CD80FA64F9B957A23F5C24D0A016E6F2ED8F261ACE68FBE9C6DE06BC2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Msgbox.accdtMD5=E122E18543ED524B7212A0E89F9DB6BD,SHA256=4C75E65D0643FEE511072BA8FDDC79663C94D32054D59C24200BE0B07607DDEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Media.accdtMD5=B961EE75B87C3F4B69B0F7F247B94853,SHA256=9E3F25EE03140CE66A0F7A84F9D589621214F0B40BA11DEF2D395A026952843B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\List.accdtMD5=319E9D5409740A957662C9488A9A25D5,SHA256=25C3E4EA40A38D77C9799B50EEE2D114B3FFB980690DF9EF0B788B7808BA4389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.103{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Issues.accdtMD5=DE7AEA16302215AA08ADB0D2A4DA9106,SHA256=8B14365D5A471C41B1EF81A93EB6A6AFE2CCF7795C53ACF925FA8C75BD77394F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Dialog.accdtMD5=6E894AEB61721CFAA245CD7803E70D50,SHA256=A7B5767F61C2CE8E6DFBC9A77F40FEA2143EB965897EF010C98089B089CB5F99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Details.accdtMD5=7E4D8479A0FC95EDF5AC8AAD2C87147B,SHA256=9A48BDFABFCC5A5EAAF96C82C526CBD07996E87F7EF69DE8BDF1ABA3F1077084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Contacts.accdtMD5=2C7E99EBFFBCD18A573C6D9257050320,SHA256=56796F0A12D8DD9469FB911B34A6DDC8F666A4F00817780B98D188C6FF724B6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\Comments.accdtMD5=7E167F79A81ABD088FE679EDF489C311,SHA256=1B91501E62205EA14D217E985514BF99A3B32AFFDE6015590A699DC435E76853,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\2 Top.accdtMD5=385B5EA13B97DB19D7F19C0E92DA7011,SHA256=3566F662375C9B0EA110455CA6AB77F53F8C656884770B954B3975D622CF47E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\2 Right.accdtMD5=4256F5A0F6B559E8BA2EDEDA8418B537,SHA256=EB3DB4EFED459D01391ABAF4DF3357142BCCD3C24BA46EE9A9CB29EE1070D105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\1 Top.accdtMD5=9CC058D67C961DE8AE911BC08FA20083,SHA256=B67BF95C0B96143ED59EFF625C1D4E1F200F453BFE4E19C2422B0B298E7DCE67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\Part\1 Right.accdtMD5=17006254D1CDB6E355C88816F4CDD193,SHA256=BF6436E911653ED43E14B888CD92DF6A5EF0532ACC02B586DA6D43C519BF71BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Tags.accftMD5=01B027BAA855AB888E527F93F2863293,SHA256=46179DA7C540712F07BD76F23CE01D3C2D0D0CD47F648CDD333FC33780EBD6A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Status.accftMD5=82C794D5773C237DFAB0F2BE801EC3F5,SHA256=92DA93F4A6B7DBCA5E5C46CB7266E13F7226932AD83B8C5E3A82BA4A7BF41BEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Start End Dates.accftMD5=27EAC5F6A50A2BBFFF9880BA343ABC99,SHA256=BAAD159112615BFC0BB7673CA0B408587242ACA634A77286F01169E3C4A7F30A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Priority.accftMD5=996E04449FA17E5CAEA467DBF41E1169,SHA256=E91D88FF10B8A6288792E44360C141E5870FBD94E5F8F616488508B96BDD7BCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Phone.accftMD5=A9BB8AF495C55E78258EC92FC8C0C664,SHA256=25CF81D2BCF4B3EA18407AA04DB576889BADB302206B33B96E1BC529AA9FFD26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Payment Type.accftMD5=872A01D4C9E0EC68C4EB5D62A6B4E039,SHA256=3F3CDA238E2D052048C0065F5C5C5E6BDFEDBC066270A44770F7A7E042044A4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Name.accftMD5=5435D0E28DDFAA4F6E447D756AD6DFA4,SHA256=53B8B962BD8ED494622F6AF83CE41B1ED2CDDC6C2960F58176592A4054C57A3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Category.accftMD5=47548D91CE30E783111E36764DA037DC,SHA256=95D0F140D7CF07521B177E9DB9702F4EF1B1B1065B7A5C28E5CA6D768F43EE79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\Access\DataType\Address.accftMD5=D251E345D39887F1136186AC0564FBA4,SHA256=47922D0A77275B887D9FE45076907150B89E599C936706684F7F871402813E27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\TECHTOOL.HTMMD5=CF3DADFE83C8241F4A8D6344C2E5C407,SHA256=94F3CD01D4DB699A399B64FB2609F65A35A04734860BB55D3690665EEDCB0B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\TECHTOOL.GIFMD5=716DC829C7C872BBB862E75DB8254008,SHA256=CBDBE57E6243F53B0AFD380FDAE001DD7CC7D7F9EA14F1C236F4B202E679917E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\SEAMARBL.JPGMD5=35A12C47C321CB1FFC89C51A26DE6442,SHA256=3C2E969F619771C50743F3CBFD2AC45232E415D6DBA35DA9AB3E396A2AE082EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\SEAMARBL.HTMMD5=28C2AD171AB8B37E5E9096DE7014401F,SHA256=945E2FCFF1E6F1F1D6C3EDD31C143060B0B08B6E0BFE8E2AA8FC6BEBC477E3C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\PINELUMB.JPGMD5=13EE239821FBD6583551A20ACDA0AFA8,SHA256=F47BD5823032233EFE5741CF34A4AD8ABF4A7A756F62FCFC8E5E1B35CF3DAD87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\PINELUMB.HTMMD5=09D581D17E721EBCC730165F2CEBE9D1,SHA256=49F83060C280075DD8BCD6ABB1B9AFF8E56D9E1F80D8544A692BAAC4D707E09D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\PAWPRINT.HTMMD5=9129EB1D1575EAA8AE7DE690914DEDB1,SHA256=9EE2D13462273870CEE9EAC0D7F1CBAE50517002687FAEAB2BA9C741B7258E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\PAWPRINT.GIFMD5=E29AC8D99B6AF0C4E45E16EDED402BEB,SHA256=6568A775306FE92B1D0522831192DD3A00BE15E8CB1773988208F400722C2310,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\OFFISUPP.HTMMD5=FF067CB2C24C2A5AFE0CD4CACB8D4187,SHA256=F6F0DF3DB1B5219A3DEE5E6D628D08BD443AAB04F57C1EBABFDA67123628077F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.071{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\OFFISUPP.GIFMD5=3750D9CA974FBB77DAE536B5AF53391E,SHA256=A5175C8CC8E023C9F77E202999E1919DFB1C65B33BE909CAE40E5568693E6BB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\NOTEBOOK.JPGMD5=F05DB36EA7F31D5801DF60CFD75F8EF9,SHA256=A4318D89FA4632A1901E80D4C421C5FB75CD9EB063257D3BF76865EE898AEAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\NOTEBOOK.HTMMD5=2622DB49EB262B206F3BD65F44D3E1BC,SHA256=7E05874E3F6C5CCD9A498BEE2DF5D6B4032FEE97F6DE84B03844E46C87817F39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\JUNGLE.HTMMD5=E9639F79EECEFDD8CA91D968E6E4B0EA,SHA256=5B40CCA39787F06312DB1B3117A2AAAE6CF2472E857CB01967C78CEA22A83B45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\JUNGLE.GIFMD5=F564A4B1C6965944C91C913631C8B4D1,SHA256=110FF187B02DFDB6C443008C71A9CD831A681560C148A38C8DA1E4F4324ED9A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\JUDGESCH.HTMMD5=7B540514F06A36C2F3F3B2F4E3B0719A,SHA256=723971425D460AB7927DB53C061933CDF6F3DDAA26CD3127C81A1905FCFF481E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\JUDGESCH.GIFMD5=91398899059B056AEA5C3555EE7702B6,SHA256=9377B655AE4CBD749C9E1D9ADA718A48916BC13FF7CCCA9F215667B84E22D7A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\DADSHIRT.HTMMD5=59CECF1C8726502B8792018C73DFBC80,SHA256=B15CCB7D5E972519F5FD750F512B3A5A842F9C5B697A9C4755CCBB4BFC58EC09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\DADSHIRT.GIFMD5=ECDBCE3CD14193CA8AB4EB39A46F8FBC,SHA256=261C61D1F49BDA7227367BF4E627E4C11A14DC801A9A194DE7CFDF405539C14D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\CURRENCY.HTMMD5=579A2A4C6BD52DA5052BE4A7D6C2C04F,SHA256=1FC9016B2FE17847C9A2A6A11274EB77A127FF9B5F2091E5918B1D037F083291,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Stationery\1033\CURRENCY.GIFMD5=8B6605A800F307C7D1C18509AD9A3402,SHA256=B8C29437AB6055F0160DA3395E0E60C16512DAB343B59C8D0828D10F1B5AB4C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XML2WORD.XSLMD5=8DF8CA82283292FAD23EABDA8DFA3991,SHA256=DB5065BFE501148D79DDF901BB1A666AC7784EE54C30D7942B741FE16A06B47A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:40.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLINTL32.COMMON.DLLMD5=CF2798DA885C63C35BC8B6886931D3DE,SHA256=47E2A6388B5F2F71A989740A28B5A86A00B8320DDB04D8FE686A2AED0C8EA2A7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.999{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\OUTLOOK.TTFMD5=5A7765D47894BAC732F1ED9BEB1F7818,SHA256=1CC072157711F80296F3D013CEC95093FC1BE4E35A97406C46E76B14A97F41E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.998{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ONYX.TTFMD5=119308FFFD98C2DF893660D9AEBD99C4,SHA256=BABA81B90B5102D1E1807AED3A4F38ED8F3D0E45C2B12B27152D8101C4DE21FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.995{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\OLDENGL.TTFMD5=527EA5851CA62A9A758A44DC39437EAE,SHA256=1D9D8D06AEC3DE7B9ABBCDAC2381F457D9D606B54F05E9B0E0187BF8565A1104,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.992{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\OCRAEXT.TTFMD5=2D814A09D668F730CC91D8D6E390DC08,SHA256=2B058A75FF9336C703E48B618EF759906DC9E37712E27698F74AA3EC0B949346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.976{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\NIRMALAB.TTFMD5=4CBDA5FEDD79E2427AF59DAE638C4EE0,SHA256=5EFAC9DB13A3BBCC9498365455C29B7BD1DE3FD71C796F94D973E5A83397707A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.961{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\NIRMALA.TTFMD5=61D4DEFE4C6729A44016353C6B86AC69,SHA256=187391D0656AB581AEB403E4307D43EC5E888511124E6CA6B9E417767B3FCE39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.945{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\NIAGSOL.TTFMD5=DEEA7A74EA0E562B89EDCA5D89C75436,SHA256=EE5F2638432EFA7EA6273625AE2FE5DFA3D393AD0B51F8F5FB0F3D3C5AE65F6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.945{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\NIAGENG.TTFMD5=E5B38FC8A405B9DE2DA31804F25B66AF,SHA256=ECE195C4B0D53CE4EBAED656341708180ABFEBDDDADF219FB014A31E70410BDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.929{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MTEXTRA.TTFMD5=E460DD03A6D32E5E70240BEBA929FB7E,SHA256=4B20E24F9FCAB717B90CE67EC59539B2B866ADF072B1DCAB71AF6EF34EA8CD78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.929{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MTCORSVA.TTFMD5=B98F57AC686FC135914A844EC0CE8D49,SHA256=A6F6DACB871BE365AD93FE1AAB09332F768CD2AA35FDFCA8E0053A38F5A2662B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.929{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSYHBD.TTCMD5=754B8CA1A3BC662247A948ADCAA91459,SHA256=4E4C62999230F7B5497105FBAC586EC797B24D1C29C665EBC0B2B2037E838CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:41.087{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B1A45642FE00FEF946AF48BBB1970B,SHA256=BF5EAAADF494D0C1A78442EC4C5F86B7FA169E392B5557431C765AF04DB153D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.742{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSYH.TTCMD5=5E42BCB1A2F001DEBC82305025461BC5,SHA256=34CB01A122F82B5AD76EE916DBB34AC35EDB2916B857AC6ED4C8593A759AD5AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.476{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSUIGHUR.TTFMD5=0723999DDC6B4B922EC011B475F07D9D,SHA256=1DA9B5ACE583A0A52E85280264D84917630FF6D600CAEA9A1B99CBD7E8B7C07F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSUIGHUB.TTFMD5=88DD96D6C1979C106E70C4347E4E9657,SHA256=8AB5DE475B91361575858E67CE5A55F22A60FC9DC54D4025DFE3504D805CBD22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.461{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSJHBD.TTCMD5=5D1A0D45E04EBE0EF8C7A44E1CA46B56,SHA256=CE47D64B9BB5A6452B0A5F8BAB2DABE20EB97D213D19695AC31EE05B2802AECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.289{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MSJH.TTCMD5=3132D56329D73980D5FD547EA7271A98,SHA256=D5F8CC33A9046A8D4832B6240DE683FF217F374E83CE573831808BE477DE321C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.069{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MOD20.TTFMD5=60D6C0A842B685A53E5D767240B99774,SHA256=CD7C7867A456CEAE560D825CBEC1D95B3DE8CB62B00CE513DB6AFC293F243218,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.066{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MISTRAL.TTFMD5=E66E26A6E3C218F7748DD0BD9CB034FF,SHA256=A03A3A71113D44D7BFB98E9720264F72A05BA112E191FB78EB08D11A3F41E500,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MATURASC.TTFMD5=34A1156588649C61EA04538BAAEEF237,SHA256=E334BF287BDF4211FE5958C4926C8AD4DDD3F44F5FDCB2D9DCFA1394186D8132,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MAIAN.TTFMD5=0141DF8C3436A6C3EB8BE69855E1EC0D,SHA256=8CD40AC425585EE56A4A98F19A1F646828CEC1E9565B4A0BFAB1D4CE9D7A81C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.057{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\MAGNETOB.TTFMD5=E564AB2A94B273E5648FF05697ECCAD2,SHA256=455964B4A07AF53205ED705E0F40778FF203F2C9E7C72A8BF2C4D7A3A834E895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.055{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LTYPEO.TTFMD5=B29730A7D6D05D4EF08787E2EADE3A2A,SHA256=980E0CE5A0F4C407E90C72A16DA2A259B7FC2A0EA48D1FAF048028B2735FA941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.053{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LTYPEBO.TTFMD5=CC19DEE449A8C883DB9888CA2A160AA4,SHA256=187F363E9C2E328409938B4413027FE8F0C55423913BA66EA66D3F0D7FD5C74E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.051{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LTYPEB.TTFMD5=BF0963C761AB1C6419D7E90E392DEA13,SHA256=993B8AD78909D2B9D67EA0001112CAC238FB65C6B31F6729FDB0B86C24E2B8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LTYPE.TTFMD5=D6C215F188C6EB32AC517BED8BD4C868,SHA256=B700D1BC51A11C77CA7B119B0677A9CD4DC1E61FE43A7130BC2044CD7DC9B116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LSANSI.TTFMD5=29C1D76649D5D1FFDC1A3E8F48726BAC,SHA256=CA117345D190CDA8AD6C7A41AF1D6D43C475D0FDC99C97B8D325986309597F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.044{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LSANSDI.TTFMD5=9D846236FBBFAF646864313CA9AD8FA6,SHA256=EB2D865BDADBDD19DACD2AA6F1A0D4E93263B3DAC13DE536106286E809ABC238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.041{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LSANSD.TTFMD5=9F4C90054D13847235E1819B0FF97BD1,SHA256=76160CE9CD774532131CF4902B810A2D02C94F225DA238FF8C04E25875EB66C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.039{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LSANS.TTFMD5=B6AA2B12D843F986BFCBDB2274C494CE,SHA256=EB3F949BA0F1368698E69396259E667D9FB913EBFDE3C742D493AAE5DD57141E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.037{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LHANDW.TTFMD5=B9DB8F4E52615927FA7386CF391E38FE,SHA256=C5AB997A1C3E49CB0D34FA5A3F2C39934D39F2657DCA224FCB3B480768676501,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.035{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LFAXI.TTFMD5=AC0EFE77CC81825FCDEFD7F07F025DE5,SHA256=27899B1624A2C13245CBFD28666090E3FE9CA17ECBA4CD6E19A615892F6C6DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.032{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LFAXDI.TTFMD5=752F1FA8D5FE3CD4079EFED344F5C459,SHA256=FD16AF41073406530C7633BBF6976C1AECAC1F4BC9D1882135CF58EC9B31DD07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.020{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LFAXD.TTFMD5=98026039604790C312C25C1C8DF5CBB4,SHA256=1A8DD16D0D1456923C5D3824943771E63EB67E6B8660E5C1C479674FBBBA163D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.007{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LFAX.TTFMD5=113ECF48E1EAE740220B9827DF027F25,SHA256=25B23E0E8BA977DA78FD0F6C13B76E561756010A73CB5A8187DD817496E25FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.006{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000330560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LEELAWDB.TTFMD5=B09B497925AE99F5B58FB854E1056F5B,SHA256=436BB96F8BBB151E7634FCEA07794044A8565B013E505245322DAFA13E6C3EFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\LEELAWAD.TTFMD5=63921FE40D60C5BD6EFF14F10065BC18,SHA256=11E1960D6ACA5D6DE0FCBEDA530DBB3DEA8837D810596C54235B07A9FBE43F9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000330558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.000{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000330760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.966{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dllMD5=133DE1E4CD7D51448041C1C5EF6F222C,SHA256=2D8CEE4541A33E26E7FE4236BC39ECE4D019F93F8485914DA50DB19005E29853,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.950{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\adal.dllMD5=DA46703D6C81C9B1480D05040EF4E71F,SHA256=271C8ABE34B5C20B9E03A0C05786FE86E18B3796D8996B8CA0CBB6FDF150B319,IMPHASH=156376CD4AA37B013970ABB5D0F9297Dtruefalse - insufficient disk space 23542300x8000000000000000330758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.935{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rllMD5=809D3A31CEF7C578470DC942D092E685,SHA256=5E088372E89E8F281514FD80AC438E14ECDDC72985741F39362A5A758021C22F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.990{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.979{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.977{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.975{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.973{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.455{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.454{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.452{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.442{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.435{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.357{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.357{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.357{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.344{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.172{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0E46A4BD4982C94EBB84C647F4A082,SHA256=0EAC7C0D910E3AFEA68AAE035814C10BEB7965BDD833ECEB7397AB1E452BCB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\trdtv2r41.xslMD5=AFEBC8CDAFB90959800184887DC7F1AC,SHA256=C196C51D3A2D29369D24AFA80531ECAAE652C079E1A2B3F67247D90A9B92CFAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xslMD5=A16E716031AC4E6BDBD6F35A5AF6CB98,SHA256=A3CD6B7BFE0FF5CD9AFDAA2EEBB221A46E753EBF5EF410B65A14AE866E3D2AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xslMD5=8A573404F2B93CF45F19C5DB5CEA8230,SHA256=1389EDB75CFB19FB9D1C86ABFD9FEE7F69B5A46E5FF1ADCF6BE5F8E017669142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xslMD5=00AB2E6AF317B027233584CA05B0AF78,SHA256=E0E9D0B9A0F40B597CC6381BF1EC8337E1DEB4CD6A121DF26816C508F85A4760,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xslMD5=677C55508FD93BFE1011659B6B85B17C,SHA256=4009EDE1F98F1AB1578C427F3CCB2C3259192A3A1AF14276B16C4448240A7C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.903{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xslMD5=3D6DBDBCC35A81D0FB9FC99B3B09D3A5,SHA256=C79059B62CBC069F855D5DA1E3CC8EBCFD1D20F2A3FCF4E7C089985E19B88097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xslMD5=3053094B1445D6C292CC925F1B2E8506,SHA256=509A7E04DC2BB81FF781315AB182A738FFAB8AF059BD267D1D4B24A7498DB318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xslMD5=231AAB1CFA3C63327AD073DBB3D4371C,SHA256=CC200681625401A916F79EDA7BB6A179EE4BDE670A4AAD80FCB9C1167493EF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xslMD5=F7380302CE9306A970E8602D74173066,SHA256=44BEF02DABBD62124A6310C2E73177F4ADFF4EABC6A10A4A73D3E0CF9BE55114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xslMD5=FE2B9A3979B7882D55A92B06E2EBE4AD,SHA256=C686C484CE89B8E05575F70334E2B563B54A094708F4F4F79BA215C67EE07EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xslMD5=4B56DB7920F1DBD4ABC838AE3DB5B715,SHA256=521B163EADDB0EFBD741ABF553CB812594865EE0657AF9DFCD672DCA09BAB529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xslMD5=3F180E80B895CF04EC5E99DD7B63445E,SHA256=CFD3F8C4BAA855CEB0E45C3254B2975EFD43498226844C5D5765041AEF89B52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODFMD5=E15BF07E30EED315D23E3F1967821C25,SHA256=C6335AB8160E680B057E097B35496714242E611B0866C650CE11770CB4DDC3B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dllMD5=A5DBA5C7ECC62AB26A4B81EE94731020,SHA256=15B3AE1BB21C346830F8DA6FFF68ABCDBB6B7178D2E8F512AF5896C6D2B540C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTMMD5=2DCE97A47186582DB5B0570E50A68FCF,SHA256=AE621361A77E30152EF836AE1CF68ACBB211E62D03D74ADF7877D0EA861C441E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.857{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia64.msiMD5=BDDC373CEA2A06B785D527491D823BED,SHA256=5CEDC636DBCF892BD33B883F025C3A7CC2073D12FD37F86958CBBC68E37BB637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.794{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msiMD5=D77CC182B8963FFA4E305A407A9C0B3A,SHA256=843A6868E91B1A3F748F64933915B1B876F9E8A4D473EB36B3188944A6E0B921,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.747{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msiMD5=A56E19049FD1FEE5A4195C006F57720C,SHA256=79908C02B32A409B99A64E2ED09EA202144D18E64B9F9B49831ACE1C237F576F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.716{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msiMD5=2DF4E229EE41D3CFAD83DB68EA262C07,SHA256=921EC5F474E609DC67F8F218E8F5A2D94E4613A340F7030F27065F86F61EBE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.700{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D7A6317A1DC81C16B4930121F504D5,SHA256=616CA9529D38FC8443EBCB228FCEBA05CBD7991D175A1E0ED83D36F8037B35BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLLMD5=AA84A1E3720440CE02653060C3611A25,SHA256=40D6B5691046A556D9D098866E8135CF2BAA98FC3D04705EDA6095323EBA8B8F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLLMD5=5E9B31447C4C3A584AE5BE42689B705F,SHA256=D9F28C5C10F37C61AE2999770753F0D59748635A8EA6EA89D43E2D9F946C99A9,IMPHASH=31BCBD80AFE6E497045844053D47B8F2truefalse - insufficient disk space 23542300x8000000000000000330735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.685{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dllMD5=996968857D78898A488096C1EF3F8223,SHA256=0CA8BBA847FBE899FAB2AB04EE3A8619AEC535F9D53F6FD0532D9434EA236A35,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.669{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLLMD5=A30C57A27CF090A25B5F1A560749D136,SHA256=19C71EBBC1226DEED6F50273A897E2AEA6F2314439EADBDA635F6CA3437AA460,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.653{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHMMD5=07F24DA6C320AB7B6DFE820FB68B676A,SHA256=B8D6E8020044E60B44C22C45D64B6C9EE13606C612EA0DA946EE05D0D01E4B41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.638{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLLMD5=99D4B9494FC64B323E77474BB5550C08,SHA256=85FE5FA50C71B92EBE21B0CDDE7F33C8811C8F6F6033361D17AEB8A280954867,IMPHASH=66DD915FF6E46EABA4F5BA42255DCF4Atruefalse - insufficient disk space 23542300x8000000000000000330731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.622{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLLMD5=884B9BA3278351B18BAB5A101EC4D731,SHA256=DACA14E33C7D34A6E1F34F66FE6C43B2E91B235ED027D93E00A509F03FC46F59,IMPHASH=D6158AA25A9B2A4B3831EEA238928506truefalse - insufficient disk space 23542300x8000000000000000330730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.622{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLLMD5=C66B855CF86F2D75B7A96DF52F824DEE,SHA256=982AB2BE91DC6B48B333DF135DECC489F721F0C95495425AAAE45846B0921AE3,IMPHASH=7A6DB5CC1F41833388A81BA889517C71truefalse - insufficient disk space 23542300x8000000000000000330729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\MSClientDataMgr\MSCDM.DLLMD5=089EC27CF6E09011FD8F89849BA5F836,SHA256=01BF2617EE7FF793C4F25E12835EA4A83222F4E268E333C7F024C8F5964CC3C2,IMPHASH=8501250FE9BE7432CFCCFB5E13256503truefalse - insufficient disk space 23542300x8000000000000000330728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxKMD5=67D7183CF742812FE8F2466EEBDB114C,SHA256=7AC8AE8FBF69E7DCBA2DFC3B74C7F1EA9CA1FE85B73D0C096B8CF5D80E036931,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.607{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dllMD5=586E4AA5946904FB354BCA287D81DDAA,SHA256=6B2DF6A8DAE7B0CABF74E50FAE4C760CD5B0D647FE675FD7828DAE32425174EE,IMPHASH=6B9FB57FCECADC4C7B35B2F643C1A91Etruefalse - insufficient disk space 23542300x8000000000000000330726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxKMD5=9543C1E9A5D5F39BCFBEBE1A07B76826,SHA256=ECAA81FF698AF2F4D795128D0D218B4171A69CC0C6A9BDCF52C92E0FC2454AD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.591{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\itircl55.dllMD5=B6B685591C4F9597AB82C568160BEF1C,SHA256=771C4229A9002E4E41EF117E1343BBEAAEB0290316B9378E152EB3AC91F4E065,IMPHASH=77CB908E8EA27047FBB35A6249106860truefalse - insufficient disk space 23542300x8000000000000000330724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\HxRuntime.HxSMD5=382C886FD239F3DF7E8B8D6958DF8F2C,SHA256=FE9702B0EC12B5D86A079F753C9E9CFE29F30714C34EB38904EA3D6A27A60961,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.560{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\hxds.dllMD5=C876209024D5BDF67BDB89E985CA99DA,SHA256=DFEB2A512475AE03B50240456C8A696F3B48358197B252141C845655DDE072B5,IMPHASH=196385789006E7A67BEC857EC2D701FEtruefalse - insufficient disk space 23542300x8000000000000000330722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxTMD5=868DEC059E20C7F28BA2805E6B047E44,SHA256=137BF5EC736BD430929690AFC8FC92E999C8CFE08A4235D599CD1FDEC9075762,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxCMD5=FC6F9E1FD2CD944DFFD548BAE8AB2FC3,SHA256=24F3D1D585A06151DDACBFB1EE9512F554348D1E2BD8F8E3BD1BCE3F0501F919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLTMD5=730A6D0BF70C6BD4A33898BB16BDBB74,SHA256=7891675B818E87860B71F63F68CE65C5B3AD032F15492EFC9B74E3CB907DF7FD,IMPHASH=1675FC1D79DB999DB7EB8375C577E739truefalse - insufficient disk space 23542300x8000000000000000330719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLTMD5=344F835D33C1BFF16B58CFA8A5B00204,SHA256=D228B39A8545A44A87A306DB88D9CE8D9195C7C30AD68B2BEE34502E36A8F659,IMPHASH=6812635F4A9F36A15A551160314B2A4Dtruefalse - insufficient disk space 23542300x8000000000000000330718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPGMD5=ED21686ACF6F81430B47AADD809139BF,SHA256=BEB31AF1581AF2866335BD0AD03D916B24C7BF6AEB707C703B6F40CFC8F0BCED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNGMD5=3A4407BE2AFBD8B0348459D72F94127D,SHA256=39D247AE0014A175EC24CE5207B08F4017328CB1AAE8916B046B5AC954899442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPGMD5=A1B434EA0C57B8F8B234D7DDDFD67D5F,SHA256=FFB1A4DD4B6DA771D46DEF621CF71421051203606AA1D3B64B73E92606328ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIFMD5=6936F4EE421C9242C660DE4DFD7191B6,SHA256=827F3149A54C5BCD6FC435953DCA7A7806F76D6F9DA89409D8763859233DF933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLTMD5=97F30642297488BDED1DA6B74FD8845B,SHA256=52082DC36F9DAA9F7F163E16967CE4F5DD50D147ABD658DEF826539DC777F1ED,IMPHASH=1485CC317CE5E985A2896593AA2C7D5Dtruefalse - insufficient disk space 23542300x8000000000000000330713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.528{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLTMD5=71E90A7AF0DF21CCB7AD0A8CCA02B3A1,SHA256=EBC07222F89589B6268D4223E7C15E0ADACAFE706A5D6E5746D89DAB7E7F78F7,IMPHASH=1B98FDDC61730E350D589CEF9B3935ACtruefalse - insufficient disk space 23542300x8000000000000000330712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140_1.dllMD5=7667B0883DE4667EC87C3B75BED84D84,SHA256=04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69truefalse - insufficient disk space 23542300x8000000000000000330711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140.dllMD5=11D9AC94E8CB17BD23DEA89F8E757F18,SHA256=E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302truefalse - insufficient disk space 23542300x8000000000000000330710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vccorlib140.dllMD5=7EF7EAB654DF53E087AC4703C9EA0B16,SHA256=13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8,IMPHASH=D5EC94CA50152CC1E7188B825074FEF2truefalse - insufficient disk space 23542300x8000000000000000330709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.513{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ucrtbase.dllMD5=9CD0AFF3E05FCA90BF9A227C94669DF6,SHA256=FBED69A52FDCF571DD37FE4CC63CB86ED3732B5B998807F14968788027C00754,IMPHASH=1D85FB9CE80726BDA08CAF2946EF5F93truefalse - insufficient disk space 23542300x8000000000000000330708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dllMD5=7C7925161594F2C05C5919A6CA4E74A2,SHA256=82D07C2EBB6186FF040FB3FDF4BEFC8A5CA7B8DB78CA4BF506E58EFF64685E73,IMPHASH=F980A78A33D6B2C7907C8254FED563DDtruefalse - insufficient disk space 23542300x8000000000000000330707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dllMD5=690AC6A745107901EE67A1DF6F5FCB88,SHA256=E499977F697D6B208539EA26FF0643867D361992234050BD523A7E2B058020DA,IMPHASH=2C964AC29A3D2FF9B884918970E707E2truefalse - insufficient disk space 23542300x8000000000000000330706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.450{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcr120.dllMD5=49FB6E786B2F9DF8812E0E317CED55CB,SHA256=9461F2E4ADD5C650102ACDE0C62377FF86D9B19FC20D0003F326CCD474E8B7B9,IMPHASH=8F18E22935EF8B336E246EE763FBEC97truefalse - insufficient disk space 23542300x8000000000000000330705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp140.dllMD5=CB75D6437418AFE1A7B52ACF75730FF1,SHA256=7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1truefalse - insufficient disk space 23542300x8000000000000000330704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp120.dllMD5=8C8D1140787DA60A343DD11C1CDF4992,SHA256=6AA1ECE9DD340D05AEC43248592A78B70D21959DE8727F506D21A3A962348583,IMPHASH=D0A59246EAB41D54812CD63C2326E1F1truefalse - insufficient disk space 23542300x8000000000000000330703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msgfilt.dllMD5=02E0D2A513B7F92965D822F5983EEEC4,SHA256=F013C0E2C9AF7198829F615FBE1D19FC36D5301654BFA57E0EF583C0DEE782FF,IMPHASH=1B8BC79B4931D6DF2B15647693E21930truefalse - insufficient disk space 23542300x8000000000000000330702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\mfc140u.dllMD5=587C85228848E52AAFB3863FF1A6F2B8,SHA256=BFE1547439BEBFBB7A46F292BDEDD8213315E98D778D969225D2EBE2D93FE297,IMPHASH=B4F070F0028C97D4B44509B262314B3Dtruefalse - insufficient disk space 23542300x8000000000000000330701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\concrt140.dllMD5=D1BA293F1D7BD7B38DB8953821D42E9B,SHA256=B3FDB569B567C2B82369C1DBBAC1B6C5BBD74B5E03D2357491985BE064DFEFF7,IMPHASH=5F9B23BD4B0029001F687A1AD625BE31truefalse - insufficient disk space 23542300x8000000000000000330700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dllMD5=F440DC5623419E013D07DD1FCD197156,SHA256=BBA068F29609630E8C6547F1E9219E11077426C4F1E4A93B712BFBA11A149358,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dllMD5=05AF3F787A38ED1974FF3BDA3D752E69,SHA256=F4163CBC464A82FCE47442447351265A287561C8D64ECC2F2F97F5E73BCB4347,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dllMD5=3A96F417129D6E26232DC64E8FEE89A0,SHA256=01E3C0AA24CE9F8D62753702DF5D7A827C390AF5E2B76D1F1A5B96C777FD1A4E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dllMD5=53E23E326C11191A57DDF7ADA5AA3C17,SHA256=293C76A26FBC0C86DCF5906DD9D9DDC77A5609EA8C191E88BDC907C03B80A3A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dllMD5=C25321FE3A7244736383842A7C2C199F,SHA256=BF55134F17B93D8AC4D8159A952BEE17CB0C925F5256AA7F747C13E5F2D00661,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dllMD5=E18FD20E089CB2C2C58556575828BE36,SHA256=B06B2D8C944BFF73BD5A4AAD1CAD6A4D724633E7BD6C6B9E236E35A99B1D35F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639CC8C0B28DB73B3294078A8A6924CE,SHA256=F74AACF6AD9279E5F933421F70F7424CCC95647C254FBED530DCF37A43120E70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dllMD5=B4BE272187CB85E719DFB5BF48BB9B1B,SHA256=CCAF41E616B9A872D35C8083CBF8FDC14371FA3EF159FE699514643C26A4EBF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dllMD5=FF4DE9CE85C4B01312DF6E3CDD81B0FF,SHA256=D7E676B9F1E162957D0549AB0B91E2CD754643490B0654BF9A86AA1E77CB3C37,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dllMD5=877C5FF146078466FF4370F3C0F02100,SHA256=9B05A43FDC185497E8C2CEA3C6B9EB0D74327BD70913A298A6E8AF64514190E8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dllMD5=0D50A16C2B3EC10B4D4E80FFEB0C1074,SHA256=FAB41A942F623590402E4150A29D0F6F918EE096DBA1E8B320ADE3EC286C7475,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dllMD5=5D409D47F9AEBD6015F7C71D526028C3,SHA256=7050043B0362C928AA63DD7800E5B123C775425EBA21A5C57CBC052EBC1B0BA2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dllMD5=D76F73BE5B6A2B5E2FA47BC39ECCDFE5,SHA256=6C86E40C956EB6A77313FA8DD9C46579C5421FA890043F724C004A66796D37A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dllMD5=FE93C3825A95B48C27775664DC54CAE4,SHA256=C4ED8F65C5A0DBF325482A69AB9F8CBD8C97D6120B87CE90AC4CBA54AC7D377A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dllMD5=AFC20D2EF1F6042F34006D01BFE82777,SHA256=CD5256B2FB46DEAA440950E4A68466B2B0FF61F28888383094182561738D10A9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dllMD5=E3D0F4E97F07033C1FEAF72362BBB367,SHA256=3067981026FAD83882F211BFE32210CE17F89C6A15916C13E62069E00D5A19E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dllMD5=42DC903598FF9D2BFB92D3F1F1563A92,SHA256=583BE047AA83CCE2E8950F5F550DABC5F7CB5957860316E3F409BFAFB10B963C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dllMD5=BDD63EA2508C27B43E6D52B10DA16915,SHA256=7D4252AB1B79C5801B58A08CE16EFD3B30D8235733028E5823F3709BD0A98BCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dllMD5=B9BC664A451424342A73A8B12918F88D,SHA256=0C5C4DFEA72595FB7AE410F8FA8DA983B53A83CE81AEA144FA20CAB613E641B7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.325{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dllMD5=247061D7C5542286AEDDADE76897F404,SHA256=CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dllMD5=6B4F2CA3EFCEB2C21E93F92CDC150A9D,SHA256=B39A515B9E48FC6589703D45E14DCEA2273A02D7FA6F2E1D17985C0228D32564,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dllMD5=ADB3471F89E47CD93B6854D629906809,SHA256=355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dllMD5=19DF2B0F78DC3D8C470E836BAE85E1FF,SHA256=BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLLMD5=C87F654A108C1BDA5F79E04619845E73,SHA256=D32647E0C45F6A2E840C1FF8A498F750D48F85BC658AE4E3871D81C0DCED0D0C,IMPHASH=29D18E0C96B1B64C0465E1DE8AF7A5FEtruefalse - insufficient disk space 23542300x8000000000000000330676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dllMD5=31CE620CB32AC950D31E019E67EFC638,SHA256=1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF,IMPHASH=B06D4116DA69A513992D529F84731E6Ftruefalse - insufficient disk space 23542300x8000000000000000330675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dllMD5=3A2C18EF2DF37EA41788F50042774C22,SHA256=EA85134227C8E5A23A63D60E6CDB2BC38F925427BA75426A3BE33212435E1741,IMPHASH=E2C243EAA5D873A145FCEF834080DE02truefalse - insufficient disk space 23542300x8000000000000000330674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dllMD5=BF5EE52BA36031A005B3D7B15F1CA090,SHA256=5A41249C27EF3253B690F95A0A86ABE2337C3405570602E7D8DFD7C3445FF923,IMPHASH=C060FE320860AA232972D941EF87C2A9truefalse - insufficient disk space 23542300x8000000000000000330673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dllMD5=1A22AC29230FF06E278CF85992F48C86,SHA256=3A3F61F1D187142BBA9B37B318F6052A09743FF24FCDB3CEE478D1BC5C68D300,IMPHASH=AA8D086DEB6960B10F8791DF466A5610truefalse - insufficient disk space 23542300x8000000000000000330672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dllMD5=0A0042FE544C91CD57BC2F7EF40BB974,SHA256=4190F0A1306257CED4975448794E1D42BE312E334FFCCFB4910A4A39CDE9DF57,IMPHASH=6042F1676A7711E459589EF169A5B501truefalse - insufficient disk space 23542300x8000000000000000330671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dllMD5=E3244FDCEC84C99E4B60227EB3B70893,SHA256=81FBC2824E73F0D101D91854694A52E79DB0FFAADBB2A10DEAAF47B3B7F9B2B0,IMPHASH=6CCDA270A497A2C5A36A7F385CC9910Dtruefalse - insufficient disk space 23542300x8000000000000000330670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.247{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dllMD5=51C91B404C701CC26B8B6DC7AACD8037,SHA256=9F60F7AF82BCEDC3C91D796F9C4442900BFF40A192E30EFC798AB9230AA9F0B7,IMPHASH=EFB56419C1BA206D8C70E3157D5C83A0truefalse - insufficient disk space 23542300x8000000000000000330669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.200{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dllMD5=EC5A86B5E7BDFFD50E022E431287273A,SHA256=290F577461B2D4197DB0B7D09341225C90CF066984F965E54C9FA4AA16BA6687,IMPHASH=F7E155027608DB4293A50332363A537Btruefalse - insufficient disk space 23542300x8000000000000000330668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.200{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-utility-l1-1-0.dllMD5=D6ABF5C056D80592F8E2439E195D61AC,SHA256=8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.200{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-time-l1-1-0.dllMD5=1FA7C2B81CDFD7ACE42A2A9A0781C946,SHA256=CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dllMD5=5E72659B38A2977984BBC23ED274F007,SHA256=44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-stdio-l1-1-0.dllMD5=32D7B95B1BCE23DB9FBD0578053BA87F,SHA256=104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dllMD5=AE3FA6BF777B0429B825FB6B028F8A48,SHA256=66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-process-l1-1-0.dllMD5=8F8A47617DFD829A63E3EC4AFF2718D9,SHA256=6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dllMD5=1DD5666125B8734E92B1041139FA6C37,SHA256=D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-multibyte-l1-1-0.dllMD5=809BC1010EAF714CD095189AF236CE2F,SHA256=B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dllMD5=D0D380AF839124368A96D6AA82C7C8AE,SHA256=06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-locale-l1-1-0.dllMD5=E70D8FE9D21841202B4FD1CF55D37AC5,SHA256=E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-heap-l1-1-0.dllMD5=39D81596A7308E978D67AD6FDCCDD331,SHA256=3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-filesystem-l1-1-0.dllMD5=AB8734C2328A46E7E9583BEFEB7085A2,SHA256=921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-environment-l1-1-0.dllMD5=45C54A21261180410091CEFB23F6A5AE,SHA256=2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-convert-l1-1-0.dllMD5=5245F303E96166B8E625DD0A97E2D66A,SHA256=90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dllMD5=3B038338C1EB179D8EEE3883CF42BC3E,SHA256=C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dllMD5=E20C50CB320A5718AE869D8EC4D460CA,SHA256=48C776F38EAED72CB05A993484F60CBFDF5AF59AEBC48E53481A997AE7DED8DC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dllMD5=A20084F41B3F1C549D6625C790B72268,SHA256=0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dllMD5=F6B4D8D403D22EB87A60BF6E4A3E7041,SHA256=25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-processthreads-l1-1-1.dllMD5=C2EAD5FCCE95A04D31810768A3D44D57,SHA256=42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-localization-l1-2-0.dllMD5=3B9D034CA8A0345BC8F248927A86BF22,SHA256=A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l2-1-0.dllMD5=BFB08FB09E8D68673F2F0213C59E2B97,SHA256=6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l1-2-0.dllMD5=F6D1216E974FB76585FD350EBDC30648,SHA256=348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLLMD5=F3E1265F2F72F0F30464C19FC0D9263D,SHA256=092167FB8180160D65AB2F79CC9FBA22EF91580AF15BE7BCDDB27AC5613F34DD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXEMD5=D5DADDBB934257F3ABF53991F676983F,SHA256=66B067F22BA24D0D1FA1FA4DB35045E44FC5B30F0DAC25C0E986E7D577A249C8,IMPHASH=40F0915AC5E2AF5E95AF978FF7CD375Ctruefalse - insufficient disk space 23542300x8000000000000000330644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.153{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLLMD5=05C35BB1ECCD48074FE43FA7AD5AEDE5,SHA256=2CEF144C25E0AF97F53DEC368D299D06F9B2D5BE0FB057D77B8E18CF618350A7,IMPHASH=5C256C275E3EB107999F286EFC9FC131truefalse - insufficient disk space 23542300x8000000000000000330643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLLMD5=2F65B44ADCEBA96E045A0B45FDDE5352,SHA256=EF66084434E77A1FE45001085949A8F20E873431EB6016856C55BD0DA7C3D6AE,IMPHASH=1931C583747A3AFF6555664A0BEA87DDtruefalse - insufficient disk space 23542300x8000000000000000330642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.138{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLBMD5=40A3CFCDC277675ADACDE5793C1992DB,SHA256=653F483F11C5F81E51199D920653A12C7B4595E92FF515554FF464DBCDB83B16,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\WINGDNG3.TTFMD5=9E2EE65661BEE40438D514FE592BFCF8,SHA256=AC9EE085920A3D8B076D5E0C61DC9DF42C4BAC28D1FC968344F9CEDDB3972F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\WINGDNG2.TTFMD5=D6478DBC2E84B8DEF5DC115DCDA0B29D,SHA256=FA671B6FDDEDD57F158AB90B6AA6A7C33DB6F41AB620DB72B7AD1E57C38BDA5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\VLADIMIR.TTFMD5=01A1CDEBB8BF5B8573622FA6F689369C,SHA256=EDE635464683BA465C949D7DD6894F9DFF49A76229618CB0B73E0C85B93E4169,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\VIVALDII.TTFMD5=B90F6A78E5F287B5F110E5013A4772F5,SHA256=13CC1CC1ED4B8192F1840291863551AFA3D950F01110A8FC3127DCA744740A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.124{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\VINERITC.TTFMD5=6B836DCAD1979649AAA53BC8187C9A0D,SHA256=2BBB4CAFA0C5767155971E7BC578483478351A36E55D035450E50B468422A962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TEMPSITC.TTFMD5=6E528EAF77E28EBCC849F9769839A5FB,SHA256=1B20B818BE881CF16E711DAF7E3C44BE66A93B581BCD7B580A4423F18595FB35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCM_____.TTFMD5=9B62DC86F936227B3F7B367BD0B6C05E,SHA256=10DF71CEF84AE0D7031D7FFA072B185343365BE0E59BEC4AC231E7C77811584B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCMI____.TTFMD5=D3AB0A606FD2FFBE8F8FA869F382986E,SHA256=3FFA539609563836DC5546F473F6E7A3B7E4C9F7BA5876522925A980AB87FD7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCCM____.TTFMD5=409241C7809719CDA95DF4A2B82F751E,SHA256=73655BC3A86553EA1D76DF8C8EED0E8D0DAEBC797ABA885CDE99833FFE9545DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCCEB.TTFMD5=45D8B517871A6913C74CDD20A7C9B726,SHA256=9E8A6AF516706030B8536B2EA6535664CD9BEA916FB15304556D8139A6945FF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.108{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCCB____.TTFMD5=2C7B12085F974A5F257F80276B4C647A,SHA256=B068CD471C07907A772B6F39A415D33D6328D32D1EA0032BE9A717CB4B80B254,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.107{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCB_____.TTFMD5=5D246FE92931A92E7355FE67B5AD609F,SHA256=64DF8CE11B656BDDA3E35275B83DEC7C40FC8A0A73D8A921918FB99B538F62D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\TCBI____.TTFMD5=286113F7F49CC7F348402A12C2419ED9,SHA256=4FEE7243FFB931F65713DE0537A145F6AA1E7302C8398FEA68C4864D41E7FD98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\STENCIL.TTFMD5=9FCD24C35310AEEFF2C51D619A18315E,SHA256=5D53B38FA8FF33D15676CDCD78B261681BFDA861C449B4F7DDFD7574A5C11E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SNAP____.TTFMD5=96ECDC49467AA24E191B8EFE15A6701E,SHA256=B9E8A921CC54334132052F880FC1B8B236CB6F41B1CFA4618EA399014E6CEA4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SHOWG.TTFMD5=D66FA62DABED66F2226A1B2D17DA0579,SHA256=80CD2486979C2C18F9DD59277C0FD800959AFA1CE23820DCF7BCE31F208647AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SEGOEUISL.TTFMD5=073C54DEAB691DBA98BE14FE4FEA8278,SHA256=B1FDA74A72733DDE77A9B1837F1A96DAE29079366A069CC0785DCDAA5AACC3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SCRIPTBL.TTFMD5=E825587941CBB3FD56B4CD2B1172387A,SHA256=EBD9CA7DC28FEE37C942B4084F377711BA571DA5FD7154125ABF8F81C9628CE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SCHLBKI.TTFMD5=16D4D38FCF14A66800F123AE987CA1AE,SHA256=73FF30499A0C673440E6DF6E134E0731E586112AB99A0553F7C4DBB28F84366A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.076{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SCHLBKBI.TTFMD5=6A549D47526475D0E7EB0A09E15DEC61,SHA256=8DECCA6DF27BE6BB2BD15801DD9CDE62502BF4FB20EFD835038861455FFE763B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\SCHLBKB.TTFMD5=FE14BB3C81A590120618F17B80F4BCC8,SHA256=A13C13A72C0AAFC2BE6BAF52FD28B1745AF6F0FD5FBD365499C7298F4EE416A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCKI.TTFMD5=E1A957BD6BD4DAB347B7F5BF97751543,SHA256=70AF64A5BC061505E7A1CB1CD691811768A7CC84E53D48FCB526DEB53F8C7A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCKEB.TTFMD5=D12864F9BB6E6FBFC3086390A99E3646,SHA256=6C52077681D5D1831B9E8F6621DEB82DE960418D24FE39D8CDC88778FBB19E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCKBI.TTFMD5=0FCAF7A1825173B1BCBA0124D287C52B,SHA256=C8A0F6976209CC198BC47EE287FD872FD86690F4D2893057E7EE92DD1235FB5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCKB.TTFMD5=800BF3DD15BA06C3B2F5733D35C8E62E,SHA256=FC9FD442D2DCD719C88D42121D69F5DD9DDA02CC1C8AFA025D261EC28795468F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.060{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCK.TTFMD5=FCCA3A4A6DF1AB46DD94C73F2E912FDE,SHA256=0C61E5CE8296A55761CDB9D350D4C990BE4CDA8890CC70F2ABDEDFC357F96D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCC____.TTFMD5=29D3F9298F21EB0EF3F4B236EDEEA6BF,SHA256=967465E783B62CE5FDFB10183753DDFA0BA6396036340FD3CC67F85187D57689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\ROCCB___.TTFMD5=C77F2225063FD0A5185855499A1ED67E,SHA256=BDA7C484B491BB10914D668300C6560621DE1B091784010F2D4D239020B6E5BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\REFSPCL.TTFMD5=DA7D0632677782C7C4DD8B201CE85A8F,SHA256=0F9CD250887E38B99FF7111769D249DAEE8634C2C875F49C3599017BD2586AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\REFSAN.TTFMD5=C8F34A4D8D6A866F095261F987A237A8,SHA256=26D345F357D8213475EFF6459CCF2DBC9D707E2F8C0445540F3BB183F717C0F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\RAVIE.TTFMD5=2AECA327AE0E8BA04BF305F13CB1D589,SHA256=7019D811B304287BE2223F1667E0989F862951CBBA660BDE13A86BB103D97B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\RAGE.TTFMD5=C713FD0DF31CF4E5F8E4F09E92698C6D,SHA256=4E06CFA893F7E1E656709AC2CC240CF17CC82DA9FB8DF1AFBF689940E47C0CFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PRISTINA.TTFMD5=67B76DC0172E6D8FF94B2C3F7F36C92F,SHA256=4BD22F9CFA8255C17EF5734964BDCEA39F0614C1975F9D495576A0110F5BF177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\POORICH.TTFMD5=1646CDE4CB82668C6D24C9F33E67E4EA,SHA256=1A98BBB22C3097E418A263CA80B63AC1264E8CBD03D5F0A7143BC598297A387B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PLAYBILL.TTFMD5=9488A34C8F32F727A43F41E0D016E673,SHA256=673E9F49ACE279C73711DD778037B5D435790BE236C9E5892609794B0BB4377F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PER_____.TTFMD5=9DEE58374345F3DFEB49E1C6CC13CA09,SHA256=F8202C3426B5C54B192969351F15EA35288DE44E811E9514D923898214B94184,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PERTILI.TTFMD5=A07574C03D9429038E2611BBA0E9C822,SHA256=5B90D215F586C91CBACEEE9E96D8840431E6B4713909DD47AB70084A067D0B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PERTIBD.TTFMD5=6044A98D98867449410C8D7CFEBB6375,SHA256=1024C55E896123DAD43B1A15F0C86640556B01E9348EB797E6D7C5A889178D6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PERI____.TTFMD5=93DA3318761EA9993B45F2620C4CB985,SHA256=2F52EC437A22912EC82C06AFDDE46C6B1C7593B44025C4627901D353A965B161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PERB____.TTFMD5=AFB95001B7A95A9CD3D5A8486FE0E1E1,SHA256=8EB139CDEFF99C8297C95BF857D94DEF798116D02FDCF72CEFB88D43FE7A33D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PERBI___.TTFMD5=C39EAC1AADDC57C5C2F97B5B3A1422C3,SHA256=F8346184D59314A919926DCFB60DA96421781AB19C2E04C2F76F0F82ACE8CEE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PARCHM.TTFMD5=051B6962AEC44EBF6713B46FDCC8D75D,SHA256=5B4A73788F013C252EB5877A7974E5836EEFFC1189DD7319A219080FCC908F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.011{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB763F52CD5A5BA463015A26F13C84F,SHA256=4505695AD5D912AF91A9960E5833E85AF13EA4A45F88C2A225FF3129A2A8DC63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.010{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9070102A0853511CF05E85632547E961,SHA256=9E061502D932F503933E9385CC808046F7F7F93A839AB9FE20A06EBFF16B4471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PAPYRUS.TTFMD5=FFC718CD15E8CAAC3542AF07605BF386,SHA256=895FDEA742CDCCD53E8CE847A7D2D9C3DDBD7EBDBE0444E88246F0F9E4E2526D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:42.003{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Fonts\private\PALSCRI.TTFMD5=C3D5F019ECEB1A180BEF44A28D137048,SHA256=13093D9642D540CB5EFAD5CAD52AD703E11C0E1F5308BC23FF2CFD7737E7516C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dllMD5=0A2A5755C636DEAAFDCCF966A54AA6BE,SHA256=E1A892925DEE885E5A07C6998D6CEA2A56832E020E08E8426AE490F754BE0634,IMPHASH=9C2D03AB590F9DB409C8ECBB2409A95Etruefalse - insufficient disk space 23542300x8000000000000000330783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dllMD5=A86E0E527AC2197FD08003C9C1023F52,SHA256=DCE27BBBF3FD114F57599E7F7254A66525DCEBD236EA3695F278A6FCF2DB373B,IMPHASH=9C2D03AB590F9DB409C8ECBB2409A95Etruefalse - insufficient disk space 23542300x8000000000000000330782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmtransactions_xl.dllMD5=1F1429AD8DA80580D3E887D3C9324A29,SHA256=06CA5B98F025667F12409A1A182AA365CEFCAAA68A492DF6F39FA7D730497ACC,IMPHASH=D0CF4C45F78D80E95B7D3B5E0255E1C3truefalse - insufficient disk space 23542300x8000000000000000448047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE921FC1C063589827B50C050C82F05C,SHA256=58EF1D1B5CF680AE8BFD8C9AC264640AB1CAFD7AF0EC5158BB36EFECF74B788E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.939{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmpersistence_xl.dllMD5=F6753856E0D05EF9D8C7F118CDFC099E,SHA256=EF07DBF029655D3E74622EF2672647C951E11931F71B909773B4C803F93C08AB,IMPHASH=BAB7EF3250ACAB886C6619681ED10360truefalse - insufficient disk space 23542300x8000000000000000330780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.924{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dllMD5=593757E5399BF4E698DC0C8A50804BB9,SHA256=B5B341C6B190592F8906D708FED30584CF8088238B0A202CD08D9257455D863A,IMPHASH=7F1FC39B1756160BE7895C1D5F36C4D6truefalse - insufficient disk space 23542300x8000000000000000330779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.877{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmapi_xl.dllMD5=E73D197EE175DA50030F4B891867E766,SHA256=882097E961E23C61CA6DFEA9C86D83A4944C9E61FC7B7435E5B322BBB6E29DA5,IMPHASH=4CA8D393BAC6DBB76D9D3E5748A51BC3truefalse - insufficient disk space 23542300x8000000000000000330778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.830{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dllMD5=C33E5FB594711554F43FF98718522DB3,SHA256=EC6E61D51D70F7BCA922CB25E44FFD01D06FCB5A2A00FDBB6F5FF95698F01ACF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.830{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dllMD5=DEDDC1AAAA1714E37A2636C97D17A6E0,SHA256=985DE782E9D8583D62C8A203401AEF314A90D0BB5F450D168583C22D4ADF87E5,IMPHASH=7E7488AB216BC4FDE994B3C59ACD5C47truefalse - insufficient disk space 23542300x8000000000000000330776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.736{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmgdsrv_xl.dllMD5=8EDBE0F861517952741622406E7D411F,SHA256=E959975AAC59FBD9E2BAA1062286993E694B695932714B1C4CB689A2A292C455,IMPHASH=AFE253D14FC29867B6523151559E9A40truefalse - insufficient disk space 23542300x8000000000000000330775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.658{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmdlocal_xl.dllMD5=34510CE45E2A46B118AC22A285207284,SHA256=E27B0BAEA850BEDF439C66375680C34FA0696DF2EDE0323E493A10E498892B53,IMPHASH=346BA8C418D343AC215C759AE757878Atruefalse - insufficient disk space 23542300x8000000000000000330774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dllMD5=16D0542979498C5F28BC996040E1A8D6,SHA256=880E7F8506AD180B3B340ADC0D5EBB8D4D67287D3ABA84860BF99859F2F8373E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Office.Excel.DataModel.dllMD5=21198BF0BA2D10E148E175DA347DE34E,SHA256=4368CE3B22E2372852E081A46A2D5E58A4471EA155E0FD78D93252F67E56977D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.097{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dllMD5=AC8EF31E9E8F055F7191C4BE73974B30,SHA256=2090838E2C6B94C7FA823FE918513EA479BD123FE9A31642F22E3BB0C140BCD2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.089{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dllMD5=45F4D8BFCB4DE9C4C4C2423210B0AA69,SHA256=23DB64E6AEEAB48BBDFF44C50BFEAAD3B95189B04E8189722DABF3956E56BCD9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.088{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dllMD5=61F7B89121573708739730C3D055AEC7,SHA256=AD19BB3C73D91A00486F63594B3C2C4C57E080B4ACB7EE8D7FA3E20524542CFE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.075{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dllMD5=2407E0CDC5F86364EFA9656A3C60529D,SHA256=0D41B1D79EFC4CF2DD94969131B4AB382689ACA2F862EA6F5A6B65723F709C0D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dllMD5=B81AB6C7AB5FDA482F3520B5E64CA7D6,SHA256=DECF79AFD61C3D9268962AFB37D11E8CCE6D5066E6A6365BF92B651C1AEB4A32,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.048{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667FA01B4A4033BB3041789C11629D27,SHA256=43584FBC97F44E1D8FF0650C8F1207799F129CBCACB21D16D8ECCDE3FFD14AF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Odata.dllMD5=69954936A09580F8E35CE98056D53B46,SHA256=B62E5552D5FD561B8C7A0B3058AF13714D93E7CC37A50EB901F65D9DA89EE666,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.026{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dllMD5=F9499BE14D8C05200599CE3BD05E06AD,SHA256=E6B10DDA443EE164B37BECC1EE21B3877C1A01C5399843BBC9D09BCDCDE9BEBB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.DataFeedClient.dllMD5=FD4AF7C9F6756F21486D6B43A140B8A6,SHA256=A9F93372506DC0F1BF26835CDB92DC1BF1D65C660D0F7F15CBB146D7EAA6DDAA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.012{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dllMD5=A1E4D4344104CA4D3484010A84B50E7B,SHA256=0DDD718A638790941969B634724D74ED8763C336BA7720377586A2E24B4E36E2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.010{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dllMD5=9834A594316521380027C0F0D5F93E94,SHA256=9B0CAB434A6DD3B7BCA2D7E027F51987F9CE0B7A54D85CF44E37F6E7C6E06A2F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:43.002{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Excel.BackEnd.dllMD5=3C3A7E6D56F27E88F85D3AD162CFDBBC,SHA256=13819C3C4E267BFD889DADC237D9C2D99DAB24C4821C127D73D2D3A15EB71BDC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000448046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.105{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.074{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.053{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.035{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.009{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:43.002{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000448048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:44.307{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E395BFDE4CB726DA13B9D521CB53768,SHA256=5641F26FA94039BA122015769650454EED2210863889174BDA8879BA9565F83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:41.435{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51001-false10.0.1.12-8000- 23542300x8000000000000000330814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.SqlServer.Configuration.SString.dllMD5=8E428269A79373AE1EEF58826726A903,SHA256=A35696A35C2BDC1F56ABF282F13C547FF3148941003968B6B9C0EEFB6B7C8DBB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.438{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Office.Excel.DataModel.dllMD5=BBC6FA0EED5079F593FD77DBF364BDBA,SHA256=70F86FF77186BEC091917ED7151913313512475BDFC5434D2C270C7A16E1B954,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Tabular.dllMD5=7F384B66993A08A9642B7A533D6DF38C,SHA256=CCCD51CDEB19EEA24DC812195E04749C9BAC28BF32F1C18580C3C0A652086564,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.SPClient.Interfaces.dllMD5=29B836EAFEFE860F28FCA6E168FE562D,SHA256=91EB6CF7B7625EE088B24E7073EB17247D0E2E9BC251EC1E0D0CEC54DAC73FC6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.dllMD5=E94BE7D253770E6DA8EF25CCD5BFAB94,SHA256=F9FA88F225B7B59B0EE57FAF8BDCA2FBB483CABB5529CBEF17B358F01E9DC510,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.391{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.Core.dllMD5=FF7D3B850B17A6B13ADB7D1E03B8D70C,SHA256=37262A2DB9BDC6CD68F0CEA000621106DE4DC2A96A6277CA9951398426BCBB6E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.375{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.AdomdClient.dllMD5=7918DB926A8171F9AC0D75E5C6795ED4,SHA256=F115C151FC9BC75ED51A676AC24BD06B2353D2DDD247364E4047C351ABD2AD8F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.360{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Odata.dllMD5=36C48D7E317E59DBFD74F44BB60F336B,SHA256=2A67522C39C625CCA92AF89E382CA43021A5DE2399D9B30CFC8EE42207DF24B2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.344{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Edm.dllMD5=216ADDF8F9CE110EED4B173391984B4F,SHA256=6688B05F222A9841F1BAF81D4DB4A711750C90DE8A023392A9815850A6E4AB0B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.DataFeedClient.dllMD5=32740C66EE035F1B3A9F21D0766FFFA3,SHA256=1BDD86740BD6732112C20388470FC18404D887F1C02EC0ED76FB6FB2DD6497E6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.dllMD5=10F6439EEF7C1FA41FEFDBAF3A435124,SHA256=E00574ADEBF05843BC3F7666CB175484D241B9C075EB78D17D8D0A36C0D48346,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.Dialog.dllMD5=64E68DC5B4A18DD1A924E8676F81C42F,SHA256=47C610648A93209CAB38A420E57F8EABC029917B7ABB8A1FD4996760330F6336,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Excel.BackEnd.dllMD5=630A2AEE52AAC8050E01AEB68FE44276,SHA256=E9DA992414851859AEB79F984E4EBFDD9D29E67374B7787FC332012F90A0CFCD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.297{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Common.dllMD5=133DE1E4CD7D51448041C1C5EF6F222C,SHA256=2D8CEE4541A33E26E7FE4236BC39ECE4D019F93F8485914DA50DB19005E29853,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.282{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\adal.dllMD5=3B46F47CF8A673F13B779F9A1B312504,SHA256=3E968E196827E629CCD6030A67C4D563389485CD7BDD541FD91F072861C86E2F,IMPHASH=0CA72982BAB70940FDE0377D81985A3Btruefalse - insufficient disk space 23542300x8000000000000000330799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.250{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Resources\1033\msmdsrvi_xl.rllMD5=2BE5198B8428AAA068DCAB9A9CF52DB3,SHA256=836FAA861D372E8D397BDA421D86A07F46C1B054B31C89B35B03B9A8471448AB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\trdtv2r41.xslMD5=5E88A4345095EBADB7CB823B62F2177D,SHA256=42C573E6234F3C250577B1B682F5B1F900C95DDD4EEEA2F09DCF41F795F3382C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\sybase.xslMD5=F7874724269E873C93117768F2DBCEF0,SHA256=868B5C8BE98380C9C58A1B345C3E01E40BA68083B3D0DDC7E1D0294A2E92E968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\sqlpdw.xslMD5=A7C71B6EBA4A5F1EDC9ECF7E4F6E31BC,SHA256=2BDA2E3DD013BD941574D36A5D20680F6A723A8B68E088A32A875B618B342A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.235{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\sql90.xslMD5=423B72635EBF8F7F41960AA91B60BD6F,SHA256=B2EAC4DC85B29A7E996ECB039BF8BCC146D8D42BF11390F34A4A0437EB5D80C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\sql70.xslMD5=325582F68A42FD7A862EEBA94CD48DA2,SHA256=AEADFAEB1C997FC4B637103CA5A3FB77297960894529F263EE8FB6D5DC09047D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\sql2000.xslMD5=9520C32EBDA4605E4051648E6E99BA5F,SHA256=DF180CC3F2081A5AB2EF78762C9A9BD157A0324A68A9E74F5A628B64F54D36F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\orcl7.xslMD5=CA885A8A458C81D9A8DDB18E3AE2F94A,SHA256=6F88C97E30D3899FE1380EA318827BDDD4C0B6D5F7E423D353500434877F297A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\msjet.xslMD5=07817F87945C259A27537F904AC7D4CE,SHA256=4958924C76280F353FAA16E191B596867B454F5AF301CB1C420ED280CDBD4564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\informix.xslMD5=73BD58F92FCB451CE5A768A3673F7C15,SHA256=035A6200DB7617C9C3235DC2C975C42A2E6B398A3FE23561A3E61EF1BE2A124B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\db2v0801.xslMD5=59EC54120AEDB8C6DCE67842A90EA53C,SHA256=20C39DB110FFED0588A52F3DCCDAC5C769B681A760E1EBE0B4D29F8BED5B7AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\as90.xslMD5=7657CD6E4B01A396B99BAF6F5D52F222,SHA256=26C5A0FE600571F341FA4978A13723556E4953C28D4BFCB5D6D7BD041CDF07C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Cartridges\as80.xslMD5=F7764EDB7A6BC223E07DF8C3674159AD,SHA256=5D80A0A30D78431191F0A18DA67B53F6E805A53715C6C8D5BAABA3425950495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmsrv_xl.dllMD5=C87F64703BD221F262DAE516B820CCC1,SHA256=37F9DF552B976E6502C9A2BD3B7697892331EFBF166CD889DB83599C1B5B3EBE,IMPHASH=67FD41D2224D6FC677E582F1F2EB9D29truefalse - insufficient disk space 23542300x8000000000000000330785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:44.034{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D002D2FF8B6DCD5152FCE350048767A,SHA256=7D4A24326212FB5358F6EFF6EDA1BCCF49F4C570ADE9D585CAC432110A8249A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:42.819{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.915{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B47D-63D3-CA03-00000000BC02}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.913{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.913{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.913{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.912{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.912{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B47D-63D3-CA03-00000000BC02}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.912{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B47D-63D3-CA03-00000000BC02}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.912{45AAC21C-B47D-63D3-CA03-00000000BC02}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:45.396{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAD60BF8A8AB5EB3CB757E9F476393D,SHA256=E6093E58FC0FAD872F6D6C0CF591D8D733D9891BA2CF888457FCF9E77D40E7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLLMD5=B9E5DDB52A261842BA1CDA1F8E407315,SHA256=16E6CAD588F452F786A1E72FC7CBBBFD527D145537CA36ADCF4C0F4AACE07797,IMPHASH=E6387040F5EA04468E4E65A3A672229Etruefalse - insufficient disk space 23542300x8000000000000000330842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLLMD5=AD5350E2C2CF7F790C3DFA6DA34D070B,SHA256=6319308951D31AE87A834CB1235B88D0D5D08C04BBD14B77C1BBEC7D2B3A9CAE,IMPHASH=FEB92218590492378804B06CE152475Dtruefalse - insufficient disk space 23542300x8000000000000000330841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.968{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLLMD5=38200B2DB4A5C23F07F1B24DDEEABC90,SHA256=0AB633FA4FCF37CFD9DB5C35E3E12DD46AA9E164511902FBA9DC63BB28785207,IMPHASH=35907C14F3DDC9884958138E10B73A3Dtruefalse - insufficient disk space 23542300x8000000000000000330840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.968{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLLMD5=26DD9A7906EC7403C57343E72B81EBE2,SHA256=6E24054AB2B4057777C5606F8F18E1A505D8F920D2AB254995D822D90249607D,IMPHASH=0091811BAD9E6CA4BA444906F4C9ECD5truefalse - insufficient disk space 23542300x8000000000000000330839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLLMD5=76C8EF78C4035936AC106787347545B8,SHA256=9F3584075984B539E1AE49128F72A8178DCC913B6FDC90B272D58905BF525334,IMPHASH=125C680968DCDB74F086E1BCC1ABEBAAtruefalse - insufficient disk space 23542300x8000000000000000330838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.jsonMD5=D6F811FFB03E5816D79FFE51734E2511,SHA256=6A53480D56F35F4BECE7277239B9C96336A81594B98418F14A72281DCC1C48C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.jsonMD5=E4DD759F424B428EEB24CC6832F09783,SHA256=174AF427C1E645ECEB84E0C58E512C5C3CA9C4CF5B38B0D86F447BA487C9D19D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.jsonMD5=2EE026B011FB8C81B8878C04F11E2843,SHA256=818B2BBB6E35291A274A3AA89D052323E7C66BA9149BE00C8B0F0D8F1C2411C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\CommonCapabilities.jsonMD5=4FEE6C20C253FF852871CF0328A194D7,SHA256=23A8361B3A6E2215CB9608CA5B9BA50F4ADC3AA6C43EDEF21496B74AB981CCAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHMMD5=DC5E517D29BF0971C80DF273B7D44652,SHA256=3BFF1157F879C8108F26A70AD294D6AFAE9128FD46837489574CBBFB323D2ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHMMD5=23982D66035CE41830C10FD8D76A2437,SHA256=667A1A936954AEBD0ED71AF608A6D9AFBE6DAF01A9F78C60813690EE1D46CA96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHMMD5=06BAB5B62F2A47089DF0E2DF4F044D68,SHA256=646B1F0D40ED68208D04E7FE9AF59BA9AE3CF0162A037672E913E4DD6897989F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XMLMD5=E2D2A65F195647E8532E45B506050BB4,SHA256=912385C51535DA6335EDC5C5A8EB061F3120C32CE8D26506B723AD3A9DEA567B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLLMD5=744006FA12053A463D2A765B111EE742,SHA256=59A409AEC7F62C9074D91E695048DD62EEC20207023C2F8695F533C190E8DB5E,IMPHASH=D6158AA25A9B2A4B3831EEA238928506truefalse - insufficient disk space 23542300x8000000000000000330829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\LicensingEnforcement\UnlicensedAllowedSDXList.jsonMD5=8B59908E3DEEE6E3D9489A83B26BA5AF,SHA256=F0C97365615850C445F463972E4152F24445569EDC5E5FFFD948FF12991D3D40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.muiMD5=0EEC336BD82E71E4E111BB28F6824C81,SHA256=87D9B7E75668A6D3F1BACB0CF166EA11FD231227B9F7CB18D33CC56FE8823644,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmsrv_xl.dllMD5=6169820BBA84FF749992F4DC27BF7ADB,SHA256=1DB26374652D83B3CE0B36F28A30503F42C67F59979B4C8A5932175118C2FA8B,IMPHASH=F4242E41734FB46576E59374C32750D0truefalse - insufficient disk space 23542300x8000000000000000330826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.656{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrw_xl.dllMD5=C320FA7079DE2F8D59AF4C39025558C7,SHA256=5641392DE4ACB443CE6C23ACB0C682649A34740ED2A125366F2D5DF74BADF131,IMPHASH=1FF0EE6C59291003C7C25125B92B9FABtruefalse - insufficient disk space 23542300x8000000000000000330825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrwbin_xl.dllMD5=B11BA43F876B4AEC4CACCB4D3B66DB6D,SHA256=58410C0D10181908387E9EFCDDBF286C531CE738D19EA999ED7A5BA3C6ED7C14,IMPHASH=9E54CCC4DB31FA1F3F0DFBD27A4D2A5Atruefalse - insufficient disk space 23542300x8000000000000000330824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmtransactions_xl.dllMD5=7153D8A250BA27314FC0DC831ECD0A05,SHA256=6D2E1C5FC68816EC04D847932181386FBD80E3BC77B825270FDA5548380FD44D,IMPHASH=3BBD83142CACD31F640F5DC73FDDE13Ftruefalse - insufficient disk space 23542300x8000000000000000330823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.562{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmpersistence_xl.dllMD5=5EFA4ED0919C80255004DFACFED5850C,SHA256=7F35D58EE03A936C0E33185961D1F2D26269B43D19A7F42886B0B3287F45AFB8,IMPHASH=C8F410C242FE5DCC436E1C3F920D5737truefalse - insufficient disk space 23542300x8000000000000000330822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmcachemgr_xl.dllMD5=06490312C823749C347D5F347796B3A5,SHA256=1EEB54EB0B08C34943260EC1F2DDFF5EAAFC75F357CCCBBEEA62CDE8E4C66396,IMPHASH=BE378D1D9C87741C810526A0D300D389truefalse - insufficient disk space 23542300x8000000000000000330821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.500{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmapi_xl.dllMD5=1CDBBE49DA8B02F0104E5E20CADEB73E,SHA256=D9EC4AE06624B825A4F8CCA73417DF94F3A2AE816BAA077759C5FBE25216D17E,IMPHASH=A90EC512049459012005FCA583FA7F9Atruefalse - insufficient disk space 23542300x8000000000000000330820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\System.Spatial.dllMD5=2633C1868E085E5D64C479DAD9FD3C77,SHA256=1767195E6C577ADB165EA0E3BB79B518D9923E7F974BFFC5D705C2FDEA2A6CA7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000330819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msolap_xl.dllMD5=D6769C0C326B172F10B8C1A73DC305F5,SHA256=F7F11CFE50B62DB2F04C83E98FD030C428B7C2B2B329306BE90EA3DBAB6AFF27,IMPHASH=73F85B1879EEE47BBFB70C6AF6258F15truefalse - insufficient disk space 23542300x8000000000000000330818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmgdsrv_xl.dllMD5=4F04A88481BF52C2235F8E1D60D8928F,SHA256=0452022E9AD29BA57C9D2F40D9A055F9E1AA5163EBC85478E8BEBB1E7C6D43F7,IMPHASH=EC41EA582CF89EEABEA269ACC23A3FA1truefalse - insufficient disk space 23542300x8000000000000000330817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.250{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE371EBD2D52D6DF7F8AF6978475D96,SHA256=86E62E579457AD31E636DEF8836E35F32984BF1071C22B5C0135138706A85CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:45.203{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmdlocal_xl.dllMD5=F366C9EBE3E789D5F68A3F4341CD035B,SHA256=A1B8F9D6F41B627F5DCF261A624F77E1EFB259EF27665E7DAE8FE39DA5508790,IMPHASH=043EE6F9E226E9A2FC854357A8E299AEtruefalse - insufficient disk space 23542300x8000000000000000448070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.962{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F467584846FFE2B4088C16AAFA0C3AF0,SHA256=F87E4F484670AA9C9F3D34B215BA727E96935A7846718152274C3C21C1044388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.930{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842D78A62EAD4619EBF0AD701CCF28B4,SHA256=935C037C3DA1C667EA73E176C4C44E2ADB86D7AF847F7EA4CEF076A578827398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.827{45AAC21C-B47E-63D3-CB03-00000000BC02}56526060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B47E-63D3-CB03-00000000BC02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B47E-63D3-CB03-00000000BC02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.594{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B47E-63D3-CB03-00000000BC02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.595{45AAC21C-B47E-63D3-CB03-00000000BC02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.515{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8DC52E589BEF49CAE7C1BD4A5220AF,SHA256=6D307853E763DD608B9309560DE3758E3165FC05825ECA90B910C0F2FCB145C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.952{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLLMD5=29FA408A95E9264B4CD8428F71D87FCE,SHA256=37DFA42F066A8D68C22DE8B6623E7E1890F519A4DB44C6C44A77EDEA479B361C,IMPHASH=A1AB6C22537AE6E0D02EEF6EA12A6D28truefalse - insufficient disk space 23542300x8000000000000000330898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.608{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mlg.dllMD5=38E22ECC126579E8204C16D9E183A977,SHA256=5E99940A5FB8519DBA72CDFC58DD6D110A8A59FA47F37936F7F5E7BC8CCA34A3,IMPHASH=A35D58DC6EAE53DDDB2F5B89143DED0Ctruefalse - insufficient disk space 23542300x8000000000000000330897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.579{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dllMD5=587C85228848E52AAFB3863FF1A6F2B8,SHA256=BFE1547439BEBFBB7A46F292BDEDD8213315E98D778D969225D2EBE2D93FE297,IMPHASH=B4F070F0028C97D4B44509B262314B3Dtruefalse - insufficient disk space 23542300x8000000000000000330896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.531{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM3.DLLMD5=B0B8308AFB3C19D5CA509E842F5FF17D,SHA256=F54255AE41E82A179DE56BADDF863489C75AE18BB79AE97C95D9C25BE5D6A64D,IMPHASH=CDFD67307DF314787E1ED8250318D705truefalse - insufficient disk space 23542300x8000000000000000330895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.484{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLLMD5=940DEE133507915772B3C71BC8A0157A,SHA256=0D62CCF9ED5FB1064CD73BE0305E9F08CB7A35C7DF39901148DB8204D7E3012E,IMPHASH=F84A62FC7D8C23DE7BAB09C2DE3AC982truefalse - insufficient disk space 23542300x8000000000000000330894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.453{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212190D95991ECE1AE310568FC0816D8,SHA256=7E21F564D2FE38F2BF40A9D8D8C3330C0ED3063261E898E49343FCDE9F8EB57A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xmlMD5=59F881B9ABF086EBCF9E73016A4E9A14,SHA256=D8906306438AC5FA23ED5ECD3764FBEBF94FC7748ECC96CC1C12BF8ECD7F67F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.453{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEMD5=46BC9CBEB03F98A90519D12266C51496,SHA256=29017941C3DF2D65978D662C66A8F1941E3135EC074BFE92132FED1B85DD738B,IMPHASH=3EC82B3A946E0C156DB9A54EAA240A4Btruefalse - insufficient disk space 23542300x8000000000000000330891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLLMD5=5DE04808577A334840FD8E7795FBE8DA,SHA256=9104EC1C551A1C1350AF3B4D1F5E9279B6EF0AFF75085925108A0C29CE323DD8,IMPHASH=EDB0FEBC6C7D8B5225BC643E55FD2196truefalse - insufficient disk space 23542300x8000000000000000330890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLLMD5=03932845806D4AE0CE2BD5C26E7520D5,SHA256=800DD1AD2CB1BA4A0342D92E64DA2C1875A4F6CD00D5502CA217DFFFAE14F9A5,IMPHASH=33372612690F1EEBDBC95BEC2E1041B8truefalse - insufficient disk space 23542300x8000000000000000330889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.423{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLLMD5=0959BD2DFF53836234E012624AFE587B,SHA256=77617CB30CE441B9D78750BCE6DBD919C382F600C0F6B863C75113A5845F00D8,IMPHASH=87975EF93EC12EB574182BC41964864Ftruefalse - insufficient disk space 23542300x8000000000000000330888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.423{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dllMD5=87D467122D3506980CDA15193DDBA138,SHA256=14C8B5B09B4F317A485FBDABBF10C046F46A3B90E3FAA5CD2B8EC9FAE3E8D176,IMPHASH=A0D559FCE1591D5C2BD7FC857031BFEAtruefalse - insufficient disk space 23542300x8000000000000000330887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.408{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67700D888D3EDC16AFAC9BFE59A1BA6D,SHA256=83EED5D1B43C35753420E1760F61F446E6A8344413789BB83E4831E8D37656E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dllMD5=D1BA293F1D7BD7B38DB8953821D42E9B,SHA256=B3FDB569B567C2B82369C1DBBAC1B6C5BBD74B5E03D2357491985BE064DFEFF7,IMPHASH=5F9B23BD4B0029001F687A1AD625BE31truefalse - insufficient disk space 23542300x8000000000000000330885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dllMD5=F440DC5623419E013D07DD1FCD197156,SHA256=BBA068F29609630E8C6547F1E9219E11077426C4F1E4A93B712BFBA11A149358,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dllMD5=05AF3F787A38ED1974FF3BDA3D752E69,SHA256=F4163CBC464A82FCE47442447351265A287561C8D64ECC2F2F97F5E73BCB4347,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dllMD5=3A96F417129D6E26232DC64E8FEE89A0,SHA256=01E3C0AA24CE9F8D62753702DF5D7A827C390AF5E2B76D1F1A5B96C777FD1A4E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dllMD5=53E23E326C11191A57DDF7ADA5AA3C17,SHA256=293C76A26FBC0C86DCF5906DD9D9DDC77A5609EA8C191E88BDC907C03B80A3A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dllMD5=C25321FE3A7244736383842A7C2C199F,SHA256=BF55134F17B93D8AC4D8159A952BEE17CB0C925F5256AA7F747C13E5F2D00661,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dllMD5=E18FD20E089CB2C2C58556575828BE36,SHA256=B06B2D8C944BFF73BD5A4AAD1CAD6A4D724633E7BD6C6B9E236E35A99B1D35F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.311{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dllMD5=B4BE272187CB85E719DFB5BF48BB9B1B,SHA256=CCAF41E616B9A872D35C8083CBF8FDC14371FA3EF159FE699514643C26A4EBF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dllMD5=FF4DE9CE85C4B01312DF6E3CDD81B0FF,SHA256=D7E676B9F1E162957D0549AB0B91E2CD754643490B0654BF9A86AA1E77CB3C37,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dllMD5=877C5FF146078466FF4370F3C0F02100,SHA256=9B05A43FDC185497E8C2CEA3C6B9EB0D74327BD70913A298A6E8AF64514190E8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dllMD5=0D50A16C2B3EC10B4D4E80FFEB0C1074,SHA256=FAB41A942F623590402E4150A29D0F6F918EE096DBA1E8B320ADE3EC286C7475,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dllMD5=5D409D47F9AEBD6015F7C71D526028C3,SHA256=7050043B0362C928AA63DD7800E5B123C775425EBA21A5C57CBC052EBC1B0BA2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dllMD5=D76F73BE5B6A2B5E2FA47BC39ECCDFE5,SHA256=6C86E40C956EB6A77313FA8DD9C46579C5421FA890043F724C004A66796D37A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dllMD5=FE93C3825A95B48C27775664DC54CAE4,SHA256=C4ED8F65C5A0DBF325482A69AB9F8CBD8C97D6120B87CE90AC4CBA54AC7D377A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dllMD5=AFC20D2EF1F6042F34006D01BFE82777,SHA256=CD5256B2FB46DEAA440950E4A68466B2B0FF61F28888383094182561738D10A9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dllMD5=E3D0F4E97F07033C1FEAF72362BBB367,SHA256=3067981026FAD83882F211BFE32210CE17F89C6A15916C13E62069E00D5A19E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dllMD5=42DC903598FF9D2BFB92D3F1F1563A92,SHA256=583BE047AA83CCE2E8950F5F550DABC5F7CB5957860316E3F409BFAFB10B963C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dllMD5=BDD63EA2508C27B43E6D52B10DA16915,SHA256=7D4252AB1B79C5801B58A08CE16EFD3B30D8235733028E5823F3709BD0A98BCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dllMD5=B9BC664A451424342A73A8B12918F88D,SHA256=0C5C4DFEA72595FB7AE410F8FA8DA983B53A83CE81AEA144FA20CAB613E641B7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dllMD5=247061D7C5542286AEDDADE76897F404,SHA256=CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.295{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dllMD5=6B4F2CA3EFCEB2C21E93F92CDC150A9D,SHA256=B39A515B9E48FC6589703D45E14DCEA2273A02D7FA6F2E1D17985C0228D32564,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dllMD5=ADB3471F89E47CD93B6854D629906809,SHA256=355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dllMD5=19DF2B0F78DC3D8C470E836BAE85E1FF,SHA256=BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aitrx.dllMD5=33DB84F8E81452480D77ACF86DE752B3,SHA256=846DC32BB1AD96BE1013B265732C41B09FD71BFA8E629F6488A71C6AA4724D97,IMPHASH=2271936EB70EBD8B194BDEF20EADD115truefalse - insufficient disk space 23542300x8000000000000000330862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLLMD5=27548987FCD7D9F0FDD7516E189CB69C,SHA256=475727DBCCA421D4AD74C7C7C2A56E8793121A13097B0CBFDBC74038BB5807B0,IMPHASH=E97982C89A0DE512D5E83ECDF99CA4F3truefalse - insufficient disk space 23542300x8000000000000000330861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.280{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.manMD5=47E7AA43FC251A8D6E9481C6B511EB54,SHA256=AC00511ACFF3E5B47104CDAB01BBC6FA40D07C2E247854013F764FEBD5CB1B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aimgr.exeMD5=BDDC31B0B245D57045E0A05533B0FA7B,SHA256=54AEF306E96EB6347CAEEBEC0B2FFED57ADAB722E234FA6E6458173860AF8BDA,IMPHASH=5079A2D1484665849F98EBB47358ED56truefalse - insufficient disk space 23542300x8000000000000000330859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeMD5=16BE5F9FE882465C6BDC2E11D86DA87D,SHA256=B824A4BD5E73ACD22E7FE20735CD997E3B0AB8FE61B5E1BC1EE185775FAC7920,IMPHASH=5079A2D1484665849F98EBB47358ED56truefalse - insufficient disk space 23542300x8000000000000000330858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.264{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.dllMD5=C9928517065AA4D90C1A8A0EC75C258B,SHA256=63F8AF661E5867A5580C5039750EFA5D5BEE90528A3BAD14A4207C5873650159,IMPHASH=1E5D099099F4A8954E4AA9B7CEB0F70Etruefalse - insufficient disk space 23542300x8000000000000000330857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.140{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLLMD5=39BF8820CE9726FCA9FD7AD9FAABE848,SHA256=4A6EED494A53CA7799347FDF26E59B439F518BBE38B77055583AAD1FC1D77D60,IMPHASH=0CA72982BAB70940FDE0377D81985A3Btruefalse - insufficient disk space 23542300x8000000000000000330856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.110{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLLMD5=83940B529D140372B1FF153CF83E478D,SHA256=1D246C806D9F170AAC09E8AA3507553B7833BA2067B81150588444B3C93BAADB,IMPHASH=B9F6A0D18416DEC1580419AB5B1F9EB8truefalse - insufficient disk space 23542300x8000000000000000330855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.093{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLLMD5=07EDB64672349CEADDCFBCF6BAF258BB,SHA256=BF0E5F96E424EC9193E7257F25144FFF488CDA630F0C8E0BA20020312561BDD5,IMPHASH=768EAA3BF956C8B095B69BA3D5B7C18Btruefalse - insufficient disk space 23542300x8000000000000000330854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWSS.DLLMD5=5CEA0D16C8A3FCE723259E309E5BFE9B,SHA256=F273DF94D3483F8207963F29208415338642C64469ABE91B88E72633CEC9EA0D,IMPHASH=98AB081143FCC97D965A9F8C0DADFDB4truefalse - insufficient disk space 23542300x8000000000000000330853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLLMD5=69FA2BBDC3ADD82E1BF0B52B549A540E,SHA256=0B5CF166CEA38CB4887B9483B7D0A164A2F7ACD6C97AE69E4B5092C30BB2642D,IMPHASH=9BE905A5EA9B446A03591439F984B046truefalse - insufficient disk space 23542300x8000000000000000330852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACETXT.DLLMD5=5D90356D88C76D9FE3146460BA66D495,SHA256=CA324ED833E3368149F4A7327213F240C5B941DC3BAFAC73A23431FD74805D33,IMPHASH=0697C203B82A717A1E75120B498619B8truefalse - insufficient disk space 23542300x8000000000000000330851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEOLEDB.DLLMD5=64053A90260D3BF03E321139ED9450EF,SHA256=00FC3BD25181A8BD47A4320865A1589591BB9F085BD4A0E553CF71E224595052,IMPHASH=6C29B94C5367CE90A0F8F95EEA78DC11truefalse - insufficient disk space 23542300x8000000000000000330850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLLMD5=0EA659111497543AA327B7FEB8E5A652,SHA256=27C877F5F08A22E5CB0211EB510F541A9904D7FEC98D0446ABCEE3606ED96C3B,IMPHASH=22D409DEFB7358610450A1C90B013119truefalse - insufficient disk space 23542300x8000000000000000330849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLLMD5=936BA41BF0F1747B5C466B5C0C16648C,SHA256=B5D8F7F1BD152D3DB81006284EFFD3C1592206F926EABC88AFD938A4C30C064B,IMPHASH=22D409DEFB7358610450A1C90B013119truefalse - insufficient disk space 23542300x8000000000000000330848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLLMD5=956F57EC27942E496215771B9C39746D,SHA256=58275482703CC9E50C5FCB757165576D19EE00A022497AA1AD43E68BF7D61C70,IMPHASH=22D409DEFB7358610450A1C90B013119truefalse - insufficient disk space 23542300x8000000000000000330847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLLMD5=128059B689DD58B19EC531B178C5E51B,SHA256=D815EB002ED6DFE014418489138C43A9871D0D4C3C06DF55B0B87BFBDFC424CF,IMPHASH=0A3A9AE2B734B510F02C0A9A8D385E64truefalse - insufficient disk space 23542300x8000000000000000330846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.015{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLLMD5=A1EB639DF7F333AB2DD0A789EDD319BB,SHA256=4D098C851156E6553B1A0378643F461235EB705C8BDF61C81A4BC5F7172E20BF,IMPHASH=FA77EC39268771B83145DA4406A23390truefalse - insufficient disk space 23542300x8000000000000000330845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLLMD5=946754BB97E2046C60E3AB1B714777F4,SHA256=BEA65202B0EFAE312CF8740A68E720D1AB1CFB298610BD2C2DE68977F5F0BAF9,IMPHASH=D5E01E85A6E413C786E21F96AF1B2C58truefalse - insufficient disk space 23542300x8000000000000000330844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:46.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLLMD5=E9347570240547E5181ECAAC6203F764,SHA256=27879EB91D17164539C3153EA4DE25BBEC229860EA8D045FA0AB9661886D9DCE,IMPHASH=9776D60B3033DEA9CF8ECD8DF3CE84B8truefalse - insufficient disk space 23542300x8000000000000000330910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.939{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDRES.DLLMD5=CEE457CB36FDF7DE289295A05597B682,SHA256=1EC70C585B4FB9AFCF17C3949DCA1E99BFB0413C96BCA98ECA25C5AC020DAA2A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLLMD5=A70C38D2A1EDD18C91A795E8350FD569,SHA256=67B0CDFD20A1AB35568F93AE8AF89A5DAC779E66EAD3990E5E5D81F5DA8721A6,IMPHASH=3851DB4A49725A75EC5531978F341596truefalse - insufficient disk space 23542300x8000000000000000330908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXEMD5=2C34B1DA2AF388BC062E75B434E0BA12,SHA256=6AFD889E5CB2A6A024A3BABEE341693851BEB64635417D1AA3165C76015065A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.892{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLLMD5=7DE8F45D5148F0966AE5392B28DA02AD,SHA256=D1CCB25F37C6B597066A651262628878CFF3AF0ADCA6FCB75DCFA9C13E7CCEA4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.642{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dllMD5=886E3CC3D05E7E9E0ABFAD43F5E5F4EB,SHA256=12C975F02516D34B066E30721A73B60A55D55DA5E3C9D7D5B8BE6275C3E468C9,IMPHASH=FAC0D189F73D04FCB4959B78480F4D23truefalse - insufficient disk space 23542300x8000000000000000330905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.434{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B98FB7EBDAE757D825A702EBADCF1AF,SHA256=2A9B83A625F1517BC418D8DFDDAF28C2F50452BC107F25F408282326FC621242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.717{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2EDBD489846FC0C4328481537EBD20A4,SHA256=45722B7FC6F732F8AF6FF5D07DA8A5C62D9D9C85171DDB59A64614915A8B108C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.623{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFFAC72464C35D14C4AEE3DFF0E34C7,SHA256=563CBC069B47502FC91C91418FAE1A6EBB05A7DE732831188DE53E66F03B82A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B47F-63D3-CC03-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B47F-63D3-CC03-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.090{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B47F-63D3-CC03-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:47.091{45AAC21C-B47F-63D3-CC03-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.405{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dllMD5=A754E7988BD5FCE4DEF098EDE09BBE13,SHA256=E8904CFA4A46FBCF9685DDB47A179090E61C1294E826AEAED4EDBBBFBCF00004,IMPHASH=4FE7F03E2273F42592C4FF72438EE27Btruefalse - insufficient disk space 23542300x8000000000000000330903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.392{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dllMD5=B6F0A3D55F85C60081647D8BABB4F45A,SHA256=6FA36105482AF3E0AB908DF0F1C3B331B76EC09E67F7D3CC831FC93F42A09D21,IMPHASH=A0766B886C2359C0C805FDFA94E66F3Ctruefalse - insufficient disk space 23542300x8000000000000000330902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.217{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO40UIRES.DLLMD5=65BA450450C1B408B2923F2332613DE7,SHA256=2C4ABF2D61114837E49386678B97911384632DB3ABD51A7B76C4B079093D7E99,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.170{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dllMD5=E9FF9B293AFA56EF38417E648B173B98,SHA256=8C0C558833D3F5864AF75798E47A736262235A0AFA8A6000756C878B8EB45D0C,IMPHASH=60D809780E1419BD049E089F859099C9truefalse - insufficient disk space 23542300x8000000000000000330900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.030{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dllMD5=F0281140C833BC6064C6B50EDA5A76D0,SHA256=2F81F24B8EB0B4FFF429748643EBD6F9A7D3109799CF9C29D76E8F0015FE6C1F,IMPHASH=2695470E0D18B4216B7EF4D794012BB8truefalse - insufficient disk space 354300x8000000000000000448083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.260{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52706-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000448082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:46.260{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52706-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000448081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:48.689{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790E375EB55B885A33CAC1CB60FCBF4A,SHA256=C270D6CDA36F662EECAF6CAD27F88DF1AA8562F11E8B1F86B3CF39C7D4C190E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dllMD5=7667B0883DE4667EC87C3B75BED84D84,SHA256=04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69truefalse - insufficient disk space 23542300x8000000000000000330939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dllMD5=11D9AC94E8CB17BD23DEA89F8E757F18,SHA256=E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302truefalse - insufficient disk space 23542300x8000000000000000330938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dllMD5=7EF7EAB654DF53E087AC4703C9EA0B16,SHA256=13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8,IMPHASH=D5EC94CA50152CC1E7188B825074FEF2truefalse - insufficient disk space 23542300x8000000000000000330937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLLMD5=A302D22CC544B6BFB4E1BB522B036CB1,SHA256=76823CF79F5C76C96E2FCA31D06796D62727ABE559FFBA78E5F21DC324E55188,IMPHASH=027F3DD417A1D5A85A3741AE4A80B27Btruefalse - insufficient disk space 23542300x8000000000000000330936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.978{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dllMD5=9CD0AFF3E05FCA90BF9A227C94669DF6,SHA256=FBED69A52FDCF571DD37FE4CC63CB86ED3732B5B998807F14968788027C00754,IMPHASH=1D85FB9CE80726BDA08CAF2946EF5F93truefalse - insufficient disk space 23542300x8000000000000000330935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.962{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dllMD5=BD6D6D60B40A60B25D862867772C949A,SHA256=15E5A610C20B71FE35EF8AB85EBCD150B3358CEF53AFCC527E95D7FFE94B3C55,IMPHASH=E71E31F3855E0C7651F01C20A097A9DEtruefalse - insufficient disk space 23542300x8000000000000000330934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.931{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLLMD5=186EB80AAC937FBE7E72834F4870CBB0,SHA256=F0101FDD651A4973A22B908AB383CC519BA535E7B7547A2E3F154D41DD116477,IMPHASH=6CA76A39037688D00C147EF4FEF99FBAtruefalse - insufficient disk space 23542300x8000000000000000330933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.900{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xmlMD5=95C80BBE7F67A3252306F706A5716CD1,SHA256=C6C5C58E95302D767632363CC0D440A20936C15FE139770B37C06C85FBF961BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xmlMD5=F24F9ABEC3A753455E03F69C401EE844,SHA256=0A994049FBADB1602C9412CBF21C9C38E38170CA8C95A160D3BAF7E4407D0A24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dllMD5=54CEEEBE5E49222FB3A021A4B9C467DE,SHA256=BA40AA1FBED954CB1C3047B76A391788F8EA82019773C005147A92AA9D1FE39C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLLMD5=D2DC7987CB9333CBCA0B1A0274BAA575,SHA256=6049D62D40F88B775E7132A382F98070B6A6A33A9AE5D9115A4A54A00226899E,IMPHASH=C4573F1441092B4DCB3CF557FE922798truefalse - insufficient disk space 23542300x8000000000000000330929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\operfmon.exeMD5=5DBA5E8DA7DAE66D835AB8CB266BFC6F,SHA256=09E76ECDC46026501DCBDE072948421B2F32B6144EB321B3685D17253B7D1A6B,IMPHASH=5F7D7EC9CDC580A3B11737D259077F71truefalse - insufficient disk space 23542300x8000000000000000330928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.884{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exeMD5=66AC0B5FC118A218E5C07A582A863A64,SHA256=A5180DC53FBC4B93556A0FFC92958BA6289AAEEF7D34FA931F24D8B272FAFF27,IMPHASH=BE0C69F736B04EE2CDEFB6F0098F18BBtruefalse - insufficient disk space 23542300x8000000000000000330927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OFFREL.DLLMD5=B6609D8F93786BBE4A97DB1BF4D056E6,SHA256=0212663E50E00F3757F9B2EABC91A000DCD1DE1027E1B4AF1ECC65629962F5BF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.869{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\offhud.dllMD5=2CFF24E327F52F5DFD12A7459E5F1BFB,SHA256=7854248F1F557C1FF36CC2E28929163E2EB78B3FC70E73DB101E9B9ED6F60B46,IMPHASH=1CBC5B88E062C8E18DF41D03CB879711truefalse - insufficient disk space 23542300x8000000000000000330925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.853{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLLMD5=B791C4393C0ADB96398B8F4CCF202E00,SHA256=DD3D39D28252910B4598E3765E32A912BFB4811E356D40B5880E86369397C9F7,IMPHASH=8712A0FDC18EA87229DD839552079C6Ftruefalse - insufficient disk space 23542300x8000000000000000330924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLLMD5=3938A6AE13A4C95C30470D154F31BA30,SHA256=031AD6E8F093C320AEC8D6C279E198AA3235CF0EE08604858B7C4DA4921BDF05,IMPHASH=D74BCD6327BF283B918DC169009C6072truefalse - insufficient disk space 23542300x8000000000000000330923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUAUTH.CABMD5=F984F9C2D7AEFABDB51E772941087133,SHA256=B74549A7FC9BD485E99A45802F81530C75B814CB0BD7FDE1DF861EB805E8D755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.837{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcr120.dllMD5=49FB6E786B2F9DF8812E0E317CED55CB,SHA256=9461F2E4ADD5C650102ACDE0C62377FF86D9B19FC20D0003F326CCD474E8B7B9,IMPHASH=8F18E22935EF8B336E246EE763FBEC97truefalse - insufficient disk space 23542300x8000000000000000330921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.822{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dllMD5=CB75D6437418AFE1A7B52ACF75730FF1,SHA256=7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1truefalse - insufficient disk space 23542300x8000000000000000330920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dllMD5=8C8D1140787DA60A343DD11C1CDF4992,SHA256=6AA1ECE9DD340D05AEC43248592A78B70D21959DE8727F506D21A3A962348583,IMPHASH=D0A59246EAB41D54812CD63C2326E1F1truefalse - insufficient disk space 23542300x8000000000000000330919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.806{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLLMD5=58FF10E7DA4602A122FFF0A512BD88B8,SHA256=4D0E1DC8ED292D89748F084EF2ADD6B1EC68FC1DFE04BCEC3D6898510B813695,IMPHASH=EF2A853C433F3C635B0B519EF1614128truefalse - insufficient disk space 23542300x8000000000000000330918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.790{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLLMD5=0BAA1220A6DE9E7FD30E2A9F46AA1912,SHA256=12127C1B4140939D314166377B280E14BEEE9D4B2DF1D92F903183F0C9634A6C,IMPHASH=71BB80379B07CE206FBF78060B98EBCBtruefalse - insufficient disk space 23542300x8000000000000000330917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.775{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLLMD5=F8622048083A90625D8F3E553C85A309,SHA256=E1156D166B0588DA8D9743284E7C0B7DBF333C658BC03430667DC7D1CDA9310B,IMPHASH=FD362CE2A88C043D6947C98DBC4896B1truefalse - insufficient disk space 23542300x8000000000000000330916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXEMD5=C216EAE8369D13248C84F608A0EEA3E0,SHA256=A3E3AD1D02E546F3EE67C0B98AA63A2373DB8BEDA63226E267182C7AA6B06AB7,IMPHASH=9E4C2B2F00FFE021FA7C05BF9CF2BEEEtruefalse - insufficient disk space 23542300x8000000000000000330915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLLMD5=75CB15E2F6CD429FD213C7EA88F955E7,SHA256=D1E8524C85EE87B6A2A8B02C2F87C5C6B1EB7E0EBC171536E878A88C5E16A790,IMPHASH=6BED9084DFBDE5FB2B11CF232B907F35truefalse - insufficient disk space 23542300x8000000000000000330914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowercrash.dllMD5=334CDBB42A8660DE4BAAD60779D80672,SHA256=0A05D4708EBD8FE13AC291A1464B2C170C8C8487F2BBA87663DD0A3C24127F7F,IMPHASH=4108EEBECFF557ECB3F7159B6F786B7Dtruefalse - insufficient disk space 23542300x8000000000000000330913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.759{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dllMD5=3A8DD3A903F8E4BA6DF18C4590186B58,SHA256=F000A50D0C0C45CA5C52D45E007921BA33A7332A05099A25BD377F1AB2655E64,IMPHASH=E3A5C6CB39354F4878F90E9AA1F0B6D7truefalse - insufficient disk space 23542300x8000000000000000330912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.728{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSORES.DLLMD5=1804412AD2F09D4EEC6C927058DFA418,SHA256=239C8A159103E42D1B407BB64858D80EB761C5D198B90AD57079B5C0CFFA2F25,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.527{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F02DBBAF9B9E5908F2ED3794AC48EE,SHA256=C7EA27F8F2DDCA6DA4D331FCFBCE352BBF2DF552D592CAEA84B93D7A4F7FB8CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.835{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.836{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.788{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD3D7D6C7146CBA9AB4D5A11FE276E3,SHA256=41E1CC51D08AF22A2C478AB1C12D1BE2D80396EAE09B99280E994BEC55A54DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dllMD5=2B5CC278EA7C78F2800CFACCA8E3C5EC,SHA256=208B161B7E428CA47B19ACCFB0382AEDB661A89C003C6D34EBA6ED9B4911753B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLLMD5=86D1F7AB366FA52B3693F611D6D82226,SHA256=5D31770B08759324705E45776FC926E87B5134D6908DCE0BBB5C661AF2DE2625,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vcruntime140.dllMD5=31CE620CB32AC950D31E019E67EFC638,SHA256=1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF,IMPHASH=B06D4116DA69A513992D529F84731E6Ftruefalse - insufficient disk space 23542300x8000000000000000331206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vccorlib140.dllMD5=3A2C18EF2DF37EA41788F50042774C22,SHA256=EA85134227C8E5A23A63D60E6CDB2BC38F925427BA75426A3BE33212435E1741,IMPHASH=E2C243EAA5D873A145FCEF834080DE02truefalse - insufficient disk space 23542300x8000000000000000331205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\ucrtbase.dllMD5=BF5EE52BA36031A005B3D7B15F1CA090,SHA256=5A41249C27EF3253B690F95A0A86ABE2337C3405570602E7D8DFD7C3445FF923,IMPHASH=C060FE320860AA232972D941EF87C2A9truefalse - insufficient disk space 23542300x8000000000000000331204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.922{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcr120.dllMD5=1A22AC29230FF06E278CF85992F48C86,SHA256=3A3F61F1D187142BBA9B37B318F6052A09743FF24FCDB3CEE478D1BC5C68D300,IMPHASH=AA8D086DEB6960B10F8791DF466A5610truefalse - insufficient disk space 23542300x8000000000000000331203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.906{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp140.dllMD5=0A0042FE544C91CD57BC2F7EF40BB974,SHA256=4190F0A1306257CED4975448794E1D42BE312E334FFCCFB4910A4A39CDE9DF57,IMPHASH=6042F1676A7711E459589EF169A5B501truefalse - insufficient disk space 23542300x8000000000000000331202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp120.dllMD5=E3244FDCEC84C99E4B60227EB3B70893,SHA256=81FBC2824E73F0D101D91854694A52E79DB0FFAADBB2A10DEAAF47B3B7F9B2B0,IMPHASH=6CCDA270A497A2C5A36A7F385CC9910Dtruefalse - insufficient disk space 23542300x8000000000000000331201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.891{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\mfc140u.dllMD5=51C91B404C701CC26B8B6DC7AACD8037,SHA256=9F60F7AF82BCEDC3C91D796F9C4442900BFF40A192E30EFC798AB9230AA9F0B7,IMPHASH=EFB56419C1BA206D8C70E3157D5C83A0truefalse - insufficient disk space 23542300x8000000000000000331200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\concrt140.dllMD5=EC5A86B5E7BDFFD50E022E431287273A,SHA256=290F577461B2D4197DB0B7D09341225C90CF066984F965E54C9FA4AA16BA6687,IMPHASH=F7E155027608DB4293A50332363A537Btruefalse - insufficient disk space 23542300x8000000000000000331199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dllMD5=D6ABF5C056D80592F8E2439E195D61AC,SHA256=8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dllMD5=1FA7C2B81CDFD7ACE42A2A9A0781C946,SHA256=CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dllMD5=5E72659B38A2977984BBC23ED274F007,SHA256=44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.828{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dllMD5=32D7B95B1BCE23DB9FBD0578053BA87F,SHA256=104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dllMD5=AE3FA6BF777B0429B825FB6B028F8A48,SHA256=66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dllMD5=8F8A47617DFD829A63E3EC4AFF2718D9,SHA256=6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dllMD5=1DD5666125B8734E92B1041139FA6C37,SHA256=D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dllMD5=809BC1010EAF714CD095189AF236CE2F,SHA256=B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dllMD5=D0D380AF839124368A96D6AA82C7C8AE,SHA256=06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dllMD5=E70D8FE9D21841202B4FD1CF55D37AC5,SHA256=E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dllMD5=39D81596A7308E978D67AD6FDCCDD331,SHA256=3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dllMD5=AB8734C2328A46E7E9583BEFEB7085A2,SHA256=921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dllMD5=45C54A21261180410091CEFB23F6A5AE,SHA256=2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dllMD5=5245F303E96166B8E625DD0A97E2D66A,SHA256=90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dllMD5=3B038338C1EB179D8EEE3883CF42BC3E,SHA256=C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dllMD5=E20C50CB320A5718AE869D8EC4D460CA,SHA256=48C776F38EAED72CB05A993484F60CBFDF5AF59AEBC48E53481A997AE7DED8DC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dllMD5=A20084F41B3F1C549D6625C790B72268,SHA256=0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dllMD5=F6B4D8D403D22EB87A60BF6E4A3E7041,SHA256=25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dllMD5=C2EAD5FCCE95A04D31810768A3D44D57,SHA256=42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dllMD5=3B9D034CA8A0345BC8F248927A86BF22,SHA256=A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dllMD5=BFB08FB09E8D68673F2F0213C59E2B97,SHA256=6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dllMD5=F6D1216E974FB76585FD350EBDC30648,SHA256=348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dllMD5=FCBC2253DC6927C4F792F44F805F609D,SHA256=F953813D76D89B11E580561E90541E1CFAAE98E5DAEAEABBBCCE43C3909515A0,IMPHASH=9E54CCC4DB31FA1F3F0DFBD27A4D2A5Atruefalse - insufficient disk space 23542300x8000000000000000331176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.797{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrw.dllMD5=017F5C59D1570660FCBC09B775922104,SHA256=103C8356181EF954B83E09466796D70FCEC0AF3E048FEE4E152A4A02C010A23F,IMPHASH=1FF0EE6C59291003C7C25125B92B9FABtruefalse - insufficient disk space 23542300x8000000000000000331175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLLMD5=E8EA52F30AE11327C3106A66E9BCD177,SHA256=E7F64C546D2CA91E9B5B9B8A5A9140D0BA670668A81A91E55AC732D72D1E3BDD,IMPHASH=EC76EBB699F78E1B6BB06CD54BF09B8Btruefalse - insufficient disk space 23542300x8000000000000000331174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLLMD5=7CA8E12C2AD558E4CA5BA004078D71B1,SHA256=F1659251342B217472AD50B552D0BF3FF139322320C6750FA45834151116EB80,IMPHASH=D7E0D793796BFC07D5055271853035B9truefalse - insufficient disk space 23542300x8000000000000000331173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLLMD5=4931571BDB7B983C918874B2794E5C30,SHA256=775CD962D62C2B1491DCD393410ECECDFAC4F54CE8533AD7C4A152B8B84B80C9,IMPHASH=3545B80D968C201338FF5E9C70E49DEEtruefalse - insufficient disk space 23542300x8000000000000000331172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.735{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSGMD5=0AE4DAAE09D2390DB9B6E551BFC11CFB,SHA256=EDD64B3A52776B147EE73CCA9D91753889C814FDD9CAB4DA018164232EF4B05E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.719{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLLMD5=3B2D6C7AD57EB2B25427EE10FEAE8C39,SHA256=718AA5D753460B88F65E7DF949D3C73A96005B0D841CAF6EA8BA1FCE1BA96E4F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.673{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLLMD5=B77F61B5DEC6D0C4FEF5019E9953B5D9,SHA256=5A559CD225589AD4F9268EFDA0D4A23EC22EA41038DE5AF20265E96EDFA11C6F,IMPHASH=9E75A291EF84DDDE3F4D891CAFF8C177truefalse - insufficient disk space 23542300x8000000000000000331169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.641{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B687233A55BFBA72D5B9CD237FB7D5,SHA256=8F80CBEA72C14DEC02D868367EAABA00A0FCA1FB3EE95CAADAA8BB58A31F7019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.641{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLLMD5=E89E8B7620E73A02B670E8FF391F7700,SHA256=7CA53492D89FC8875504E5BA59CFB65F5CB03041973C3F68E0D16F4583ECCF17,IMPHASH=150029E984790C7A698A8E7E9FD2048Atruefalse - insufficient disk space 10341000x8000000000000000448092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.382{45AAC21C-B481-63D3-CD03-00000000BC02}42245456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B481-63D3-CD03-00000000BC02}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B481-63D3-CD03-00000000BC02}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B481-63D3-CD03-00000000BC02}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:49.212{45AAC21C-B481-63D3-CD03-00000000BC02}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.578{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLLMD5=455994351B9C675D023701FC8A73D2A2,SHA256=BC83251F675959A95092EC104225454E012F2E3511BC8D03911C9E438614A0BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.563{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLLMD5=CDA3EA478C604783B76964E88FD7030D,SHA256=DEBCD9E5DA29B2675C95055DBC342B74369BB5ED34ED5BAFC0738F470D5B4E69,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E61066020EB6FB6549BD60A62A3483,SHA256=435CD94396FA82349565E509BA4EE343762B6C2A10B80CB5E3C3D0C385A879CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLLMD5=19A2B21377116883FCEA7AE13B7B5F37,SHA256=79C34CAC54D9177604E6FFDB66F59913EA55C12A51D1A9915A7316BC9FFD1758,IMPHASH=4B6049F396D01CD038F322BF60C4E8E9truefalse - insufficient disk space 23542300x8000000000000000331163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLLMD5=358F9D603D007181E06BC7F5D31C8261,SHA256=6347CAB852374359EB54348EE5FE37B4254B6DFD3E43C6998ADAB81342FB6160,IMPHASH=0CCAE91A41C5667EF8AE4CE1E86D292Ctruefalse - insufficient disk space 23542300x8000000000000000331162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEXMD5=72F5C05B7EA8DD6059BF59F50B22DF33,SHA256=1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.547{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEXMD5=AC1A4D9488BA1EADBA8E75DE999F458B,SHA256=23D1353BE7B274F49B81681DD0C38EE8610A4AB474027DD0E6E785F4F78BBEA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.533{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITSMD5=C5E1AACA8C5E036362454EE35FF58954,SHA256=C757B055C46CB251E3156C6A330C3A1D4A2EEFF9E6033639BFB6DBACBB28799F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.518{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLLMD5=16251448C6A8DDB7E3C99030973F3C8D,SHA256=51340679CF9822E4693115915FD3CD429A42B1D2960B241DA88023703D9A9024,IMPHASH=36A115A16DE18D80F6C6E43ACBEA1D8Ctruefalse - insufficient disk space 23542300x8000000000000000331158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.518{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEXMD5=F2F705D54ACE093DF8926457457CEAAB,SHA256=F062122E982549CACE246336228C99D06F9A593E06771437832DAC14C23C1622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.501{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITSMD5=F070EB5C7F32BC459F28868EBD7366AE,SHA256=6C00FCD51C975866AF367AD05F5D6A918F71E98E98B7FB0251840A8C98F194AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.486{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLLMD5=0502A480170F7F34338DF071A7C8E912,SHA256=2DB39D2563CBCDC6EF3F5AB87C9AB935E74D2AB72E7E0ED5D21F3C7872692212,IMPHASH=36A115A16DE18D80F6C6E43ACBEA1D8Ctruefalse - insufficient disk space 23542300x8000000000000000331155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.481{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITSMD5=30C994B72C8C51A6BDB179E8C65F4119,SHA256=8A1D16B3783F1CE30B0A961072959AE94BE5822E659C50DD2325FCB1B443C9C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.466{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITSMD5=0F5FEF8BAF126FA8D17FCB6C9BCA60E6,SHA256=C122F2C1157563D8DF9C7CE28C47FCB2C6DD8BEF81BD0718444D830FBD7AE098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.450{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\THEMES.INFMD5=923AB7258E7D5067BC98151B8C655122,SHA256=DE50EB8F5E6A91D7528D6C8F9182672C63BFFC67C75E8B8452C41285913D7CA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.449{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.INFMD5=FC0319A91851214A949BEE6BF652E9C7,SHA256=4E33A4F9B3860E4297EF616F2AE7D9180AF22DE743A6D856C2808A2269EFC150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.447{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.ELMMD5=42FBEAC23709FADA0172325C90B16A2D,SHA256=C8C3BEE802006417B55BD38B425BF0A0B81C3B530B0071506E604ED43EFC188B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.444{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNGMD5=AAD47ED974F403C17E8BBE7E06C06AAA,SHA256=CE230D731AF61A231E0302D80B55A546B6A61E541B0362AEAEE9B1BCB5C2359F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.443{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\PREVIEW.GIFMD5=6D337EEA691A1040F3CB656236B96603,SHA256=157837838E1389DD95E5780803CE8AEBA67B18C4F3DD906A9F205D88E3327926,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.441{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INFMD5=63E2E89F25CD6C90F6DE2F92E33CAF7D,SHA256=4DF728DA652193F0AB69188977DC1AA0A5377E1FF1A1E26E86AB97784D083362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.440{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.ELMMD5=4E9217B8378494F4F91A5F99EEF28802,SHA256=0E11F41027730AF2FDA94CE7649AC25041359108C2DE4C875B00160E27D1B7F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.437{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNGMD5=98064570E3B9604CBFF7F5CA1B0FDD94,SHA256=9274B2344A6647687117F92E6C1B19EBEE9F5BDF4AB5E36EED6A643ACFF72D30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\PREVIEW.GIFMD5=5E9A13033FB5337C56FA29ABE5EB5B44,SHA256=D153285C008ADFCF12990FDCD1F1523456C1AC763DA06B9E731A6F91B427E005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.433{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\THMBNAIL.PNGMD5=62CAACC449BC5EED31482CE1AAA50893,SHA256=A4CA7C53E5217BE9831A893BE66F929D8DD17CB88FBF0B4B200E29374BAE8878,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.429{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INFMD5=DF6B1690621B690AA89B8392656FF228,SHA256=0B759C3FB8A35D77625EA0E56A98A200E359D361D02458E51B7B81A66788B33B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.428{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELMMD5=C28E37335BD78E5035406AB81E03A3D5,SHA256=1F785E694D0D8EF7AF167FD24A3B132A9BEC424B71CB6B547676697C2BDEED34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.424{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIFMD5=7299DDBB6907E79C4931D5FECB865434,SHA256=F0FB02EE401BC09AF0862E05046E38D65CD1BDA1540D43590F430535F0EE0E05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.422{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNGMD5=808C7637F14B2E24B8A466C351A86EBB,SHA256=052F544267D47AA0C3866E138D084D8545E227F4722B4B459AF53B28961ECFA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.420{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INFMD5=AB516394217E1E49A053C974F5B3EBA8,SHA256=0254300E09A4C1552E4CDBF65CB64CF8A87BEA75FF8C1786BDA30C2052604416,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.420{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELMMD5=055A948852E637092C573492A1F41835,SHA256=1ACB76CC64F979DF6ECB975A8E98D2F941718EB1F6908AADC61BA93185242704,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.417{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIFMD5=CC7EBF71409B855CF9578A2178BABCC6,SHA256=1D74B13E7DFAF744A56FFC6906CF2EB59E9FD674621392DCABD50C375FBBE551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNGMD5=BABF2714A3C374BC74279EB1A7503730,SHA256=050C6F742204F9F6322AE444B58BB3A2BCBEFBB790DD67B9C07AA45EB0646D8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INFMD5=2ADD8E4F53D97DF580A38BB7F9960A78,SHA256=6F7E8A85E4BC01FB3545F10AD939B87282157CF517B02E4C5E787C7843E626BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.ELMMD5=9C0ABBD88A17394ADDE4EB1797421486,SHA256=821DBE2C6DD6039462134158B071076D7CDD7E8321FEB5CF9C67BA78503C45A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A134C9EE0ABA96ACE07F9F47FAE460EE,SHA256=4935081B84653D968A14221C983FA67B0C40F21C13CA95AE1118F7101C59DB3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIFMD5=DDDBDA88B8CE10FEEBA357EB5BD82332,SHA256=2E1BDCF8236713F50A48FBAF1AB85D90D78F87A40A6A59BE4629D563C2D6A293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNGMD5=FEE1A457532B54E1FA1147C3EB5DC7C4,SHA256=7F45F2582EC51D436258482EBC3230D3152D768D91527FC9F3D525883728D97E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INFMD5=7E06C52730B6247308068BA87B96BFE9,SHA256=615BD89F6AEB823F7322C5D871E02237617D24174A35039633C37C4BA94BA220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.ELMMD5=9AFB419EBEA07672C2D982CAB8C27A40,SHA256=ADD5383BBC65F268188EC8F90C75149FBBE7FCCAD4C2819D4A99602FEE9A0BE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIFMD5=B9C82304A21BFDD6C5B1CC6476FCF100,SHA256=89A51DA8AB8E640032087B9AFDC874E084412C3AB49E5840EE8EC13671AABD89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNGMD5=B9687E8F0C1DCCB841E26CF16204D3C8,SHA256=6B83B00134CA654D5ACC0C9057B2B85E242697C83984723D5633FB4B770CAAB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.399{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.INFMD5=5F9338C1432F65FC24F738835D2ECB15,SHA256=679FDA9DE75041673C2C21DCFC8931E3E77215E416B0BBA47E2777004E7C71AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELMMD5=E53E20970E92EE5DE3B6D0100FDBD381,SHA256=2EA74D51E3574546FD99A012A4343FD4C4BB69A1657E80CEFBF8A11098E8408F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIFMD5=2DB3B087B4C49C4F64329C42717D4C19,SHA256=DD7648D32094EF14BAE42ED234478AA9B5CC7FF0582B1376EB880E53BFB85C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNGMD5=2F432751D4367807C39B186183FCFBE3,SHA256=7CAE1977C72CB79BD2E90D259A3B1C3629095CD78B5EAEBF3221600B4050CF19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INFMD5=399297F1492FB054FCEA7A9CBC1AE783,SHA256=26E51C7C912EDC1450B054E2C5DBC74D72DB15F7525FBA9B171FA4036D1C32DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.ELMMD5=8252C81A291242E2FD8DF9910397F9EB,SHA256=310B8E8C55F84AAB27B9D993393B1C0CC143C6784CCF150143DA9D46A1257D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIFMD5=B92780842A88A7A1F4B1D2D6D36CA5C7,SHA256=5E91F9F46EC1209A795FA34996591C766906E678D3BB0D37C59D3BA61C537D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNGMD5=F16A1C74515BFA92CEB97ACCD2569271,SHA256=EDE8924BBE479A96B00957F1D32D0388D689D9CC5860A9D4B28228BD16756F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.INFMD5=65BCDF1892F3A327A29FD273020A13E5,SHA256=72FD3D2C0BD2EE3A27A890A55801EDFC102318F15421B22D3C72F146D851A26A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.384{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELMMD5=9379BA105894633A3B88C4039C9B8A11,SHA256=295DA3E706FFE86340DB9CCEDE6128F7B6F60A785840A47FEB2DB4B1765989A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIFMD5=A48529759399DE66C561CB59EFE965DD,SHA256=B5EFDC847FF8A78024157FA53ECF599FFFF0DF14ADF793D1AE6598B12221E7CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNGMD5=48EA8D92E9DDCAF16ADEEAB7BE2DB07B,SHA256=2D67AAA2BE7FE03E3BADE483BA6AB3D23648944846F2B33CBD146F54C4D7F876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INFMD5=FC93020E11D1149FCC74CA9D59D34CCB,SHA256=64277F042E9DF549500D5EEC7A58DACD64A33C0693FA4A1A9700C91172716BF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELMMD5=53E0547DBCB723E3252B602B9DE4C404,SHA256=B7E1BF5092BB5E9B286FC8704CD0E922A298BE71E76E82611984BD418C469192,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEA678CDBBB2201FAC380ADC64D1122,SHA256=E0EFEE470C5BD65A73E11E487C35F410E1588D28C93714EC4D0548D0AC44CFFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIFMD5=C93CA02421BBF090F51FDB38AEB9A4B0,SHA256=9DF7B3D6323CA7AB634EECDF86C402B40B2D7F5A96B38121942654F9207DD58F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.352{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNGMD5=2BDEF1B25723CBC7C62D1239D7CFF36C,SHA256=D2D2B31A91F6CF72DFE150C6874296147ED5D430344B2779DD9572BF5EE75474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.352{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA79C9EE90D21C30F21152457AF22340,SHA256=1796684056939A82A3B956D4E5E11DC67A7F17B65D18F0895CFCDB6C85E0A6C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.352{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.INFMD5=74B22FBDE8DC4E3955AA802D7C553101,SHA256=99008D636F12EF2DDCBB4D9AAF11EF8233FF4A158B08ADF6AEEAC3BB5B6CEABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.352{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELMMD5=0F414D10894B67FFF5686F30CF86CC9E,SHA256=FCCA843E121006A3AD1BE509DD020429E09B80ACA77B0EDA922DF13AE16B4D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIFMD5=CED6DEC94C6466E41830330EC1325193,SHA256=2432AA8714D3DB4996B6F13AED8C36A5A78CBF4BC514743695BB3B27FE423703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNGMD5=A12FD9AA1C6487FE1815E57BAB4CF461,SHA256=B0CF9EB6EFBF3A1590961BC89CD86FAFE9A19CB41801C29518689011B81E4289,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.INFMD5=8B19B82859FFE63B8CE12B5C28C29A08,SHA256=53458DD18EF8058A8E89A83C7D840AF5090B8D8DCDDEDC7E28B88926B27EE782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.ELMMD5=98E8E3D0B9E09D465A60FC226BDF3C22,SHA256=E89E5053FA6232DE5A707F2E1BA70E40690F3104E9DAC93623C88830A8EEB183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\PREVIEW.GIFMD5=08AE7D46BEB79C5BD85D09AF2724CCDF,SHA256=06EF2ACCCB2AB230B0A28290A031F815E01F95DF53C737357998A88144F0EF2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNGMD5=7EDEACD4460D65088DC948D93EDAC53D,SHA256=96731BD0D7865D4BA3D6EF34FEC552F1A9B06333CC29FB3CB179C18F8DEA33B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INFMD5=CE234B2B8D4F7A256C028FCF3C0238D4,SHA256=D6E0F463EE96B0092FD8240C78AF217C9F4CC47459E3528636A4961F97C0AB40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELMMD5=F276D3B7C0B12271C78B98D8325D023A,SHA256=D62B91C3A22A87B437977A1452936B875A9AAB26508B9EE39007B2DF115C2D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIFMD5=1B0938265C2C3ECCE2930A98F838E1BF,SHA256=B73789EC8550A808D7EE60F0005C99551BAD4291540DC685F3E3A10F9476FE5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNGMD5=8B1655E53F24CFC0DDD16A15BEA72B7E,SHA256=65CB54155B2DA91E57D382681503144B6741DB596E0D4DC6ABE3EA5C234B98F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INFMD5=634E5F7602CBB0C683F9F792A6DAD900,SHA256=73465350790B4193A7190AE8F2E629A557DED90F3979936E4BCCF05E1AFBCFC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.ELMMD5=BEE65C736F0DB7BED4A606D27886F864,SHA256=3315C6E2E3824A792A31C69DD6C93A158DE18AE0F19E107BEDEA995FBAC87EEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\PREVIEW.GIFMD5=CC695CA905882EC8D1177F0D62349992,SHA256=E97023B97278ED6328E14CDCA748A5E1208A4829E9ABA56AB39C07880F50C7CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNGMD5=533241D7FCF0535CC308E34B45AA98F9,SHA256=B698C81F6FDDA70ACB0B6738766054F2E1C7CF1258E34165EBD9775F3FF94CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INFMD5=30769646A61F24F10149E5CA8CAE6310,SHA256=532D3F2BA329D07B582F7EFFB092E3F3CE294609B20B9B01DDC41B60BED8C567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELMMD5=D0084F903D6FF7B0F774D041D8DD6D6D,SHA256=4BCA4BA812B3C59C9478802DD4740EFFB8C2BFBAE36DBB0BD0F7D21B79C85AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIFMD5=7E9C06CDA74E14E9ECB25DD3F8B950AC,SHA256=272561AC48179BFC9F2DC3CC808E451FDCFC64504F7528EEF5B3BEE979C8AF50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNGMD5=A3900BE6B4C76DB5C5AEAC6E7607DBD6,SHA256=5B3BD289494B3D4684D8BFA8415C8AADD98AAF76C6C4DD2F387F27227FEE7AA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INFMD5=F3A78C9205929CF3C050435248FA3498,SHA256=8308F3364A61C836FF468E71AC47FBE0F69591963E98129846D9B53EE0D4C8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELMMD5=B2281647E62E111FE2CB8795A06C7DC7,SHA256=10A16F6C2E28B9474FBBFB30077749DB0AC9ED9E58670174950FBE9935C198A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIFMD5=5C6740CC8AB79265C401870ADFE80E4E,SHA256=B324F5C1ED94FE6047B27380188A628F0101A45D1974DB83B17C8BE2F6507BC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNGMD5=4FCE3E9E1CF91210A745EFA9E8F7F041,SHA256=0C6984F1A91080AE096FAAB445DCC454BD9232A32B8F5818258317215AA8B674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.INFMD5=B9FE6A8E5F66F30D1A3677642CEDE1CF,SHA256=9412573838B65A1C82AD6956E2D4637D54D43CC55FE7361A1A255D8FAC0C8798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELMMD5=28DD35D32FAF2AEBA183107367143FE7,SHA256=203B9196FB89E4118B4748EC03ECE50DD60FC45BC1D9E3ED69E4B4F45B29CCD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIFMD5=9CD4BADFDE60A89052F247BA3046C98D,SHA256=60F7F5A9837A3858A8BA4382D52EAA756F81D0C14A13E33E974F0D5AC94314DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNGMD5=C065AA3BE55CA2A62A8A3D968F7C4C3D,SHA256=66F6F2A7FB78E10F73FCF520CD4EB47C5D4BD4CBCDA3D417489F94B1E6465F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIFMD5=24CCD91A1EE7475AE9ABF6E29A99FB22,SHA256=D87E0D12A05656AEF3A0BC364292E37C07F6AE7CE1C76B38728333D674585777,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INFMD5=60E4E9C6890926007E4CBFB17C2FF300,SHA256=1C8D066238FFB792E7EBCEFB9D49CE1350D44B9756A7146A464A9F1EC0AD6D7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELMMD5=67C0F1E8FF36D1F73AA6CB65C68C7126,SHA256=D1CCEA095B0A96CA869AAF287B69B5DFDC23FEE898827AAFE59FFD23DA545D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNGMD5=20CA507434CF913F0869E4A463F114D6,SHA256=A258C15A96788EE5B391A038E19A85AAC27AD9D396AF2C0A815E5CE29846C861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PREVIEW.GIFMD5=F91F526D336EC18D3B0D8C4003E78A85,SHA256=CE453FCDBFDE8FEBD44316DACDDB0952E5E7867F60395A2EAA321829F677844B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INFMD5=0D770DE864750611C25CC8B844352417,SHA256=51BE77A6562330D36007E2D5F45DAC0AE58E013FEB872FE8370979B2A35E3010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELMMD5=454F1FE52DDAC8279579674607B05742,SHA256=31112E5C15AF562E681434FAE97D18117C6B9BC65D58820A366D4FEE2D2C7A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.305{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNGMD5=397AC5AC1AFBDAD453920DDD61221886,SHA256=A0E690FDD3D5550320A4DE2EB018AFE2DE61C5ED8F8A850006D13C5282A5B660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIFMD5=89762BD26C0AF53967256137C8F79E79,SHA256=AF64AD86AD19E643CE61654EF6E90DD2A585A0543B760324E1A47120D27B19B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.INFMD5=45A92CB536DE147C246B284087B41DB8,SHA256=93CB4381D489CEFB2EB0520B09B9D1CB16EDC93A56F65335AFDCC445D22D4C26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.ELMMD5=08D777F215AC90CEB70AE557894A84FE,SHA256=1828F8DAC138B89973E19698E64B9F832E612AB6F11C39BFF61FE9B321ABB4C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNGMD5=12562873E62C13D24AEE209244026068,SHA256=94EC0C324E328DBDC14C18240B3D1EB865E25EE2CBDCB40F61F017B2DB338D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIFMD5=7A0FB57704C3CB75AF928C633FB5C3D3,SHA256=93FC30AB709689029FAC4B23285568658BB703405F3FEE92CC268B959AF41F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INFMD5=D90A37AA37866C3B8D711D24B29B27EB,SHA256=6B684994E46D7D7015ADA1E30EDAE87275ACEDA238C7DBD0130C5067B8646939,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELMMD5=D0B2A52A880725F40208D6E1BDDB4396,SHA256=3748ECD9A67C888BE1D250ED9DD7782CC456057311B2887561BEE568FD3733CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNGMD5=9CB50C9E98E82E295AC45AAF90953B75,SHA256=802430C133012670873E85F5AF6656BA8F6CD5CED204413DFAE8566919E5B4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\PREVIEW.GIFMD5=94839FFB68AFE8ADF144E0DC54A60872,SHA256=0307A5278A502F9E262A08F0480C83982E007F7CD6EC9452A0B5D1E12C9B0E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INFMD5=666A26BBB90AB2BAF88A7EE82F056AA4,SHA256=0A293106355074C36237697B88F36E38B06B97F7BF5BBBB8A27B8FE54965AB86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELMMD5=3B6744AEFA91318666307267C9D9C5F1,SHA256=F35BA5B9B894FD07D6B92AD1CDE1EC8077C7363C2E672AF3F78F3B0B17E6279D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNGMD5=F2537FC7251F0425C74E6999858E8FED,SHA256=A6E519107CB2B755687FA8B23F3CF9A314D5AFC066F89FD7A24817AD8F126AED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIFMD5=4BFBDAB48594BCA2AFD04912B7CF4EFD,SHA256=A3790CCF62DECCF6E326E3FA98DC0D3C8D4C7B2448BBECE75F77FE965FE6AD3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INFMD5=AF0C2E5286196F1ABC042242FC12FF86,SHA256=E76FD736C806F90646ACF9157D136217BCAA716AF602846D68741E3468E15593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.ELMMD5=A1B02BB8402D95A5EF804E58FB49A2CC,SHA256=D1549795DB2D14202359B525EF4625C8CC270133E830599AB965849726159E8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\THMBNAIL.PNGMD5=B5F9B548969F1FD9411D843AEA0554F0,SHA256=6E986113ABBF5514783B7A181CEEDF2DC0E390232DCB0F889EE27C9B8945D3E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIFMD5=220B4FEA8D6AF78D77A49E36FEE9A7B7,SHA256=48918B5EBFAD3FBD13FDF360E68BD529CFB794E416D4CDCF62B755374543A5CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INFMD5=1477FB48B40B9157483059AA9C1B0B99,SHA256=93C60DB5D99F8E1854FD8C266D919A9251ACAAC912054F7ECEC9EB8219E1BF0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.ELMMD5=063CC061D38B72A80DCA3DFD536BC56A,SHA256=CF3B4A9F646C121FBEAB3309B2BBE68503E21C7AB685CF7770FAC97A928D155B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNGMD5=8A099C27A764B27F3D839E82BC7252D8,SHA256=DA9447159B9892E7F849944A94F238DDECD0936FA2228C76970603BF2D5626C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.274{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\PREVIEW.GIFMD5=2A8FAAF864EEA471F96DE632BE07B89A,SHA256=1A40281463C5E618794E814A96FE3F2E006BC09375AB92532F683D3D0DC20787,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INFMD5=2E666809C30A3DB17E350F6EED52A910,SHA256=5F74BE1B10D8BD772DCBD4A7110E7174B6E144396E9695F94933DB84A8A21CC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELMMD5=0C24845FAF2E207146D5A2E8AA3B0789,SHA256=3CF08CF5BA52A2D9AF8742C91B41801A68DA01BDFBBD2941D1F0A133EE5CDAAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNGMD5=9F75EBE4A41BD9946116AF8143474EDA,SHA256=A0A9C34DB7D06385D9A70B82B0C36EBECECCF19CD69B3E8383AF5A9C87FB1C4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIFMD5=441E29CD847FC047A59D6D312319CCF8,SHA256=A50429EEF83D2B6A8BE251A847C48DD96C5029BF5D3E473D309BAF7B473DFE72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INFMD5=77546C16158CB11DAF76644D0E4629DD,SHA256=7BD791DB0574EE0E755A903ED174B13FCF2E3193F23D9FD3CE044D69100B7D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELMMD5=092DDAB504C079157B75D01EF8D978FB,SHA256=AC4DCCE8E9D6BACC0B0B08054C4C8EB2684EE3FE8B4CF9CAF3BB8B09029360AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\THMBNAIL.PNGMD5=970602E0E9BED12A5023EC38BB4104B9,SHA256=4EABF3B176EDD992B387D2DBA591D534B32F948E0A1762E1DC924AD47E061A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIFMD5=48FBB1DF538D4B6512F8A52F740EEB0F,SHA256=B1F2DCDB59A14305B5DD99B1405EECB3C5F5CB314E6FB332B5D271C892CF390E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INFMD5=A7127CD687A93EA08AE2640FAEB68E6C,SHA256=CB0A2BC89F5A53EFC8AF28EBFD2DC41CB53C7ACF305233996081E6014857CDF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.259{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELMMD5=4B03B8F1EF2C0DEFBDDA5864FD4DE573,SHA256=131CE38EB5B4912880B187A52C76A55829FA1F97682FDA6ACE319DF0A28C4F28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\THMBNAIL.PNGMD5=69802AA9F40EDE774F54C342AA482B74,SHA256=05F0C81C667434B2CAA16475F4F4F7F712B481E582306A9E8444567A90C871EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIFMD5=C540A4ADD53A9661EEC418CC36CC3EC5,SHA256=F44FAE726574F4CF18889A145621F485C77554D71011339DD27DF6A02B2271FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INFMD5=C92BD303E6FB2FBBCAE58C94ED21AC78,SHA256=9A9364CA10B291113B5A0D30870B9A92B3F8B1DA0C5E6892959258B7BF5A4172,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.ELMMD5=5B788ABD6071AA050817EA549249FBBE,SHA256=D6D3B8978813762372ABD41E36D7DF3689EBA2C658E64295B4C2F42739E4A8C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNGMD5=40AFEADD296FD403DE6819C7110D9F00,SHA256=73567FDDB1C83375FB44DF38FC8DBF7ABB719454B0CA696F49B2B5CBC665E15F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIFMD5=FB84CD5AA67231103447A624AC04F5D6,SHA256=F3AF62927DBCBCE5E3E0E917208ED584361997C496DB39B89302F79BF34012B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.INFMD5=6D5AE186C103E0F8DC6C684580298D40,SHA256=5369AA9E371D87A983C2061949301F3A069796EBA17BB13238FA93410A30AC1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.ELMMD5=54984F6039614F5DE584B3F81A6ADC5E,SHA256=92AA3C4317A4D9B2D47A0B13115943CF7FFD9063E9BC1AA979D903FC156E6284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNGMD5=8FD0BAE027A02A1B9F8DA12BDFFF65B1,SHA256=35D99BA1C3340D3BBBFA929D157C5534BBD465442F3D204E8531665907F4EACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIFMD5=729EE4A58D9909ACF7D5C9C24D5520C6,SHA256=3E928BBAB08D67EADF530BBC4987BC74CC9CFD82B83E27F301817D4C9706F5D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INFMD5=EEFEEE53ED52350B376B8EEC2669A15E,SHA256=7C64556762B100164FA62B69F5205140CFFBB66F1043101A7FC53944F416C362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELMMD5=3ADB926FBF3CB4D7658DAF59AD98B990,SHA256=2B150C898ACF6BBB1B693CCC53188F78AB5A483C44A0365B008CF8014ED24856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNGMD5=70525BB4021AD636B5891731299DCC03,SHA256=CF81E6BD2BCC2A200D5B119761D7AF891C75F49917371E777D0EB90B8A5BFF87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIFMD5=6E3A36F976D7AACBBACE25B9DD22F6DF,SHA256=B80C973BFF39F1693FEF733FEA91582608FF7044D113C6520CC5F88795FE6CF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.INFMD5=394800900F0EE48F9C3BDC4CD0757048,SHA256=A951DFB442C9B71631667159525288624C40EAC7C456B7686496298102A0D3EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.ELMMD5=B150B21A1D4D8BA1A1300E3D444D85F3,SHA256=1BADF28294C35F858E22A1F78D066312FC7652C4450DFD031E8EB713198CC715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNGMD5=152EBDA8AFE5F294F9D12F65F2455FCE,SHA256=DDDC4D5CF18C5C39FD0EFCBFF8EDDFC4B4F9CD64947EBB210D4BF26317EB9314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIFMD5=4C99AE7A0A801A80AA7BDE66D5D4A865,SHA256=8BB1D4718FC8A0F828815AC7B51E3FFD14AF45DB3D64CB442067697326E7233F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.INFMD5=366A36D9847A942B72433117CBA2A2B2,SHA256=650A9BBB3AFD2A94301FE65E5B7EB880A28B7908A413BD59C2905C5F9C59C98F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.ELMMD5=5B967D97116AB63255638404647B8650,SHA256=15CF48996B2BADDD2A383CC2BC0BCA7C485D2DCE14DFCE54FFC1C05A399A8953,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNGMD5=74C90A4F1D2F5CC26D9715E448B82B35,SHA256=A6167613EB70EBA0CBD2D2BC428B430714EBAEF7A858A08B4EDEBCD3599C4A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIFMD5=0E8DA8EDAE774D5B23AE6EB233BAC5F6,SHA256=C37E60F183F6E4533C30D56B1611B2CBABEF9F54A2938618F4A377ECB20CB526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.INFMD5=59C525ED8549C24114DFB79D73152CF3,SHA256=2F88876C268AD179B93FCF9F5CFB05FFEAFEBEB665512F1C91442D4B11C5D9A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELMMD5=547EE88653E609D73010A0FF38355624,SHA256=93F05B75AF843D2305CB9E08723AE95E1DD5171BD8EA9986E9A5E805BC56A3A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\THMBNAIL.PNGMD5=42F3D266482F6E08F68A1F7DF8B47ACC,SHA256=AED1A75377CAE77535D62314EC276045AF7A223939B8F1859576EC5729A1F534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\PREVIEW.GIFMD5=7B7307A7452A170C192C9DA9B7762B3B,SHA256=38DDB0414DB9409362BF8A42AFA418195272C4A0D4DF0CE4F438AAA755D3F667,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.INFMD5=669443036E68DD4038FF7611A515E697,SHA256=6CE49CB71B6E249B1B435DFC4DF0056EFEA45EA571D8C10BBC426409167FBF8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELMMD5=88CEB5DA047A1BEBE5F624FA92FBA368,SHA256=CB211293C7C75844BF8CEDAE5C1BD229FC3CC115315A8ADD9385FB043656B042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\THMBNAIL.PNGMD5=CDC4CCF13DA5F76298BC5793AD29FFF6,SHA256=EDBB9512B16C3FB14D9F705C51926083A8B4ED5F5CD4CD323CDA1C5DE7B84D61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIFMD5=2BF28053F0AB8E3E40B52ED59FA40FF7,SHA256=D9B1CA0A0F8D068DA8B588C1C57E1DF718816BB2EC1F39F36F7404C69B7C21DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.212{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.INFMD5=478F7CFFCA0B36FE454B7BF37FDD2CA8,SHA256=13B8EEBC065E04B462D8302524E7AE47DCE1E85D15F0F5253D147A6E07FEDD1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELMMD5=88B58AD7EEFD40C5A46729268CE01EC6,SHA256=70A1C09CCEE6E0E8675574AD25DB9E521F23B8D06601E23C37F622CA88DB6E89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNGMD5=A6F8E5E4972A965094FFB029BB3526C5,SHA256=5154BBE8F87DC6DE02524E8A6D466117F3D4B624FC38DF6B72D70D9A26EFA4F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\PREVIEW.GIFMD5=1DD89832D57F4A3486C1F23608FDE67B,SHA256=BBAFEB3EC93B76217EC0417CC29C435AA54E879EB0442CB670D847F9A01C74B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INFMD5=F41285E34DA7DC75759C38B385158A47,SHA256=15312FFA9F3F364E02EA9F55D4B9849F5D832784A7A86D20FCCED449560BB6B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELMMD5=9F3053884FC5D2623DA6D3448B2D3C49,SHA256=E6A78DC3BE9DDC8E653AC96175956334D265A4C281A949D897621D93CB51857C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNGMD5=9626B6D0A0AC9DE5970E0538CF24557B,SHA256=4EADF94EAECC6DCF834D954BB5740EC0B43D506DCAB13B979EE48F86ECE04F29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\PREVIEW.GIFMD5=97E00AD3565127BBFB1F60ACC06DA925,SHA256=DBFFA7B8A3F3F82FFC6AD56FB3686448DD61ACC5B370664953B775A38C8FF01C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INFMD5=AFB0B39FA6C2C2D1FFAE2519C7C3C116,SHA256=51629425DBAC1924BB8FC555BCB80E7FB4A69290936D157509677BACCEE2BFEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.196{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELMMD5=3BD8A226A6CC5D50FCFC6B5958B75FAC,SHA256=248C1A5C52E45D8F9B62A1D9FFE59ED43D94EFAD2650E42216062DE1EBAB979B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\THMBNAIL.PNGMD5=5CBE6EB80A21280E29CA963B93DE65AF,SHA256=E2EE2041CFD06582E36758F289840E9334D0E4B2612796138CCA45B9D43FDA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIFMD5=8CC0B1A7BD2D7DE3F1029A2E034C8D1E,SHA256=1D804C8EE46B7995BD2865EC2B8545A938F5FDF3E8BAA1BE977E9ED74A37DDC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INFMD5=09D030A74DB9AF87FE5272AB8F11C48E,SHA256=3CD3D8690D97F445EC5320D4231D91BA447FC21A41E078DB2DA34CD3FBCC0118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELMMD5=207AC7E00D13860BA9F3CDB94D5D4D8B,SHA256=62ACEFBA58FF54382B039993942DE7A142F8F22D8F15BA84E8C8D5E98C8C1EC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\THMBNAIL.PNGMD5=E47A414B3AA4A200835278F62F41247B,SHA256=EB1D06F3F5EBA74C1F779038DFAE8E1F53A8D87BC7964F16405572FE3B239318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIFMD5=95DD8E42CB979586A685EAEF5BCA33FC,SHA256=EEBDC56C340E1A52EC8F48E87CFEC83F7108961B0512FAB163310A889346CDE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.INFMD5=DFE800ACE985461F21FE12DCAC879127,SHA256=9E3FB6F41F0BB4A12F3C7FAAC65DDEEB6CCEF7CFD2B58F446269C3A3EF783100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELMMD5=B4B18174F72E10B4F5E26764AA7CB4A6,SHA256=57B4F7733D59CCBB5EC17D42EB55B4B90918DF2AC7DD4516AEF981A2C92C1C98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\THMBNAIL.PNGMD5=1AF6126D451EDC8CC8CF454A565423D3,SHA256=1122DA53BFE83AFCFB5748AE288B0B4ED78314FD6B837794611A65AA93B2C6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIFMD5=2A3DD7520BF90775598104C0890471F0,SHA256=95BA0215FD2B02EA7D6E8F4909B545A7A9B5B5A8AB6721E7229856C6891B008E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.180{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.INFMD5=51F3CD325073E034F23E54A2D8D2E4F3,SHA256=8481AECABFD5E830EAC908592168F12FFAB9C05EFBE76F1C7EBB3C5A82A86E74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELMMD5=B7D5E85F7F969D207BB8C3A2F44B41CE,SHA256=6C90D8972682907679D4A0FF04AD9058DEE6B0A83F3FBD15902EBEC516580311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNGMD5=3B7A7929BE3C3133569924972EBA64B6,SHA256=A509EA8D2AB06455C12E19402A9FA9BAD4A7425FC11316450183B0EE97BC18BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIFMD5=401569F3DF8E4B103EF9EB7F8A4AA971,SHA256=C2106BA8DF447C7966ED8A8C553342A4879F365DE9C11B4C9BC9A4C407F12813,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INFMD5=BCD550D7AE23CD6079AD2D31273648C5,SHA256=9922B9FDAFF6FF88AA150DD0201E3FEB5F23401C303200B5A2E2E397C9CBDA41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELMMD5=B74D2D738225022B8FFD827DF40E25AF,SHA256=39C6A6AE938ACD0E61D17901079D71AAAEA22E15FFA11209F85A0BF6E1E5ECAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\THMBNAIL.PNGMD5=E436AFBA8080B841A395191CF72CEE35,SHA256=5EBA0DB294948F58DA974C71E08DA1B51F7764EB82777D0039E4FF856A8F91AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\PREVIEW.GIFMD5=C2897277FB83B5CD70F54D0880B9BF43,SHA256=47870B3D3F8147FAA0BBF8ACFCDF09D5ADBF470729BC9A1A5D8762635D47D268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INFMD5=B6743B451D2D88CE1DBBB8F9222C24A9,SHA256=9CD8735F5F6527A976BA47895E3F795C2E07AAA02FFA942FCE0EF51417506978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.165{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELMMD5=EBC2C59F4E5B87EDC47838D1D220E7A0,SHA256=98683085184D70DF27CB609E23C9280682EDB8DAF84DED7E0169807FA968E6DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNGMD5=21CC8BEC7088E94DB85BB0FCDB9ED1E6,SHA256=B24F013BBA9E34003C0BC0B0FFFC446F42AA412072DD423E3F9EE71DCEFDB67E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIFMD5=4BFB1AC5298CCE233F03FB9C43C3727F,SHA256=47526CD485FF24135F2452CB81F70F7D038AE4C016BF8087C288091B5D1529D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.INFMD5=F6E7FF8173E7ED9D0CA315CCEC091659,SHA256=29E05D80BBB5A85FA71C5C9219077F1104CD9AF468C9A97344AD7A411304018B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELMMD5=18CF8E92F6CF3501F6CAC6746B03C847,SHA256=0B87F8A4D8A6A43933D22367C06406789E31E46D97D7B6175E60531A2F06E55B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNGMD5=F463B38EB6F74778FAF7B256E9F72D2F,SHA256=8179708146C1F63FB89E1B0A420BC8F4A87E737DCD5E590381D639A011E58191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\PREVIEW.GIFMD5=B456A5D76165782C0B6E8C8792320BB8,SHA256=FC92A35C33C60B6AA4C8216E2A21B17F9497E635608860507D3567DDC5A0BF36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.INFMD5=C2F79371C86D6EC3B2CCED5C53A87D16,SHA256=FAD6AB4C4CAB81E8A6926C20F3F1A2C40F5D39F05A0350B9CDBA4A137767B2E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.ELMMD5=9597924FA7F81D8896B1CAA3BE6FA6F6,SHA256=72079C372D4353A141C9D34C8FA26207EF1A34E7A4E8BD193A16C221E7F8E78C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.149{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNGMD5=9B55336D8F2BB01A922A8F4CBE79948D,SHA256=612B43318CD6B8EE455ED379F714EDC40945DA576B3BCF8A4C8BACF94987EED1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIFMD5=A652E0FBA63EFDE91243D5AF7BDFF63B,SHA256=6EF375CE03721CAE94F26C87EBA4AAF4A3832A77300F1B8A93EC1B2336AD3A66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.INFMD5=4B83E7D608AD91CD886263C80A79028B,SHA256=3ACFC662436090CCC40E11E832F1C32B7FF2A07360B17A5F928EB986B2A14D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELMMD5=68365BA82747DD7B1E0974542502266B,SHA256=50B77EB23685B14014EC0DBB70579B5668274E64514DBD2D80370DF7AD12440E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT632.CNVMD5=235CA981A40D197B420CEAB0569CB7F0,SHA256=E69D86E305CD1F3CF223E9734C0CC30ABC6378DB8CE98A14C20E79BAD5829828,IMPHASH=68906A61E24957262129F77CEB2581ABtruefalse - insufficient disk space 23542300x8000000000000000330968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNVMD5=2BAC00373BCDA1AFDA7F8D9761285F2B,SHA256=85F662D50659BFED560A51851E50D97EFF761A13036D7BA23D785AA4006EDF0D,IMPHASH=C5C6BB3D0079A14A72F1BBD25AF09130truefalse - insufficient disk space 23542300x8000000000000000330967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNVMD5=36A93271325A1AD31CA158B3874D6238,SHA256=0E1F30A8C7A067FC53C4E2030BA3EE59F922E90B04BFE94368A79F591BF7A1CA,IMPHASH=7B9B11E5CC915CC416A100F42644E689truefalse - insufficient disk space 23542300x8000000000000000330966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLLMD5=56672F3A04C94EAA0351ABD358A4CDCA,SHA256=9664F7D906AB7C010A7AAC14717D8DAB0A0F4BCB1139A028179577C9968C460E,IMPHASH=340B904C2CBB3E5AB1165C08E714E53Ctruefalse - insufficient disk space 23542300x8000000000000000330965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.120{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXEMD5=20E309162EC15673A44E3907E168030A,SHA256=6D222CBFF2AA9883415D347BB834EC4688297F4C7062C6C4D5B1E62F8C5384BB,IMPHASH=B2FD695767EE193CE60B3BD06DF73BD5truefalse - insufficient disk space 23542300x8000000000000000330964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exeMD5=00B86644F0C08ABED43C1493DAF5E4E8,SHA256=8E5BA62E1AF68D2C95E8565B4AC8591E159F37AA71E8AD715B592F0E52A7ED2F,IMPHASH=96E4B794BF80C87811A9631CF18FC3D6truefalse - insufficient disk space 23542300x8000000000000000330963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLBMD5=B25764C3868F283D57DDB1A2108985D1,SHA256=E0A6CB59A8430BA886614384D021EC7402FB1AB472F281930187AD5F39E92B63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLLMD5=A021CAA37C22DC0EEF698C906391B2DC,SHA256=1FFE9F2F0C99B866DD8A196B67976E09203E021E8F779F317DEA946E5DD5F174,IMPHASH=28A0FE93B35508770B552BBE2A79571Etruefalse - insufficient disk space 23542300x8000000000000000330961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.104{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXTMD5=92868B6D600CCB856B40839F64082C6A,SHA256=2735D96B46DDA22A2FEF4B07C665F376D89F57B112A2435CEE2160E57727CE13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.087{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLLMD5=E3E1E259D56137C2F1A0CCCC6C61243D,SHA256=F1EE84CD09D6C2700CA826615133A46021932CB46BCD475597FE1AEF83ACA43F,IMPHASH=7FB45B4B5B69AD8CA56789BA4647006Ftruefalse - insufficient disk space 23542300x8000000000000000330959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IMCONTACT.DLLMD5=839BC17604D33ABEA3C3D93978279DC0,SHA256=4F06A2D2A265A9411EB2C0104E9BC3FAAC448ADC06D1F5437077D210D644C4A9,IMPHASH=6AAF99AE7256144BBB591B63C58DAC5Dtruefalse - insufficient disk space 23542300x8000000000000000330958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IETAG.DLLMD5=3931F67110BDA23BC26C4385DB851F40,SHA256=1735A84F11EB009CDAD20223F2A9CF814C69DF6558AF1125FE57D2C950840904,IMPHASH=C03AA3BE857692B34151F7642CC81C10truefalse - insufficient disk space 23542300x8000000000000000330957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FSTOCK.DLLMD5=324A0A7263A23D2A291C61E2D67327AB,SHA256=C88EBC37B574905EF40C9ABB029E95102D181988E95D7CC5F367F8F2E2154E53,IMPHASH=95E1B996612D55DDC446EE04CEAE7999truefalse - insufficient disk space 23542300x8000000000000000330956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.072{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLLMD5=4540FB0D3CE965336882405EE79EC0AB,SHA256=D67A5AB1534187C7A13E4AC12471C9167EE7FF3564CF46298E410A13314D5CA4,IMPHASH=8DDCA323E3AE063759CC7FCF1CCE1561truefalse - insufficient disk space 23542300x8000000000000000330955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLLMD5=BB083ADE18870F32C0715432FFD5CB1B,SHA256=FFF2872C4181A7FDAE3B1E7C9A5F493E6BA55C51436BA728781E45D14C06EE22,IMPHASH=9811FC5657B2BE6CDD2DC16084AFC4F6truefalse - insufficient disk space 23542300x8000000000000000330954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLLMD5=4FCA06CB7226D238FB66FCBFAC1A5AD4,SHA256=346AD3298092A59E0E997F027F3B9477F885943074D2DBC02A050121494D2B41,IMPHASH=FCB0BF892F4BEB3814EF4B99A127C42Etruefalse - insufficient disk space 23542300x8000000000000000330953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLLMD5=C77314157BFFF1B5AF14A6547C7C9883,SHA256=AAC3A10AE7AF04F7C96FDDD5C7F34B866BF548EF25D1F70E4D5A1DBB9C4379CC,IMPHASH=4EEEF2818692D251574FC3B2840C7D9Ctruefalse - insufficient disk space 23542300x8000000000000000330952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.056{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSLMD5=ABC0D376936D58001E9744051B58A629,SHA256=ED0A5865EA90AB97762DBF6704420909BC6D1926ECC5F3EB570689BDE1AAF595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XMLMD5=A37A2D152C05641CC8374AD33F934D08,SHA256=C98CAEEDA59C585C926FA7941586990BF002D1BC848E01E94AE4EF48D81AF74F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XMLMD5=6F9BF3586040C19871CB0291928FEAFD,SHA256=30AB97F2DFBFBC020787ED9CFDBA0E5202485ECB2BA034EA79508672246F1E9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XMLMD5=DE3456C5219BDD0740ACDCC74890EF6E,SHA256=C8422CD7CCDA3D06A8F7A5F6EE0B6665330A33499B511AFD24D6FC69E92A5060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLLMD5=3B15F6CB5EF0908FDC5C496E5B0504CC,SHA256=94F2D0B6B0C4618E91E64E72368EE1725A9D759C3FFD5F07B932B1C02B45ABE0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000330947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTMMD5=523B9F41C843F0FA330039D2278DCAB1,SHA256=4B8436F876A48428E3619579662244A16A35669757031D62B8E5B2A4453FA890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.040{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEXMD5=167ECC9811F4C0D8F7EAC639E3EFAC5E,SHA256=077AFFC0822E3358C7914F55C004C39298D08AF7DE9A43547E235F92B1C47A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEXMD5=C3AAE163579C2C144489B1BB5F5DC586,SHA256=4C3AA0273544387D19627FC829BEB6E3DACC329FC048076D3B2B49CBA41ACAAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.025{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEXMD5=EB7CB218D0FF5F270E1916D53FE5FBF2,SHA256=5B3A3ECD398C7C68A1F27D516D5078B4C7D8034EF52FA1AB74F1E364FC0E4374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000330943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:49.009{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLLMD5=7F65D2624541B0501D1A2D1B5E9616B6,SHA256=7DA461A73D8627547A8CC6F36FB35E0D7329F337BCE4BE97916C4A23A68A92A4,IMPHASH=A164638C508761FB9FEC0388418C359Btruefalse - insufficient disk space 23542300x8000000000000000330942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLLMD5=F125E0CD7E33487D6186EAFDEF483A49,SHA256=AB2F55E172B939365D809CCC4B507171379F2E0C8C5AE3978938B8D4C9BF5FBE,IMPHASH=B48E6DA1E10BB9A16CE913E52AB04694truefalse - insufficient disk space 23542300x8000000000000000330941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:48.993{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WISC30.DLLMD5=5F31AF0581835DC5AD7D04DD0A14D3C1,SHA256=7FA75933F2951F2CE5CC81F1D884920BE8D719296AFFE25449560F7CBBAAA22D,IMPHASH=219D13552115FE1082D980B98AA9B924truefalse - insufficient disk space 23542300x8000000000000000448118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.868{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01674698DD94036E9BD2A7AEC88F0487,SHA256=97A8D45E3ACC44F5011408490577505DC522C028568874908453CE7B1D56C7B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.893{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO40UIRES.DLLMD5=96361BFEB54DDE134440D33C0C1873CA,SHA256=EDA4C62465F91DB7C9872041433901E2EBC76FA2D7D44B8D6193F5117B9A727D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.830{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dllMD5=6AB5D1322008509EB116F0DD41C4B624,SHA256=7F6A84DBBC5A80E7CA5EF1DF0C2FF45F3CF07689A56D2E491C5E2F20DB8C6C18,IMPHASH=B687E77E6ACBF4A2A6344B10D5A112A2truefalse - insufficient disk space 23542300x8000000000000000331248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.752{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E407EB968FC96983A7B28BA1873632,SHA256=0F87389CA0E30E87202C6AC4BF8C1E83CD711FC4BA4B62446289C4E14F8018BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.721{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dllMD5=2963AFF6E222323AE993FED741C31136,SHA256=5E30EB1B3A53A94483B5EF54344E1717BDAD0B03462F0CF1B37F72C65374FC49,IMPHASH=808D5951E0B0AE2BE188021CA7225DB0truefalse - insufficient disk space 23542300x8000000000000000331246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.658{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLLMD5=FB5BC8E18B417A9F49DC688D37120FC4,SHA256=7F792E232C6110B1B5ACAC8D6A6009CE64BAF461BF23310BDB855036A5732312,IMPHASH=953A1EAF34BDA3765320F30BB9940ADCtruefalse - insufficient disk space 10341000x8000000000000000448117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.680{45AAC21C-B482-63D3-CF03-00000000BC02}42803804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B482-63D3-CF03-00000000BC02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B482-63D3-CF03-00000000BC02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.430{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B482-63D3-CF03-00000000BC02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.431{45AAC21C-B482-63D3-CF03-00000000BC02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.089{45AAC21C-B481-63D3-CE03-00000000BC02}12165196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.039{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.038{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.038{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.035{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.035{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:50.035{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B481-63D3-CE03-00000000BC02}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000331245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:47.377{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51002-false10.0.1.12-8000- 23542300x8000000000000000331244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.369{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mlg.dllMD5=F44756C0490A747D987A6F9C3919AD94,SHA256=683D8A0A1BA2CA642970060BEA414108A412B2934E5032B034486F7AE816D1E5,IMPHASH=2655863A3A082E9B344A90A081CF422Btruefalse - insufficient disk space 23542300x8000000000000000331243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dllMD5=51C91B404C701CC26B8B6DC7AACD8037,SHA256=9F60F7AF82BCEDC3C91D796F9C4442900BFF40A192E30EFC798AB9230AA9F0B7,IMPHASH=EFB56419C1BA206D8C70E3157D5C83A0truefalse - insufficient disk space 23542300x8000000000000000331242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.281{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897720652E2DC219A9A9696A9E0A8F69,SHA256=489748C74A0027594EC33D73A467C5920A72511425744145DF60FB366FA63522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.265{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dllMD5=8767792DA7B2802D31D1C8F1A48790C8,SHA256=4AAD11346AE1C8915195805E9AC943AB1A26A63F46A24D166C639E61C3CF70EE,IMPHASH=F8DCED401C2BAD670774FC21F7994F70truefalse - insufficient disk space 23542300x8000000000000000331240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dllMD5=EC5A86B5E7BDFFD50E022E431287273A,SHA256=290F577461B2D4197DB0B7D09341225C90CF066984F965E54C9FA4AA16BA6687,IMPHASH=F7E155027608DB4293A50332363A537Btruefalse - insufficient disk space 23542300x8000000000000000331239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dllMD5=D6ABF5C056D80592F8E2439E195D61AC,SHA256=8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dllMD5=1FA7C2B81CDFD7ACE42A2A9A0781C946,SHA256=CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dllMD5=5E72659B38A2977984BBC23ED274F007,SHA256=44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dllMD5=32D7B95B1BCE23DB9FBD0578053BA87F,SHA256=104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dllMD5=AE3FA6BF777B0429B825FB6B028F8A48,SHA256=66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.187{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dllMD5=8F8A47617DFD829A63E3EC4AFF2718D9,SHA256=6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dllMD5=1DD5666125B8734E92B1041139FA6C37,SHA256=D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dllMD5=809BC1010EAF714CD095189AF236CE2F,SHA256=B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dllMD5=D0D380AF839124368A96D6AA82C7C8AE,SHA256=06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dllMD5=E70D8FE9D21841202B4FD1CF55D37AC5,SHA256=E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dllMD5=39D81596A7308E978D67AD6FDCCDD331,SHA256=3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dllMD5=AB8734C2328A46E7E9583BEFEB7085A2,SHA256=921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dllMD5=45C54A21261180410091CEFB23F6A5AE,SHA256=2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dllMD5=5245F303E96166B8E625DD0A97E2D66A,SHA256=90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dllMD5=3B038338C1EB179D8EEE3883CF42BC3E,SHA256=C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dllMD5=E20C50CB320A5718AE869D8EC4D460CA,SHA256=48C776F38EAED72CB05A993484F60CBFDF5AF59AEBC48E53481A997AE7DED8DC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.171{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dllMD5=A20084F41B3F1C549D6625C790B72268,SHA256=0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dllMD5=F6B4D8D403D22EB87A60BF6E4A3E7041,SHA256=25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dllMD5=C2EAD5FCCE95A04D31810768A3D44D57,SHA256=42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dllMD5=3B9D034CA8A0345BC8F248927A86BF22,SHA256=A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dllMD5=BFB08FB09E8D68673F2F0213C59E2B97,SHA256=6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dllMD5=F6D1216E974FB76585FD350EBDC30648,SHA256=348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aitrx.dllMD5=DCE3EB7544EF46AC53515A330E563EFE,SHA256=294871861CA38507F17933B82541C57A933387E1C005488621328714B9E70CE2,IMPHASH=05324BA8DBA2F7F54921D1E1399D861Ctruefalse - insufficient disk space 23542300x8000000000000000331216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aimgr.exeMD5=5F445A59044AD992D6DF9EAD44667C6E,SHA256=E168D56D206A87D76E35AE496BF7DB1FD74FD61DD7F69EFDB027B5747A79DA55,IMPHASH=424011358DD1AAD5934F75F5F889B7CBtruefalse - insufficient disk space 23542300x8000000000000000331215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.156{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.exeMD5=D93D25933F1BCA889DFBDA1E08727429,SHA256=AB110BA6BA8AFAFFE22A2593B3B47DD902C5B2098E3FC091DEC0C75FA1A46480,IMPHASH=424011358DD1AAD5934F75F5F889B7CBtruefalse - insufficient disk space 23542300x8000000000000000331214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.140{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.dllMD5=E56D6BBA605B1E1027B020C63DA4CF15,SHA256=68D57C421FD88414A5B6E6246C67F8888525D4D27769187F865ECEBDE96BA97C,IMPHASH=99573626A3A5A39DE438A64B06A314E6truefalse - insufficient disk space 23542300x8000000000000000331213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLLMD5=A43365F6C06BDE5E859D4DB55F5FC89A,SHA256=A9FD564F656489B0F1E9FECBFAEA2BDD7C2525E16B201289B9341B3FA9043B4F,IMPHASH=E4D8786075C493F9B33E075B460E1C6Ctruefalse - insufficient disk space 23542300x8000000000000000331212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLLMD5=0B71A8FE9BDDC903B7465AC6BB9EDDB6,SHA256=5CC3275F35E5A92908432175132842402BC5615F76CB2DC9BB581E14CAB3F77B,IMPHASH=8F8D39B3F5E980B1C8357CD620FEC836truefalse - insufficient disk space 23542300x8000000000000000331211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.muiMD5=47FB1A11E91DDD31B8C04D8AC5E18C7F,SHA256=4D4574BDF4D2646A9D135D99C2485EF405FD666E298FE305CCF84BED7DF90CE0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:50.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODFMD5=3ADB67C1709C263B1C5E21BE5CA87812,SHA256=E2FB6CA63B4C59A462C37C02C1F305D1C67C5587BE582AF7FB73DE88EBB1894E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.736{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4C303D25C6AEB023D8A5B201F36917,SHA256=E3423C0FE4E336CDDA77C01586F2D3A55CB80188C86205E5831DC7EE8C83D1B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.963{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DAD600D76B59F6CD3625CA1376A0D1,SHA256=2E67179BF1ED7040753B8A6E7DFA1DDF8CF94B71B8A8EBB15EA175767C189853,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:48.739{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B483-63D3-D003-00000000BC02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B483-63D3-D003-00000000BC02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.666{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B483-63D3-D003-00000000BC02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:51.667{45AAC21C-B483-63D3-D003-00000000BC02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.531{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDRES.DLLMD5=DA8DA6EB500E0FB1BDFDA712DA9A4921,SHA256=4A8C0AFD766640ECF59057F518C1B3605B110C3E7E944A0B8318209EA99EAB98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.514{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLLMD5=E0A33EBF1175DEE6D434E1D0C26C15F2,SHA256=F2894F8F5DA58464BAEEF07479F7AC6E924DEEBF609BC0121DD5BAE7091EE44C,IMPHASH=7FAB449DA81A525A6782861209DA7E8Etruefalse - insufficient disk space 23542300x8000000000000000331254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.498{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLLMD5=C0E6BB79680629D07C7DF3626F88B82A,SHA256=EC1BA7EA65BBF1D5C409E0282AE202482C32006F32F7F05032259C3F2B1FE8B9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.219{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dllMD5=E23B503C17F3A86E4FFFE4CB812AF4E8,SHA256=860D6F89AD9D15C4F037154EF4D91143185FDE12E8902A9ED7B388B9F7C711A4,IMPHASH=07E6A4F0B82D716F88468C60E15764E9truefalse - insufficient disk space 23542300x8000000000000000331252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dllMD5=B848D6DB59DE6A30C14ECA2AC554034A,SHA256=3426571973916707625A7E9B17D6189B336428E5B2165CB9B529B3E93C557404,IMPHASH=8D29984519A132DC3718394E5EA3C847truefalse - insufficient disk space 23542300x8000000000000000331251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:51.018{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dllMD5=7CD50C6CFA495F73EED621D6F65A5BAC,SHA256=5319ED59714EF0A5B93CA3396F5F36B3C4C9C2E09EB2C6FA318731E2E88F10C2,IMPHASH=EFB730F00D572CD52949FB7F29AB7136truefalse - insufficient disk space 23542300x8000000000000000331302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.644{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dllMD5=2424FE1A0C1B374760A6DEF7D5C6A396,SHA256=D47D0C262953BD17C0F4D9C4C84D65110BB4F7643915DCF0281917583DED923B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.644{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\adal.dllMD5=D4A01917B2E16FBB6B753077965D4AC8,SHA256=112700910CC8BF88332E6F7937971DBD6BE544D5B773F9C158C3F1772D48E84B,IMPHASH=792AD43B4F7A5D912D842C00406D74BFtruefalse - insufficient disk space 23542300x8000000000000000331300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rllMD5=9F6E063FC5E577D6D5F615022E78CC03,SHA256=900F4D978EC223C792BD16AF17BD4E791150E1E6E02FEC171699B579719CC3C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.615{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rllMD5=A0C096896EDFF388E32CFF01370145DE,SHA256=20EA6CD5B2AF1B15F8BEC38AEC8C09EEC27B510F2CB29A68B5B9C2984E4ADDE8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.605{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rllMD5=F624FF58ACEFD5E46C4FC3618B9DE8CD,SHA256=E7D605EF8400721BF07147D4BD12282A3AD2FFDAE5C78E0C6680B217A9BDDC2D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xslMD5=139C1262B5497AD24275B2B1CFB9439E,SHA256=E03ADA781FF2463B7F1E801B221B705A1854632740B08AE7CA99D2DA58F09FD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xslMD5=8ADDABEC57AC4EEE13EC50A6D8A3F6F8,SHA256=DB6C6345E95277C1AE5DFE3B175673A727FCF03F4BD2160FB18D657202CEE411,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xslMD5=A7C71B6EBA4A5F1EDC9ECF7E4F6E31BC,SHA256=2BDA2E3DD013BD941574D36A5D20680F6A723A8B68E088A32A875B618B342A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xslMD5=423B72635EBF8F7F41960AA91B60BD6F,SHA256=B2EAC4DC85B29A7E996ECB039BF8BCC146D8D42BF11390F34A4A0437EB5D80C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xslMD5=21D63F1CB061AD73CE2BDA2ACC9D299F,SHA256=250C56E4E7F555B0B3D99C1B1E3E6ED556C1A8DA79546ECB5DF38E442A652DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xslMD5=C3A33EF6A0C4B793D71D443312BCA0A3,SHA256=2FE08F0C8ABB32B6CBDE10B08A5DCDF7AABFFF8F0E2950A09231CE6CBD2CD1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.571{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xslMD5=CEDDC8378284BC196983CCCD1FD5FD8B,SHA256=B5BA9E3B259558DC049241BBCD5B375D201AEC73609C0095EBB30423A8F55925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xslMD5=FBBA19407C48722CF4E33F71B84D3100,SHA256=772509610DE7A549463E80F17C7F93C3491041BD4830CE56E026CCFB74CA0798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xslMD5=E585E1632BFC1B348238C7861CD1614C,SHA256=11AFD8719DDF8D86FED2C238883CED80A5E7ED4056C8B91DC8E52DDA8789A607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xslMD5=07817F87945C259A27537F904AC7D4CE,SHA256=4958924C76280F353FAA16E191B596867B454F5AF301CB1C420ED280CDBD4564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xslMD5=52449767449CEF651386A81FB888E650,SHA256=40BC6D9B6D6DAEFB182732DFB28CB29B7304780E2A28C24BB4E827795B1FF5F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xslMD5=1E6D16E1C46BF192BFA7338DBD7122C5,SHA256=B767A68FA7E73AB32058D77C4786D72D155117437F49CEF5E6A4518460669188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.555{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xslMD5=E7705BA3F0FB6C7F481F2DE537576A79,SHA256=E98A1A4F6D96F4DD6A0D30800E010845A3476AEF08E6CFE8A4233A56759CE4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xslMD5=7657CD6E4B01A396B99BAF6F5D52F222,SHA256=26C5A0FE600571F341FA4978A13723556E4953C28D4BFCB5D6D7BD041CDF07C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xslMD5=F7764EDB7A6BC223E07DF8C3674159AD,SHA256=5D80A0A30D78431191F0A18DA67B53F6E805A53715C6C8D5BAABA3425950495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrwbin.dllMD5=17B8973F45CF4CA09452106CD1170C9D,SHA256=16F8699CA839055D486638DE959131E7D78999B64A37C2B4CDEE6CE9C5D50877,IMPHASH=0148E6DCA799C1BD9A727A1A2C1F23B5truefalse - insufficient disk space 23542300x8000000000000000331281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.540{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dllMD5=5984FE7657AA78278C720942B40CFEB8,SHA256=3714B80BC052E1496D755B26B8DDFDD103D89230F853BAE4AEC5B4DB4571442F,IMPHASH=407C03AA22236D4A639F20F62FDB139Atruefalse - insufficient disk space 23542300x8000000000000000331280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLLMD5=1F5A7C7E2E38F0CC17CA5A2651CB6B8A,SHA256=2DDADF10254DA08645E9A8E6E440C37CFCEBB28F2409D6C35B48197BB5662380,IMPHASH=22F43DD72EB31E375D46843061102C47truefalse - insufficient disk space 23542300x8000000000000000331279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.508{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLLMD5=05B47A59239D8B475B131CAB4E332FB3,SHA256=0DB7A72864DDDE03BE31A8F768DBBD367AE4CD996E5560335F2E3D511D0C706B,IMPHASH=FCBE40B44E2B3DF39FFC1C44C19F297Btruefalse - insufficient disk space 23542300x8000000000000000331278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.493{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHMMD5=3481D198FDB7826746AEBA5195A4F701,SHA256=DC415EF73A1A923B15107AE73D44D7848EF8D9AECFED2D6FFAF88E9CA695BB15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHMMD5=7E9AFE12FA8C1CFA164789A720417032,SHA256=9BAB02384DB0E2CF6968E662673C11DE60B7E22C80317CC42822E72D1B67004B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.477{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHMMD5=11CC43E7DEBF7C5B86A201AB42507518,SHA256=B56AE972CE36A0A2484434FAC68EBBD692E27D34E389A0CB7E4EF0FFDCFE45FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHMMD5=5256D15E92EC519584547594FEBD1E47,SHA256=718441CD1D60A28B1DD0FF726F826CDB7EF9D230991B6F38248FAB680348AFFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHMMD5=A447359D734BA81AC475CD27EF0C71F0,SHA256=30B013E894AB44BB84168C1E7FB671604B5E5D03E90DFFAA29550B66F7DF2F13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHMMD5=4B660F9237E1493D442FF11687DADE37,SHA256=8A5D2E38D41F808E232E957F7EB086FCA6473D5A7344B4C391E6E03FD3A1561F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.462{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHMMD5=D8C6C38E086BC1C5D5A961C07211D2A0,SHA256=87D120D47FBCFE9FDE459F04AF45B74A81297B7654C26BBA9784FBF60BA6048D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLBMD5=3240C1965B654B7B9E747D65725AE625,SHA256=B90E4E7D54EEC34EF91F22D28B4AFC6CB7473B52FBEEFD8ECF179554F24349C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dllMD5=021D3EB1330AB59851E861F859D60C3C,SHA256=5272F386302F8BB5866ECECE59038FE2DB3482F3A869043C11C6A5AF1B28B8B4,IMPHASH=CFC2F0327DC56C2980B674F82058A09Dtruefalse - insufficient disk space 23542300x8000000000000000331269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dllMD5=F0EE922D8B0510FFF42007F3C764D682,SHA256=E3F90ADBA782F53175FCF68B8558D112C1D0F22075EAAEB41D8E8713EC6EF398,IMPHASH=B3F5E92AFF2BACF941BEACB0AE100699truefalse - insufficient disk space 23542300x8000000000000000331268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.446{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dllMD5=31CE620CB32AC950D31E019E67EFC638,SHA256=1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF,IMPHASH=B06D4116DA69A513992D529F84731E6Ftruefalse - insufficient disk space 23542300x8000000000000000331267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.430{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vccorlib140.dllMD5=3A2C18EF2DF37EA41788F50042774C22,SHA256=EA85134227C8E5A23A63D60E6CDB2BC38F925427BA75426A3BE33212435E1741,IMPHASH=E2C243EAA5D873A145FCEF834080DE02truefalse - insufficient disk space 23542300x8000000000000000331266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.430{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ucrtbase.dllMD5=BF5EE52BA36031A005B3D7B15F1CA090,SHA256=5A41249C27EF3253B690F95A0A86ABE2337C3405570602E7D8DFD7C3445FF923,IMPHASH=C060FE320860AA232972D941EF87C2A9truefalse - insufficient disk space 23542300x8000000000000000331265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.415{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dllMD5=D78692BA1D6E408E9C537C364AB998BA,SHA256=889D298E5D6C7E473727D2EF2EBB8F0FE9BBAEE2C44D994D50B5F737F02ED652,IMPHASH=3AFF9BCFDB5F61646AD6F51F0BF95223truefalse - insufficient disk space 23542300x8000000000000000331264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.383{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dllMD5=87DB170D633E177E2422835376A3897E,SHA256=50D04C19A2595BF10158194416E6A898E51B1D8D0C81FFCCC18FD97F31CBA854,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.383{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dllMD5=1A22AC29230FF06E278CF85992F48C86,SHA256=3A3F61F1D187142BBA9B37B318F6052A09743FF24FCDB3CEE478D1BC5C68D300,IMPHASH=AA8D086DEB6960B10F8791DF466A5610truefalse - insufficient disk space 23542300x8000000000000000331262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp140.dllMD5=0A0042FE544C91CD57BC2F7EF40BB974,SHA256=4190F0A1306257CED4975448794E1D42BE312E334FFCCFB4910A4A39CDE9DF57,IMPHASH=6042F1676A7711E459589EF169A5B501truefalse - insufficient disk space 23542300x8000000000000000331261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.368{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp120.dllMD5=E3244FDCEC84C99E4B60227EB3B70893,SHA256=81FBC2824E73F0D101D91854694A52E79DB0FFAADBB2A10DEAAF47B3B7F9B2B0,IMPHASH=6CCDA270A497A2C5A36A7F385CC9910Dtruefalse - insufficient disk space 23542300x8000000000000000331260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.352{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLLMD5=753F9BA3CB37D75F744417715E787954,SHA256=468B0C14F767EDD7C458943B89533AC8C2EA56B9A16FA6B6548D16E45E9E1681,IMPHASH=199613E25826809855841312107FADD3truefalse - insufficient disk space 23542300x8000000000000000331259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.352{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dllMD5=0BDB544A2DA9D3F59678A1742DC7B301,SHA256=9E932E426A6F1C62279546CA278CAD23EF55E51089309B2DBDD490A68D39F788,IMPHASH=EFE583F8E2C6348F7194E76C678D0EBBtruefalse - insufficient disk space 23542300x8000000000000000331258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSORES.DLLMD5=162DFAB696417870CDE16ADC03119381,SHA256=02E966C77B65709BD8DAF5B2C25B616A1BC2772DACF311FA0F328F9597F0993A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:52.810{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E3855888A59843AE269A2024F127586,SHA256=7000DE32C3862BF090483D70E7093BFE29B9BA6D5CA1931CD6CEB52005186C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.927{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dllMD5=B0B55B67509DF86928261BDA2EB8D0B4,SHA256=88D955FA2C4DC219876797111213BEFBD3F72D4061247FD9CE1FBA5C4124AD8A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.911{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dllMD5=DF0D356FE3AF695DB60449C59F751D26,SHA256=193E6D0EFAF5D76CE3DC6C8363F72A1FD5C044F0C07D5DCAF963C97AA0A4FDDB,IMPHASH=9B53B105990EE4CB51C94E5E67134796truefalse - insufficient disk space 23542300x8000000000000000331341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rllMD5=3E554CC78D949F6FAAAED7AD2637A880,SHA256=1AE16259D6D42A2B54DEDE93AFA39811E9B0960641D1111CB026BCAD8CF7BD94,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.896{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rllMD5=C1FCBB5048B3859DFE7C161DEDFE4A10,SHA256=158CD4DF8889464B85138B1906537AA1D3274FB5405E833F57747E7ADFF4AB5A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.880{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rllMD5=6F8A3572CC26E8DEBFE6AAD26DB88611,SHA256=F35522AE1AD72B5A9352D4411F68A59B361EAF4483975BF577D41449689C4032,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xslMD5=139C1262B5497AD24275B2B1CFB9439E,SHA256=E03ADA781FF2463B7F1E801B221B705A1854632740B08AE7CA99D2DA58F09FD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xslMD5=8ADDABEC57AC4EEE13EC50A6D8A3F6F8,SHA256=DB6C6345E95277C1AE5DFE3B175673A727FCF03F4BD2160FB18D657202CEE411,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xslMD5=A7C71B6EBA4A5F1EDC9ECF7E4F6E31BC,SHA256=2BDA2E3DD013BD941574D36A5D20680F6A723A8B68E088A32A875B618B342A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xslMD5=423B72635EBF8F7F41960AA91B60BD6F,SHA256=B2EAC4DC85B29A7E996ECB039BF8BCC146D8D42BF11390F34A4A0437EB5D80C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.849{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xslMD5=21D63F1CB061AD73CE2BDA2ACC9D299F,SHA256=250C56E4E7F555B0B3D99C1B1E3E6ED556C1A8DA79546ECB5DF38E442A652DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xslMD5=C3A33EF6A0C4B793D71D443312BCA0A3,SHA256=2FE08F0C8ABB32B6CBDE10B08A5DCDF7AABFFF8F0E2950A09231CE6CBD2CD1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xslMD5=CEDDC8378284BC196983CCCD1FD5FD8B,SHA256=B5BA9E3B259558DC049241BBCD5B375D201AEC73609C0095EBB30423A8F55925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xslMD5=FBBA19407C48722CF4E33F71B84D3100,SHA256=772509610DE7A549463E80F17C7F93C3491041BD4830CE56E026CCFB74CA0798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xslMD5=E585E1632BFC1B348238C7861CD1614C,SHA256=11AFD8719DDF8D86FED2C238883CED80A5E7ED4056C8B91DC8E52DDA8789A607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xslMD5=07817F87945C259A27537F904AC7D4CE,SHA256=4958924C76280F353FAA16E191B596867B454F5AF301CB1C420ED280CDBD4564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.833{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xslMD5=52449767449CEF651386A81FB888E650,SHA256=40BC6D9B6D6DAEFB182732DFB28CB29B7304780E2A28C24BB4E827795B1FF5F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xslMD5=1E6D16E1C46BF192BFA7338DBD7122C5,SHA256=B767A68FA7E73AB32058D77C4786D72D155117437F49CEF5E6A4518460669188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xslMD5=E7705BA3F0FB6C7F481F2DE537576A79,SHA256=E98A1A4F6D96F4DD6A0D30800E010845A3476AEF08E6CFE8A4233A56759CE4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xslMD5=7657CD6E4B01A396B99BAF6F5D52F222,SHA256=26C5A0FE600571F341FA4978A13723556E4953C28D4BFCB5D6D7BD041CDF07C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xslMD5=F7764EDB7A6BC223E07DF8C3674159AD,SHA256=5D80A0A30D78431191F0A18DA67B53F6E805A53715C6C8D5BAABA3425950495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.818{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dllMD5=6466F8390D4D442369C9B30DF659A928,SHA256=F9517E11076D58335930FC7E5CB4BFEA33D9E77F0B072FA2ACAD5C77DC874172,IMPHASH=284BED42BDE4BDE692345A681693AF57truefalse - insufficient disk space 10341000x8000000000000000331322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.695{72106695-B485-63D3-C103-00000000BD02}19645848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.681{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=44D06DF73A8912E7C4140BDF778908FC,SHA256=5E2D85822E6CD9E8F6A5AE8B7A939D52B21153B6FC21C6FA33A800107EC33C4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.650{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.650{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.650{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000331317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.632{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-103MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeMD5=6295696237F75EBC2A28CAAF2F6146D6,SHA256=3B60A8A32AE8ED4CA92690DE3380EECC4A78252B2B78136B7F18C99D40C4608B,IMPHASH=B7C501B0DB1763B6E65FA369A35BA4F2truefalse - insufficient disk space 10341000x8000000000000000331315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.533{72106695-B485-63D3-C103-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.532{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolui.dllMD5=B3FB16CECAA8E54B781E34676D94E90D,SHA256=3CF7C8D0E12B56C689FA72F5E7579D573E613D106F2D43DDB31A7BE7813E9547,IMPHASH=1D3D69C30F7DA842478095C1717231AFtruefalse - insufficient disk space 23542300x8000000000000000331306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.517{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dllMD5=D3C5DBF374DE47B6CDA4FDA258BA8D9D,SHA256=0B1F230A744C4AA14E72BC6C9E7975498E92AE00A1E32E9F49BBA03458B5C672,IMPHASH=07A8A527B16D80A9265DB6DAE31CA566truefalse - insufficient disk space 23542300x8000000000000000331305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.407{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dllMD5=DCDA79FA2E818184FB3B55B439108F8F,SHA256=151927A027F7FF25614168FAE0A43D46AD5030D282A7973A20171132A6486EBE,IMPHASH=9CC2EA448CD361CBF1ECA8D46B8796CAtruefalse - insufficient disk space 23542300x8000000000000000331304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.313{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dllMD5=8BF3BE0D1F4D9EA13BD4FC8C318982CF,SHA256=C900855D2C0EAC34C3E2CE7C8CA1CF115C868B5A0B6007A701B94CB1636AC8CD,IMPHASH=E7B824C8CBE2DE1DB10DFB572F6B20A6truefalse - insufficient disk space 23542300x8000000000000000331303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:53.096{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A402A7B55072DD990C14B68976AB75F,SHA256=C9A0AF3EE70EC74F439D3D465287BADD961F780F09CF4E416E4367D249A476BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:53.071{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79684960D065BB38A78376E5FBF4370B,SHA256=A89C761F1746EBCFA04D8E4928B21E5AA4BB8C0CA3A35C858953A24B1164C01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:54.170{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6088D4127C97C984C91DA7F82EB3438,SHA256=5E661DBD4CAF0037726EF91C5B2D5CDF22A1CBFD18B1249B1006CEF258FE4877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.714{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B486-63D3-C303-00000000BD02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.712{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.712{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.711{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.711{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.711{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B486-63D3-C303-00000000BD02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.711{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B486-63D3-C303-00000000BD02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.711{72106695-B486-63D3-C303-00000000BD02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.633{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.629{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeMD5=4D48E8A63822ECCF4A0449AD4ABECE70,SHA256=205869D72E967518B3A763F07FDFF693F60E4FBE33E3AAD792311D581E756414,IMPHASH=244E6D305C0F470BD32E301DC79E8FF9truefalse - insufficient disk space 23542300x8000000000000000331358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.624{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dllMD5=E55D19FC8B5B4589CCCD40BDFFFE13AE,SHA256=A10FA5E7D1B3D9DFCDE0365687F64D70E0F88A46C9B069E912004440CDF10170,IMPHASH=75C610D0251B4C64BA567071C76C671Ftruefalse - insufficient disk space 23542300x8000000000000000331357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.621{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074BE4782055F47372323C26ED483F47,SHA256=1A5C8359678568A03EBCBDB9C842D19AA653E38FF2149D1263068E89839B5BAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.617{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dllMD5=8ED83500EBE958D320CD6F563C7FC9A1,SHA256=02C913AE8761E078C153EA08F364C7F0F57272D5567A11598A6506797DFE640B,IMPHASH=B8FB0D9768FCF2842A130464DE8F8C56truefalse - insufficient disk space 23542300x8000000000000000331355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.518{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dllMD5=6B1B6E1EEC17F5790B1C58E21E8FDBA4,SHA256=AE5DA9A27D6F8F562367DA42C3660112FB6724F6538555AEE7C491CE9728D53B,IMPHASH=A1F30184B76FEB3D852679BB818DAA0Dtruefalse - insufficient disk space 23542300x8000000000000000331354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.442{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dllMD5=90F4156455A04634CF78D916B5EEEEC1,SHA256=148D6835851E462E7BB570D53A804C26A017E42F20EA12186C86FD0B73727152,IMPHASH=A33203DAD8E43894D6D5F02F22DFD02Ctruefalse - insufficient disk space 10341000x8000000000000000331353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.426{72106695-B486-63D3-C203-00000000BD02}59445588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.364{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFECB9503F5C40892E5BF03542FA7BFD,SHA256=35B017BED800B5E04CFAEC07F24139591B92E71C7C6AF959FADFDDE116B7DE49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B486-63D3-C203-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B486-63D3-C203-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B486-63D3-C203-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:54.208{72106695-B486-63D3-C203-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:55.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F924AF734858821896AD561A3D28DC,SHA256=81075E301984DACD50CE6444713040BC0493CE290ADFB3EC3ED9B000CF8DF86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Tools.Base.dllMD5=611D05ABE991D60538321BAC1EDCB45E,SHA256=EDB2B2057E0F2D5600CFEBAD62BD41FA1D519B51986D05AC7EFA21816A15A0CD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dllMD5=9E25194405021B071AA4250911B9AC24,SHA256=39317551B4EB490E1E681B35ACF53F1BCD2B9F1E5E4EDC4C7C421017A12F4BCF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.983{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Base.dllMD5=3EBF9820B29215651E83C846479111A3,SHA256=32D3DD749437B12FFF4DA38382B94F31C05782A8485FF724C3D39B3FB88F85E3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grouping.Base.dllMD5=E6BBB33583A7D5DABF7858C8BB7F5E77,SHA256=692F8C61A730ADABD1D9E6CB38361CDF4EC21AA9AB7B910818C62517FB07DFEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.936{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Windows.dllMD5=DFC2486C5EE6A044CA3C0FECA08568BF,SHA256=A25E8A1BA998ACBC033EC26621DD494D416C9F1900415C52059DABBB9D3E199A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.905{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Windows.dllMD5=3B8CD57CE2EE8472B38156A2FDBAF836,SHA256=92E700EB15E1F963A8C3AB2B62C7850509FBE2D460D1F3181F9DFC30F555D68C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dllMD5=937AA3E1A58327D7DE1351BD9FB33260,SHA256=C53B8AA5964C18B7F7DF9A1586C635DC956068809D3F6E39DB82BF67383A4A30,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000331474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B487-63D3-C503-00000000BD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dllMD5=DCB7732D9CE4B9DA01F87E52FCA832E0,SHA256=5EBE7FB7A4480748C6D443B591D354318BB63D8AE4884828DB8A2F3FE963A772,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000331472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dllMD5=DBD87246BE14DAB47FCD1D9582D0E908,SHA256=FE0B619FE610062366FA85320A931E4893F8AB29A7DF50C462AB04998A482383,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000331469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B487-63D3-C503-00000000BD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B487-63D3-C503-00000000BD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.894{72106695-B487-63D3-C503-00000000BD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Compression.Base.dllMD5=ECB6BF4E7AAA463013189C69BE114040,SHA256=CDA22A92DA1FA1EBCB3D782DDBCA9A3326458757645A2E7E8A9DF7B2104D036E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.889{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD16C0673F667DC0F60A123A95A60B2,SHA256=6442BA45F35C6561FA6633EA82A51B17749FF6A9CEE52B4C04CB7F8A07AC33E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\stdole.dllMD5=2878E2CEA511AF5562DAD618218C632A,SHA256=47C51A34D74F03ABBAD26DB22BA84B47022820E9254A4ECC8005BBBF580CBFA9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dllMD5=7C06F693D09CFCAB10249D312C14F45E,SHA256=6159634B94331B60BD13839DA03F6813E2E34DC4E80B9DB67A05CC67B8B0D65D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.873{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelAddIn.dllMD5=5D47A9D535EF09CF2CCB16B2C8B26573,SHA256=7D325A198AA5B8C7C4C97BF5C70A3B864A688DC774963C8124DDBCF4CFC86EF0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.Diagram.dllMD5=AE316D9D35EB365BB1C33A5A02220E1E,SHA256=8354E14AE2C5D852EE529C0C194D170FE4FAC77CA96AF45B91DCEA6BF6D623E6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.858{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXEMD5=ACEF67C292EAE626CECEEB7B09EBF698,SHA256=BCCDFC24B632B60BEC1F62222DE46CB3FC8A69F1847BCC7401520FADDE81DF3E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truefalse - insufficient disk space 23542300x8000000000000000331457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\office.dllMD5=FF557FD307B6C32CD3A3EA9FC9FD60D7,SHA256=E0FC3E5BC4F5B26FA6DD9248381CE2731652220EF9E029968EB0765DFABEFA3C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.842{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Northwoods.Go.dllMD5=9315264A60D65305FFB9BC361E9388CC,SHA256=C425A55A2617962FA32B411ACC7A2B951D91FA1052EFCF0980A60823C15A15D9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dllMD5=81ABEE51001A86AE3C28AAE74DA878FF,SHA256=7A600E261E837916639E125367541D245138E532EEC7798A80A81597CFE4580D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dllMD5=9AE4FDA5F6D2FF52AAE3F3283B387D30,SHA256=6CCF33CFA5F1AB5618D357646760B6018EA37D9DCD90D80DF3D2306AA9CEB2AC,IMPHASH=9F2DF82E612E00E042854C4935E05739truefalse - insufficient disk space 23542300x8000000000000000331453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR120.DLLMD5=1A22AC29230FF06E278CF85992F48C86,SHA256=3A3F61F1D187142BBA9B37B318F6052A09743FF24FCDB3CEE478D1BC5C68D300,IMPHASH=AA8D086DEB6960B10F8791DF466A5610truefalse - insufficient disk space 23542300x8000000000000000331452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.811{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dllMD5=A20CD59E25541AA177E11C106A465F6C,SHA256=597EE76F971FB97AD80DDA32DB34B655400DC4233EDAB07438347C7D54BDC073,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.795{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Excel.dllMD5=2A98F9B4A1F6BBD574F954E8E279EE3C,SHA256=1EAFB5A1A8104EFFE8D18D4E31A1F1C299FD296E2CB312FEAF7E719797C53E3B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.780{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dllMD5=788FBEB87465F068CE56FC162856A406,SHA256=7AA3EB0A8E9B44F8CAD0A33E7F4D65D1D24B5078D4B90A39BF4E79A6C71B4147,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dllMD5=00D44068D5998B6EB44067C3CB434CB2,SHA256=80375AB2197D4B8E8E9DF1FE7444AD8D050762595EA3F43EE5F2038CFECE9A48,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Inquire.dllMD5=2FC3109762ACF3641DCB1187C8B3DD0D,SHA256=042AD9D100E44BEF1BFD4163BF54BC3FB646D560DE5CC7484397B4C012923CBF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.748{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.v11.1.dllMD5=9C9429BE3E84B071239BC8199CD97D5D,SHA256=7550DA2B0699879AD0552777D6CC3499969EAE9BA3E76CA4518D73DC82B41207,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.706{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v8.1.dllMD5=D9092DD6B5BDD6B68276FC57333E60B2,SHA256=47F4A3F5380F7106338C083C9C7E07A0FB92CE8374528ACEA6705AA0AB46316B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.690{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dllMD5=C1C1F24BB22E6AA1F1A7416152150172,SHA256=ED6B0A3421165F2DB655D9C70236FDAD175C0F1EABC8A81C73B9AF1833BB7DE0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v8.1.dllMD5=95941C315819B7F6D757B32E00CE4892,SHA256=7C6EA7275F9215A4B7C3E3528E8E101B7493348A40E0D7CB5DEF4C819BDAEE61,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.640{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v11.1.dllMD5=91B690FEADF95292AB8EE8B55F1BCCE6,SHA256=A9F876661D9E70FCE1F4B35BB67C042F48E88014CDB0F3D082650F49968C7D5A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 354300x8000000000000000331442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:52.375{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51003-false10.0.1.12-8000- 23542300x8000000000000000331441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v8.1.dllMD5=65E2E513D53E2D603A762CBCB103A9D8,SHA256=556B546B885FF24D1CB6B09B7CFFCCFDE082C56DBDADA7A4583A065F812B7C92,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.593{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v11.1.dllMD5=D87597C8E17D066BEDF9F504E6B4CE99,SHA256=944D9958F8A86D1EA682275AAFCA2C5719EDAF9DAB51EDE3CF062C745E8C596A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.592{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v8.1.dllMD5=5D1D2B68186CCED158D152E26CAD6038,SHA256=2D37AD8FD0303C5764908776ECBB88D1D5928076AF1CFF1E6ED7A4687A03BA85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dllMD5=80591B79DE77F57F05BA7CBE9C856257,SHA256=13C1A9C1C528B94651E1A7E5281F2464753611B19502B2F4471CCCBBB555AEF8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v8.1.dllMD5=CCDD4AF4AAB7B55A288A5C538B20AF95,SHA256=C9FBE30D1B08B828A06E8F02062964F05918F359CFD1939852F9919638965296,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.543{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v11.1.dllMD5=DBD06CF680E8C5C9697B54CD53E97A74,SHA256=1C04FE49F195953E642E97B2D5058D335EC973934ED886D16319902E5A4B87B8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.512{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dllMD5=9971086CACA3CDDB16BEAD52BC9EE92D,SHA256=140463E447E6C3DD773F198D49C54FEC8C74AE251D9EAD2C20C601B555358E57,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.512{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v11.1.dllMD5=86E7BA8D5D0FC9189DD5ACB2586E3318,SHA256=F9622A7A6B56C3CA252772421E13FEA757A34729B5F815090D6F7094F6A284A5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinChart.v11.1.dllMD5=E4B67E6EFA52F9B47CE28B91433E8019,SHA256=8C62794AC61D50CF145CD73AF6662B8129F0591917103B9510431DE299EDABC7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.481{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraChart.v8.1.Design.dllMD5=AC1E2F991F9C1D4EFDC7DD23356CB976,SHA256=215067704245DE86A3116A3D324FD1F506B3C836F9FBAAADDB5F1574DFC2A1D7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.450{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraChart.v11.1.Design.dllMD5=AD9B4A58B321320ECF16F43D3E3B1FFA,SHA256=6BBD4A0A43BB7C40F85022F511EC962F956B96AC2EAA326BAEB109F463723D00,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.418{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v8.1.dllMD5=B11320EC9CBB58C435E28D75584152DA,SHA256=0D69B14267D46F401A637D9C93D7BF4712DCD7A2123EB4790F3A151F6AEBCFD0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.403{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dllMD5=E2F4BAE1E6FC67BF63DD27ED10B8A34D,SHA256=28AC4D99E7B800A39BAD93D478B55B50634365C9F58CB5CB96D86C15A0CBFFE4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.387{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Shared.v11.1.dllMD5=ECA37643C0FCDC79383DB17AA749CF37,SHA256=43D6D97CEF01FEB0187608A3B10296F9E57301F344C3CCCD4C0F6959DE59A4C7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exeMD5=8CCE931C0B4B72761FEC3D829E7E6996,SHA256=EC6998993426B38DCD248081DE7E42857FB6BD18D967164B5658B4F282409B6D,IMPHASH=F36488DDDD78A5EA48F17E839F1D5BE7truefalse - insufficient disk space 23542300x8000000000000000331426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txtMD5=FA69D6781CEC281949DBBB3B82E97642,SHA256=CB5EB0E41CC572C405707748889C308DF4B577F293A95E3B59A3F295420767A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlcMD5=E75DBFF1CAC35FBCA427712C7C8C8854,SHA256=85B06158C3F6DF9C4641DAC9509E2FCAD7E7EF83099C65228381743FC53D6B01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DocumentFormat.OpenXml.dllMD5=A1E6A470883B0DDC6F4039A9C336B142,SHA256=732245A34996CFD7C0F46AE924FF33F900B5D2419089EFEC9FBBD103B47CDBA1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.293{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dllMD5=FB0E308AEDB81D676F9F0BA6D8940788,SHA256=EF07E65F0A4CBD3C31CE4745C8BB7D9633635F6D3033D4FF8406F13387EEBAAF,IMPHASH=14536B0F6515EE37EB1F650955DD8F6Ftruefalse - insufficient disk space 23542300x8000000000000000331422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dllMD5=0576A146590E3FDC6597B5D6DCB3A82A,SHA256=EEC44712D7343F2ADB4BE407BB0C6B782DD3768ED9EFCCAC316899CC245AE7B0,IMPHASH=EB0C2AE12BCEA3E636E68BB4DE5A56A0truefalse - insufficient disk space 23542300x8000000000000000331421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXEMD5=00729EE43E81755EB702F88724BC2F00,SHA256=4E0DA381EF6E9ACC51F122EA53424B136CAD9C6B1F6A0F9C1BF6BCA201ED9D88,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truefalse - insufficient disk space 10341000x8000000000000000331420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B487-63D3-C403-00000000BD02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABB0234686DF6BD6FAEDA2D1E650470,SHA256=075FA6204F821753EC5A62A21D3FCF3FBC925C86EACCB112A64377905A796B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dllMD5=7C4BD8DB30DC6F9F19DB21D6B261DA79,SHA256=E3812C2FECA1A2B75941E935BB905018B313401D7D17D2A875DA3F3D06398B1B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000331413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B487-63D3-C403-00000000BD02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B487-63D3-C403-00000000BD02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.279{72106695-B487-63D3-C403-00000000BD02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.278{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exeMD5=8DC218AE02011B50D38E39403C3DEE7C,SHA256=1DDBF1A93412519CF3B1AE1C7034CD1638049969BABD97C64CBCA50EADCAF6DE,IMPHASH=F1EB4C93A0A7B69A04DD23F5B7C5D966truefalse - insufficient disk space 23542300x8000000000000000331409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dllMD5=FC04CE80FB95B7776BCD5BA02F4AE652,SHA256=EA8DF691A5FC332C4C2FE1E0E75729DCB48559AABE0129ACB3EA42A3BE59F7D5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dllMD5=6699E20ED895661150724B01E891E386,SHA256=AFECA811667A56829576D1CE92E7F921A52216ECA2C0CE5604B2CC4A4973C3C4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dllMD5=6188789F85E4E7FAEA802B2B655192B5,SHA256=34D84EB239F2DF69CA5B37D188E4637BAA9355DBE95B548588341FE1D5653504,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.262{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dllMD5=75E458C6816622E83471626163127606,SHA256=8EDE52D9165CB858E02BD3FEA25040E0193BA9F11BF7AFDC2C3E3338EDBCF7A6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exeMD5=505BDAACC400BCBCECBDAAAD075CC562,SHA256=654E4196D6835C8C9882D2F81F4BE02A047A1E5C8F82DA319536C9763EE3B19F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exeMD5=4AC1DD2A63E82AB5A2808E1C8503163E,SHA256=7D3CD311CC0BC90440359DAFEF5340B368F499D471CB75A09F04042C13CCC292,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truefalse - insufficient disk space 23542300x8000000000000000331403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dllMD5=22E2438AA3C965129151C11A677BB1A0,SHA256=EA61E9884A567515514CB05C34193FD3364ED5D0A907F79152C668E19CEC81CD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dllMD5=2FDFF6452AD26E62A83A094EE7066FBA,SHA256=EBD8505BA0D7D81AA9D3671FCCABE141590A262947895E1F457893FB744754C1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.248{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ClientConfiguration.dllMD5=3DE0864DE0606D3A8C5DBFF685A8C405,SHA256=08C45393167A8412E0489463E34F480AB6A85F9293C349DE1B426EC994AF6867,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.AuditItems.dllMD5=81C87CDB889B8021E948CCFDA9C9A9BA,SHA256=9D785FFC8BABBE82301075ABCB436B55DDEC142CDD842DD41BB171E9CDDA6472,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txtMD5=30A7CA3CEDA3D36F0E3BD2B51DB0BFB4,SHA256=E5F94494CC73F6277D7E0ACA0FC0B55B9342843CCFFC1F4B51AD119AC688F54B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlcMD5=F6BDEB9478F3893C4EC45F428B3867D5,SHA256=DC14A50B1CD6E58C4E7FCFAD5258270895F445A02F93E224EB54BF2BDF76E443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelServices.Resources.dllMD5=44379CB9B35565CFA3F9F307FBD88D20,SHA256=570D02F2592F0DE7D26A67298278C941AE3CE13CFF53FD3F476F0B883C36C41E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.233{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelAddin.Resources.dllMD5=76F18B3E20EEC03A48F9262ABBA167ED,SHA256=F05B6748902FAD094200B78878C8D5814BF3B40951979AC9BD9BFBC52DF62EDC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.223{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.Diagram.Resources.dllMD5=58748D65E2372F1B0115C090FD84AC14,SHA256=56BE7618BC054F504714F5D5D80C32DEAE4106579767DED5C4503CDCE1A9FE6C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.221{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_k_col.hxkMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxkMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.220{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxtMD5=5AC1958579D08756FDEDB946BDE3221C,SHA256=1898F85E6136A95BFB45AEAC310FBEFC647F7B286F697526CE5296DF5AB64D71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxcMD5=BC90F9B9CD21C20505905F3578A7251D,SHA256=993CD231F1609F40F38B2D94B4304F00B3929E55176F59F62A504CDF8966B5EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxSMD5=3EFF8200E992C1A8DF43E0F6458B81FF,SHA256=3D9619EF6B3199685C888868DA2C3E55ABDED9F91011202D83A7082950685296,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxkMD5=DB9742E49C49C505B293A84518E95FA5,SHA256=1C17B95E5098ADB0C0E06AAC8A8C7C50C6A5EF1B696465D548C8A922F1D3A653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxkMD5=B8FBBC73DDDE31636552AB184B4E398F,SHA256=3C3702253A4695B5BCB18A2565B1D49F9F32F5F9F2442FD1395197970FA34EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxtMD5=7A0A9E16BB4C03ACB2BB61E6048F6685,SHA256=A6C10BCE78849F5B27125DFF8D99AA5DB8144B0A6DCA86ED93EEF3FEC2D2EF1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxcMD5=0C0AEAD8A1877247B896303B840D9E21,SHA256=C393E8A88C65D92863F0983B845A6E44381894349EFB9C56841C32C3E744EFEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxSMD5=5DC8AEA35A1B0CCA36F6CDEE5CC72DFA,SHA256=7AE50188C110AA14C8BBC997C0BEBE2F4FA8B12C6E573DE154A29B96E6C5C562,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.PasswordManager.Resources.dllMD5=9C16B8A38F62C7AE984AAA6392EEC3FD,SHA256=797E7E6C9FB1735A87B7E917B734A38A9DC3EACE85FD918D9F5C5D75A8C04E2D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.204{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dllMD5=82F9617C6CE00AA81B7ABCD13A4F3DE7,SHA256=A23E9C42E92D1A3D2862A017A3128601F25DD147940CCE27549C1D4DB404A273,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dllMD5=E551C5B9CE998BF4C01CCCC70E2F1EA5,SHA256=A91A7C59A82E8DC4D665274D110E9D336F6D50416E929B3414C5EF7CE678391D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ClientConfiguration.Resources.dllMD5=4A22913BCDE3CB5626900781B227EC24,SHA256=5EB882861CD94B787AC06A5D51550FF76FA5503C385091B3234250C7B5177890,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.AuditItems.Resources.dllMD5=E42A0BF77843ACFC014E5A04CB866697,SHA256=0BFD378833E2C1BD37C4BA138233AD8530B543F4C14012D6CD731D43A7E93563,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\NATIVESHIM.RESOURCES.DLLMD5=9196CDE49515BFA068E1587F2820CCD1,SHA256=3A68D8C08BEF28E50FD3A73FD8A4EFDA62BB9B20563E5482DB88E0511E7EF788,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.189{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLLMD5=6CF49E181B6B754FD597808918FA1DA2,SHA256=EE2DE1640FC0C428FA0A11AE87CE289C30D05DF729BF10AD89006B2CCBCAFFDE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.173{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHMMD5=B372139B487135F7C8373309E664878D,SHA256=6D1F3A955B057FAEA65B580D16C31E7000A7F75A2A49C244E367FBCDBC4C1E59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLLMD5=8131283514030D8341125CB84A17C06F,SHA256=9C003349C9DA9FF682B1DC24B31CD64E1B3614C5F8188808BDD764A3D76B5867,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLLMD5=6C0D565AC8FFCDDE9648F8537CF6ABA1,SHA256=09C9411BDE0936EE13796FDB680D8310FB69B66D6234917DAA9DD09281B983A7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.159{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLLMD5=A11A45D3ACBD9C8E941799AFCADA53D7,SHA256=CECF5DC9C07A7166A62D6EDC108F304D215179F33FC7AA3BB5DB0B31819C1575,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OcHelperResource.dllMD5=CF531B0A9E6362C821E2572F86D48CA2,SHA256=EE60673E132A6AC42D932064C39F2EBD3CFA922BA7E70FFC18C2C91899B847F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\MAPISHELLR.DLLMD5=44EFA73FB173CB3D99905B704DAA80EA,SHA256=04DEB18AC7E72A7E3769E0D53C444D86A9D5CBCDD2F29A4A673D18C0915967EF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dllMD5=C5A96674E7B7228C8F3225E1F5E50E60,SHA256=00AEF445F43744508E3D1D52C6234ACB31FAF0DC07E0286E03A27CA9B1A83239,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\BHOINTL.DLLMD5=16C4BC9B52DEF0534D29CDEE34C35469,SHA256=96E8D6CFE8B2226A98C322338E5959A6731A8966B532C0D0B2300F403F46873E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:55.048{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dllMD5=3C2AEDAE76F56E8BA5ED2F6C02C992D1,SHA256=6FA34C1D5D94977962065E42B84714B7BA5C8CA80C1877058F013445EDD86266,IMPHASH=43F401F99C13057B0ECD2E79345DC354truefalse - insufficient disk space 23542300x8000000000000000331588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr100.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36,IMPHASH=1208BCDC77CFFEE6A6813646321CFC79truefalse - insufficient disk space 23542300x8000000000000000331587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.984{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_codecvt_ids.dllMD5=4266E7BB9BFCE998083D2F4F938B11C9,SHA256=E1EE6D29E30708AD5812035626BBC1058EA12FD5503D5A79D28C9CB67FAB4A14,IMPHASH=536E29DAE203B5F7347030AEC0CBA513truefalse - insufficient disk space 23542300x8000000000000000331586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_atomic_wait.dllMD5=BC3FFB90A2C1D810B7B4C5BC5323EA82,SHA256=B3C793966C992A1489CCA247828A2E33790F4ADAD51F1AD04033F0EB5B09FDD5,IMPHASH=C1DFD2E42294117CA33D3C6B21826F93truefalse - insufficient disk space 23542300x8000000000000000331585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_2.dllMD5=84269806DCE633E56E492EF060FA8F88,SHA256=5FCA695ED2CEFEC010D546310699226EEF4B305DF38CBE3DEA2FDF9494ABC163,IMPHASH=2F8A18FEFABA28C3707DAE8605D51B60truefalse - insufficient disk space 23542300x8000000000000000331584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140_1.dllMD5=8AD9C7CFFBB2413F4D5FF9F3AAA1A69B,SHA256=18AEF42187072C35B537BE80E3B2DA7CE4919B2C9574ADD19409D98E3026D916,IMPHASH=C1687527A3D5B7532FA653F66EBA12E1truefalse - insufficient disk space 23542300x8000000000000000331583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.969{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp140.dllMD5=CB75D6437418AFE1A7B52ACF75730FF1,SHA256=7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1truefalse - insufficient disk space 23542300x8000000000000000331582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp120.dllMD5=46060C35F697281BC5E7337AEE3722B1,SHA256=2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848,IMPHASH=D0A59246EAB41D54812CD63C2326E1F1truefalse - insufficient disk space 23542300x8000000000000000331581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.953{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp110.dllMD5=7CAA1B97A3311EB5A695E3C9028616E7,SHA256=27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD,IMPHASH=AC5237467F598A9A5B370A14ECCC4DC8truefalse - insufficient disk space 23542300x8000000000000000448133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:56.349{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10762D974CD0EEFFEC3EA914059C76A,SHA256=21D3B7EBAB95901A8E31D4EA8FEF617089437847B2B68444EB5D14D64E8D6D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.937{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcp100.dllMD5=D029339C0F59CF662094EDDF8C42B2B5,SHA256=934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C,IMPHASH=9A218D1EC03F40ECA74839863A511CB7truefalse - insufficient disk space 23542300x8000000000000000331579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.924{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\MSCOMCTL.OCXMD5=E4FDD31405AD94D286FD1ED9459A19A2,SHA256=9CD6DB326FF95989994D4F41265A3BA7C62242AD7DACEC6621A74DDC0CBA8B9A,IMPHASH=1AFF6888560FAD03E3CEF388EEFF2F16truefalse - insufficient disk space 23542300x8000000000000000331578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.908{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfcm140u.dllMD5=BBBA50CD81EDBB8390569CEA9283C244,SHA256=D5C82971A53FBF97A02E7F85ACF2C1463E2B7C43F3AE05769860E027B08EC9A7,IMPHASH=A00A23817F42C86F3BE22027215382ADtruefalse - insufficient disk space 23542300x8000000000000000331577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.904{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfcm140.dllMD5=9891103CF2A71B9D756415FA9D63BF07,SHA256=C50D50043D747C1543F47F8337D80CA34B7B0AE778BB15C572006D81C498DFD5,IMPHASH=869D47EE2794D605357F7919B0371FFCtruefalse - insufficient disk space 23542300x8000000000000000331576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.888{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140u.dllMD5=587C85228848E52AAFB3863FF1A6F2B8,SHA256=BFE1547439BEBFBB7A46F292BDEDD8213315E98D778D969225D2EBE2D93FE297,IMPHASH=B4F070F0028C97D4B44509B262314B3Dtruefalse - insufficient disk space 23542300x8000000000000000331575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140rus.dllMD5=6028931481FD8CD2A161A98596D26D47,SHA256=DDDD9A69B9059C66600F0C15E14D09569E82072818064616DF07D7865FA594E0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140kor.dllMD5=8A8D5A2A15BCA698E3F4C0DEE7F3B68A,SHA256=4B21528E14F37DCCECE9E48A21FEABBB29726FF046389D71BED686F02C714CA4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140jpn.dllMD5=2CAC6E0CFCF97D23CB01A43B668F65ED,SHA256=E6B48070B2AF0A72BAF0142E3B22A18C5DECA2E1E7991DC26D726E32AEC719C9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140ita.dllMD5=DCBAB91E7837A2B16C41273FFFB80FE5,SHA256=11F0051EF2D02242B4DCFE56234C080454454CD0F096C2EBCAAD45F753899584,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140fra.dllMD5=55B1D60E26EEA0D3882C4F90D777C37D,SHA256=89B6B5DBC83CBE80157C2E9ED18C3AE1BC8BEB46D23DC57D09829FBA8EB757C2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.826{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140esn.dllMD5=E888C2B57D77A7284ED05D6717DA9866,SHA256=1E35F8699CEB177773D748DC58CD85383C881E6727CC142786FE29526DF470AF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140enu.dllMD5=73E5C40531CFED728EE19252B7FCC759,SHA256=F2879BE967A4D5BC101BBFD9A2412F6CD1371D55817E7E0922F73C2210734583,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140deu.dllMD5=FE4A0C24C949163A1F2A4A7AB32E6620,SHA256=DF440389F9AA8A2C6EDE74A275A86AB14DA4975E237F455405D444FF54D59557,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140cht.dllMD5=06EC4276F956F1863F0184314C765637,SHA256=9113E55E260AF6EB6D76EAC8D22280EAC950F329BA767DC2D80E5709C663C455,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140chs.dllMD5=733F18E298F48AC76659AB9F579345DA,SHA256=C2258825DD172AE2F1F36C7FBB8D395D2B523FC8CF6FCD8354D65C6C85286CB9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.810{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140.dllMD5=5F850F10EEBC04C0C098F2362CFA2270,SHA256=A15850446B7880C9DB9AF1A960E19D97DBC5BE9409915CA76207ECE0C5B5306E,IMPHASH=AD02F132E98EBB70CEA0B7ED4D9964F4truefalse - insufficient disk space 10341000x8000000000000000331564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.795{72106695-B488-63D3-C603-00000000BD02}55201664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20ENU.DLLMD5=A5796C36D8BD407DEE6BB1FDAEBD95FA,SHA256=1D1BD95B849BFC6E9F069AB0C24C0098CAA5DAC5C4D8C49901C5F3DCE876AE76,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.750{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20.DLLMD5=57F0E032FA3CA9567210EDC3854054FD,SHA256=F28531A21A7FEA149D3CEFBDA44C3B63EDE42692FDF128284E18389E5FF9872C,IMPHASH=380129977EB4E8B0E45ED33307E8C610truefalse - insufficient disk space 23542300x8000000000000000331561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.727{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\concrt140.dllMD5=D1BA293F1D7BD7B38DB8953821D42E9B,SHA256=B3FDB569B567C2B82369C1DBBAC1B6C5BBD74B5E03D2357491985BE064DFEFF7,IMPHASH=5F9B23BD4B0029001F687A1AD625BE31truefalse - insufficient disk space 23542300x8000000000000000331560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.692{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\atl110.dllMD5=FE00086A2FC935AF640C7F302C12FE89,SHA256=873D57E5CD660D49B403780685E91B6E3BC9E65B6E59435E0C5A5DFA1DE0422C,IMPHASH=8CA7AED35B720AAC9EC88ED55BAD59B3truefalse - insufficient disk space 23542300x8000000000000000331559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.684{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\atl100.dllMD5=5A55E3E6F53592F8170623DEFA2B7954,SHA256=B524543192E78A2C97D3EC9AA0CFCBBAA308439D3A33F9A1F4EDFBD3181D7919,IMPHASH=AA9299515F154AF30B53DE8ACB647CC4truefalse - insufficient disk space 23542300x8000000000000000331558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.671{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dllMD5=B75AA976DA5269657A33EF17EF2838ED,SHA256=75183FC13C0A1E45B24A3AF96A361E419A122F0FE1EE9E9B251886274C2FA14D,IMPHASH=D03C3B1A366B52733F0A6088900430B5truefalse - insufficient disk space 23542300x8000000000000000331557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.665{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLLMD5=1539045753EE0F22E9942770D84BA827,SHA256=8A982E5C63AFF87084208A87F4B319018B52DD8134131037AA6CD2A0A738CF82,IMPHASH=228C90277BA5CECB341FDA69F67C24CBtruefalse - insufficient disk space 10341000x8000000000000000331556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B488-63D3-C603-00000000BD02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B488-63D3-C603-00000000BD02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.577{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B488-63D3-C603-00000000BD02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.576{72106695-B488-63D3-C603-00000000BD02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.497{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLLMD5=E1E478801AEB7A94A0345F47AC1EAADC,SHA256=E37957B153B5BA531C90AB29DB292097B87334A87AB6C8EFE8EF083266C68A86,IMPHASH=E1C99F73F34645EF182AB81AD6E31CEEtruefalse - insufficient disk space 23542300x8000000000000000331547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.435{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dllMD5=31CE620CB32AC950D31E019E67EFC638,SHA256=1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF,IMPHASH=B06D4116DA69A513992D529F84731E6Ftruefalse - insufficient disk space 23542300x8000000000000000331546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dllMD5=3A2C18EF2DF37EA41788F50042774C22,SHA256=EA85134227C8E5A23A63D60E6CDB2BC38F925427BA75426A3BE33212435E1741,IMPHASH=E2C243EAA5D873A145FCEF834080DE02truefalse - insufficient disk space 23542300x8000000000000000331545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.419{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLLMD5=B1481F32F9AE280CCBC61C8AD776682B,SHA256=18EF6640DE7F9CC92A39A7EA821440D11EC8B4734440DEC09B912286B61C1E1D,IMPHASH=DCF2E449F9BB9D139C000D9ACA021B3Btruefalse - insufficient disk space 23542300x8000000000000000331544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.404{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dllMD5=BF5EE52BA36031A005B3D7B15F1CA090,SHA256=5A41249C27EF3253B690F95A0A86ABE2337C3405570602E7D8DFD7C3445FF923,IMPHASH=C060FE320860AA232972D941EF87C2A9truefalse - insufficient disk space 23542300x8000000000000000331543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLLMD5=4EB16FA4BF5E5A6EBBD04944122932EE,SHA256=70EAC936AA0A2116523BEAE5CDC56A62CD75DCEF7CA67E772C2D8D3EA671D3CE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.388{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLLMD5=5A0C012363593735ECE5B5A3E2660DFC,SHA256=3BDB8099CD7A29AB3A7C5537AE6080118F0620E398127DF52A86CF93D957D3BF,IMPHASH=0D73E3933AC07AC498DB234A1DB6CFB3truefalse - insufficient disk space 23542300x8000000000000000331541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLLMD5=62B6D60B01CA2E35D2CCEC7E3BDAA994,SHA256=0F81AA0BF90EA2B73F78AE13D0FFB324E1B5B7941F2958B9A72BB2A542536358,IMPHASH=E49083C77B627C12647C15AC0D802AC5truefalse - insufficient disk space 23542300x8000000000000000331540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.372{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLLMD5=945ADF70828C36FD87A8207A56C2D212,SHA256=57430AE9F43ABD5AC24ADF8C054DA7E21E68A71F93429B91133D3556A39F26B9,IMPHASH=87129B5DB51BAC86039EB664D9F15359truefalse - insufficient disk space 23542300x8000000000000000331539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.372{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48880ACA8CF30BCDE74D4826AE630AC,SHA256=9C19F54DC613C045CB130F726A8A7189A61F3F1411143C3B1C0A431F0CF3F15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLLMD5=2B2C1471D6114ECECEEC63B87F142350,SHA256=662B8560248DB5CC35D12CBC6AF2DF0186FA33B100E882BA1E441051B9FB2926,IMPHASH=532E4F6ACDED6DEC568AE39D084E9305truefalse - insufficient disk space 23542300x8000000000000000331537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLLMD5=4E772574EAE660769596CC479603DE0A,SHA256=A7E00BA88DDAF8F85DF84DF02E0E75EF27B9DC679716014242C021C5155BAABC,IMPHASH=FBD9F3DD5F62916FE2ED3B9E558007B4truefalse - insufficient disk space 23542300x8000000000000000331536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLLMD5=1444A35FB444C7DB815DB2323A839ABA,SHA256=CA806CC5ADD0D50B5256674CEFD620A1C45FEA164C9CB3CA4DB8716F276F97BF,IMPHASH=FBD9F3DD5F62916FE2ED3B9E558007B4truefalse - insufficient disk space 23542300x8000000000000000331535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.357{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLLMD5=C22AA1BC57B54BBA20A6FCA2E1494044,SHA256=7CF8EEDBD95A18827396DAD80574BC44A7D5620546586141C479661D9CF088DB,IMPHASH=945B9E61142CA4C293834D9A376232DAtruefalse - insufficient disk space 23542300x8000000000000000331534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dllMD5=B96FCA8D1A2D1BEAFA9E1854BCB5D415,SHA256=C542A647C61D88495112960DE3B6C2EE514EE5DDAB7F1B64804728793612E132,IMPHASH=D99E383A832BD92D1D40C16FE24008E6truefalse - insufficient disk space 23542300x8000000000000000331533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.341{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dllMD5=5BE87A2AA3FB1DE2B0A1B78A5D00800F,SHA256=04A2A67AA688AEB88EA85D121D86D0BDDC5BE7984E2E6C80683ED2AC77DCD9CB,IMPHASH=FA9E48B1414431E75C7254E68FFBB9FDtruefalse - insufficient disk space 23542300x8000000000000000331532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLLMD5=942DB588AF58AD5FD696D15D23036A2F,SHA256=57C8368AB17A2545F7A2DB5975402E9D6B717A2DB3145D0E0E7C3B3CCE7B48CB,IMPHASH=A89063B0B54BF9A51BD341289155D6DAtruefalse - insufficient disk space 23542300x8000000000000000331531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.326{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dllMD5=76FBB2ABB48A4C779D545D4A859ECBA3,SHA256=2A3BA107BF116B61A8BC9A6FB6C0DD6BC24D054C7B7F0C86514C510BF054B201,IMPHASH=BB11038EB71A4CAC8688357AD0EF26B2truefalse - insufficient disk space 23542300x8000000000000000331530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLLMD5=D527E2163E571C9A1089FF3A15596831,SHA256=4B05831D66170655F3345BBDBF9ADB4AAD94BEBA51A83A55CA4717FE148ADD34,IMPHASH=7671FF7B2EBA8B76174A25A846DFCABBtruefalse - insufficient disk space 23542300x8000000000000000331529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLLMD5=3805936C821ED67F8DADA530125BF6A0,SHA256=116AEF45395C949DF3EFA61D43B08696E877FBC5D78EE8C02440D8BABCDC59EB,IMPHASH=C310A60A4DC7DDF02F718E66FC28CC48truefalse - insufficient disk space 23542300x8000000000000000331528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLLMD5=8CF7633450ACAA63BAE6BFB00314D8EC,SHA256=91FEDE0AB8C367C10299ACD7643CE74E2F37E6615AC0A22E6E59ED3810DAD05A,IMPHASH=1CFB7F013E01DEE64A2AE8065944157Atruefalse - insufficient disk space 23542300x8000000000000000331527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.310{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLLMD5=3645F55A86E12CDF9BD2A66376D3962B,SHA256=B8852F5222D421989FA9801B5AB7659D92D98ECA6A7CAD49973ECB13D6242C23,IMPHASH=FF5EA5A4BEB93BC2F9FAA273BE0AAFE1truefalse - insufficient disk space 23542300x8000000000000000331526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.294{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dllMD5=1A22AC29230FF06E278CF85992F48C86,SHA256=3A3F61F1D187142BBA9B37B318F6052A09743FF24FCDB3CEE478D1BC5C68D300,IMPHASH=AA8D086DEB6960B10F8791DF466A5610truefalse - insufficient disk space 23542300x8000000000000000331525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dllMD5=0A0042FE544C91CD57BC2F7EF40BB974,SHA256=4190F0A1306257CED4975448794E1D42BE312E334FFCCFB4910A4A39CDE9DF57,IMPHASH=6042F1676A7711E459589EF169A5B501truefalse - insufficient disk space 23542300x8000000000000000331524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.279{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp120.dllMD5=E3244FDCEC84C99E4B60227EB3B70893,SHA256=81FBC2824E73F0D101D91854694A52E79DB0FFAADBB2A10DEAAF47B3B7F9B2B0,IMPHASH=6CCDA270A497A2C5A36A7F385CC9910Dtruefalse - insufficient disk space 23542300x8000000000000000331523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLLMD5=355CB250CB53C3D493E3675F9078F760,SHA256=9A9C237DF13AB82C6555D420A105301B5DEA0D88F293F255DDC16793D453166C,IMPHASH=32B118B929D6ACD638E3A93B13760FDEtruefalse - insufficient disk space 23542300x8000000000000000331522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.263{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXEMD5=C248EE9072228997A6DEFA2C08ED9892,SHA256=082F60EB2356879F0BC9B37FA0EE74DE76696A49814E91F65844E724D0E865A9,IMPHASH=9FF14D50B4B69EE0F93691E569A2F21Etruefalse - insufficient disk space 23542300x8000000000000000331521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.249{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLLMD5=265DAEB4AF29E68315345AB75CACEB3C,SHA256=9DA4A4C5D63ADD1D7F0A6CADC1CCEAC48D2EF9B4C4A5D18FBCA29E5F966447AF,IMPHASH=6E397FE97DB5D9F0B5CF516C2B736C7Ctruefalse - insufficient disk space 23542300x8000000000000000331520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60DE05BBD3EC90CC1A92ACB02EC19C4,SHA256=0FCF6E28582B0AFE43BB7EB810ECF44A7EFAAB9411C016A5C70A71F27C0DEBF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.249{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLLMD5=8E1D0694D2091FC64019C0745FE47BBD,SHA256=6603424B76C6FC5471AA4111EEF994120300343E7C69942D1176473D3FF3A17A,IMPHASH=FBD9F3DD5F62916FE2ED3B9E558007B4truefalse - insufficient disk space 23542300x8000000000000000331518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLLMD5=CD76AF712330982CC3389B8DE51286A1,SHA256=D97A0A152D5858F344D88C802D28391266A5BEAC314F10ADF4A2ECE90E08FA21,IMPHASH=FBD9F3DD5F62916FE2ED3B9E558007B4truefalse - insufficient disk space 23542300x8000000000000000331517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.234{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dllMD5=51C91B404C701CC26B8B6DC7AACD8037,SHA256=9F60F7AF82BCEDC3C91D796F9C4442900BFF40A192E30EFC798AB9230AA9F0B7,IMPHASH=EFB56419C1BA206D8C70E3157D5C83A0truefalse - insufficient disk space 23542300x8000000000000000331516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dllMD5=DE64F87044B4B75A8BFBF0D0A81C6762,SHA256=332DDD38EC6877D222FE874D95C297135C0507870B4A2B3FF8D76A177995A066,IMPHASH=8E73537858A4DD94C8C6CD4D6467068Btruefalse - insufficient disk space 23542300x8000000000000000331515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.185{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dllMD5=A0313F584B34D59C5DCF01D23F9E07F2,SHA256=724C377BA84234475A8C276A4E648ABBE29DFAB686690D9DE74EB621F170E9C1,IMPHASH=5B88A3BC3186955DD56EF86D971C8A80truefalse - insufficient disk space 23542300x8000000000000000331514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlbMD5=2FF8B1F761F3055D62CF7A2CDB79B5D8,SHA256=BD6A1DDA7BD3010876FE4C9B11C7537DB6D6CFB10723D8A8759381CF625C28D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dllMD5=BDE3F678FC79F9095D5E5E3A07AF6729,SHA256=FE86C626D2DAECB87E94EB47BC2EA84E46051C9F9D7FE5CF8752388B5CCB723A,IMPHASH=1F2A9C021941C1D48ED608CC1F653934truefalse - insufficient disk space 23542300x8000000000000000331512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.169{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLLMD5=13AC4F3412A823359A1EB2A30ECCC275,SHA256=69E8431B4B04149E3271AD945AEEA2B7CAF07AC0202E5ECA4D020DE32E0D596F,IMPHASH=3F12CFE1A1DB416D3BF72496977F8DCEtruefalse - insufficient disk space 23542300x8000000000000000331511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.154{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLLMD5=C461B687493B97AF10D17E51EA304943,SHA256=515C814EBA3F776291078BFA49EAEF5FC508007A73E5A4DEFAB17CB3F31A0807,IMPHASH=FA84916B5443ACF5B74E4A0A22ED56C3truefalse - insufficient disk space 23542300x8000000000000000331510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dllMD5=EC5A86B5E7BDFFD50E022E431287273A,SHA256=290F577461B2D4197DB0B7D09341225C90CF066984F965E54C9FA4AA16BA6687,IMPHASH=F7E155027608DB4293A50332363A537Btruefalse - insufficient disk space 23542300x8000000000000000331509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dllMD5=7E601AF457849D20234D3B5C3AFF30B6,SHA256=D0A18EF6A3FEA72CB260095C54111C02B035954BDBAAF46ACDF307FBEC67A7AE,IMPHASH=508CFF9C0035E2E11C32291D59C2BF5Btruefalse - insufficient disk space 23542300x8000000000000000331508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exeMD5=6F3FDB3F4B7ABA29C1965AACA97043F0,SHA256=87F29B09073B7139CB5427A42FF5D1E76B7A7205D10B33DE2E49B26C49FF6638,IMPHASH=3ACA1C28F362E896962B5C793DC41EA1truefalse - insufficient disk space 23542300x8000000000000000331507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.125{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingChromeHook.dllMD5=3FE95BFA8E10D1E336A7E2CB596D7ACF,SHA256=88D2943638CC35CFAFC9EBD664DDBB34A8FD76D5D039BF66ACF6563F52811C29,IMPHASH=0B09CC8A58FE3C94957CD125F52B60E6truefalse - insufficient disk space 23542300x8000000000000000331506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dllMD5=D6ABF5C056D80592F8E2439E195D61AC,SHA256=8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dllMD5=1FA7C2B81CDFD7ACE42A2A9A0781C946,SHA256=CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dllMD5=5E72659B38A2977984BBC23ED274F007,SHA256=44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dllMD5=32D7B95B1BCE23DB9FBD0578053BA87F,SHA256=104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dllMD5=AE3FA6BF777B0429B825FB6B028F8A48,SHA256=66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dllMD5=8F8A47617DFD829A63E3EC4AFF2718D9,SHA256=6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dllMD5=1DD5666125B8734E92B1041139FA6C37,SHA256=D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dllMD5=809BC1010EAF714CD095189AF236CE2F,SHA256=B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dllMD5=D0D380AF839124368A96D6AA82C7C8AE,SHA256=06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dllMD5=E70D8FE9D21841202B4FD1CF55D37AC5,SHA256=E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dllMD5=39D81596A7308E978D67AD6FDCCDD331,SHA256=3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.109{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dllMD5=AB8734C2328A46E7E9583BEFEB7085A2,SHA256=921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dllMD5=45C54A21261180410091CEFB23F6A5AE,SHA256=2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dllMD5=5245F303E96166B8E625DD0A97E2D66A,SHA256=90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-conio-l1-1-0.dllMD5=3B038338C1EB179D8EEE3883CF42BC3E,SHA256=C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-xstate-l2-1-0.dllMD5=E20C50CB320A5718AE869D8EC4D460CA,SHA256=48C776F38EAED72CB05A993484F60CBFDF5AF59AEBC48E53481A997AE7DED8DC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-timezone-l1-1-0.dllMD5=A20084F41B3F1C549D6625C790B72268,SHA256=0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dllMD5=F6B4D8D403D22EB87A60BF6E4A3E7041,SHA256=25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-processthreads-l1-1-1.dllMD5=C2EAD5FCCE95A04D31810768A3D44D57,SHA256=42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-localization-l1-2-0.dllMD5=3B9D034CA8A0345BC8F248927A86BF22,SHA256=A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dllMD5=BFB08FB09E8D68673F2F0213C59E2B97,SHA256=6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l1-2-0.dllMD5=F6D1216E974FB76585FD350EBDC30648,SHA256=348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.092{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.XlsIO.Base.dllMD5=DBEF8DD7EFC6DA29D3826851CD60642C,SHA256=5CB7AD4134572D199F9CAE22B079A43B828BFF9FD685004FEF4405A906F5DAAE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 10341000x8000000000000000331483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.076{72106695-B487-63D3-C503-00000000BD02}61003728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:56.045{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Tools.Windows.dllMD5=B1FAC679B47FAE77F0A1B1C97D7BC9E8,SHA256=08704125D977AF9FD036F0157FDE1AE8BC4C2722A907CD34575D1618E88F0420,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000448135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:57.436{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33468C6F408A7B53FC6CA201F69948FA,SHA256=16337212D1B42941B75760352B560166758B3C822E3C7F5055F2E7F5FB754587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.970{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exeMD5=0544D83171001F37AA1A21E832521F63,SHA256=A5F7AD2168FD55BED94F8F3AECC18B2C715B66D134610E4A122FB92FBED9AA25,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.938{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exeMD5=85E5179E2929B37B8A9B8710B48ACC9C,SHA256=07E01AC0A4E23A5AD5BCEE2C8D0901FC3F6F73C592A6BDAB88CCAE757B774BB3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.923{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exeMD5=969D60865DAE090927E577EF947C2947,SHA256=132C8FB1C821229062AEF94C91BB993FF1E46469FCC0AC794DAB5BBC045FF711,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.907{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exeMD5=035B92F2812A946924A94AEF736F296D,SHA256=ED02C32FF160036029FA215357532801B24884D1CB273E4E15F477EC99039F78,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.907{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7EE4E8D5D709C46D531330033782ED14,SHA256=B93FAF93ABD3BAB9D30A2D668812B29795AA4036EBF9D5C38671D40DAB811A5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.860{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exeMD5=18FFEEC3C489CE1980C9DBC623AF2CD2,SHA256=8B564E34F009B9846A4F6D5DCBCC764376C740F5AD8003BA438B92F9E0CFD30B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.845{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exeMD5=9CA8F1401DFC1F3ABCAD5B7E27D0EE84,SHA256=5C4299E67D5DC35597A4B531EA882E78C7A9828E5D3764D0EB23B0F196E3DD91,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exeMD5=7358C1AF4C59612605A36CE3D5BD2A70,SHA256=C3A7EAABE82E304EECB63DAC5A8D8D9646D545B750314C1EEA0979A74A728B59,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exeMD5=7358C1AF4C59612605A36CE3D5BD2A70,SHA256=C3A7EAABE82E304EECB63DAC5A8D8D9646D545B750314C1EEA0979A74A728B59,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.829{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exeMD5=F29A4071F6B80AEBD11F7BBD62505AB2,SHA256=5C9605112BB355E9D7CDFF00B28805EBD6E0FEC19BDAC9A87540BC11EC10222D,IMPHASH=321C1218EDA91FD06B745AA8D28C300Btruefalse - insufficient disk space 23542300x8000000000000000331639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.813{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exeMD5=7965F9613F95E3CCBF759B93149C23B0,SHA256=CA0E240EC3C378AFEABD7B22A450406D04EA43E9C093ABDE6980F5F4556027C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.798{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exeMD5=AA43DCCC0ADDC1A8EFA30C70FD4474F2,SHA256=9736982A4476A501DBD03450A67383B81AC6AD38395DBD063CD63C68142E1D4C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.782{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exeMD5=90D77D6A24B9D55B691F32730B74481C,SHA256=562B95065362710C1D1C1A6BFBF763911D1130406A55E26975A9B2664CBC1D59,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exeMD5=5EBBCDB2984CF625B14D7A16A99F5F6C,SHA256=473DD9A90391C7887C8CF8E9AA1D5B13EC1CD1A6286AAE074289BAD8425034C2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.766{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.icoMD5=58F5AC079150EECE385C296FFB565A16,SHA256=69C12CB174CCBBF92B9C39532B576703BC058C7FD3E58F28BB723621F64D687D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exeMD5=85E5179E2929B37B8A9B8710B48ACC9C,SHA256=07E01AC0A4E23A5AD5BCEE2C8D0901FC3F6F73C592A6BDAB88CCAE757B774BB3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.751{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exeMD5=375A76D9D131FCFF80467B664B5A9ED1,SHA256=E846F54C44935DD9FFE73DB368D639EEE73ECF276A4421432DD493540055EA6B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.697{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\16.0.0.0__71E9BCE111E9429C\microsoft.office.businessdata.intl.dllMD5=3AAB306A943B040818C1D5A90C8D381D,SHA256=EE3F18937810AA6EF1D74C9B86F9E35D7870937FA65737153A4A4293E61240B1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.688{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData\16.0.0.0__71E9BCE111E9429C\microsoft.office.businessdata.dllMD5=5606AD77DF97602A0EEB7B411FE7A155,SHA256=52EAFEDC009E4DB5ACC0C7903ECA4B00E196CC77F2D4F7A279DF7A2478B0233C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.660{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DCC1A94F783965DE1A1A66C88B8EF3,SHA256=F8987B0E5DD4F9E70C94A01838B6F9BDDBA9A7969E536A939A35C0C16FFC2CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.644{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\16.0.0.0__71E9BCE111E9429C\Microsoft.BusinessData.dllMD5=C2070DBB8265A907B7D71F1DFB84FBDE,SHA256=3C049D7D992C0DD2BD0517E3607133BC848EAFB25F0F540A3079CDFD5682C466,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000331628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.634{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\assembly\GAC_64\Microsoft.Office.Access.BusinessDataCatalog\16.0.0.0__71E9BCE111E9429C\Microsoft.Office.Access.BusinessDataCatalog.DLLMD5=258F10F2BBF0DF628EEE4EFB44B7983F,SHA256=058C689B0BFF1B359098CF2400CD3DA1369E04C149BCADC6488B924FAB7C109D,IMPHASH=FD2A425C67CE1906367495FBB4A6E2F0truefalse - insufficient disk space 23542300x8000000000000000331627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.618{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vcruntime140.dllMD5=31CE620CB32AC950D31E019E67EFC638,SHA256=1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF,IMPHASH=B06D4116DA69A513992D529F84731E6Ftruefalse - insufficient disk space 23542300x8000000000000000331626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.602{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vccorlib140.dllMD5=3A2C18EF2DF37EA41788F50042774C22,SHA256=EA85134227C8E5A23A63D60E6CDB2BC38F925427BA75426A3BE33212435E1741,IMPHASH=E2C243EAA5D873A145FCEF834080DE02truefalse - insufficient disk space 23542300x8000000000000000331625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.587{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_codecvt_ids.dllMD5=F8BF6857B3FFE342BB06EBB40D85349F,SHA256=DD4A2E82CF4050BAE3F8EF178A71528A6933187B94872B4686885481CE557873,IMPHASH=72E793C2D219D77E6E25707A25EF03FBtruefalse - insufficient disk space 23542300x8000000000000000331624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.587{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_atomic_wait.dllMD5=536BB69F7A8FBA997AB1950D6E6737DA,SHA256=651B426602C3BA021759F297D68013504420CC15C0F1003FA2BCDE3B4D7F0DDF,IMPHASH=D68ECBA137090B167CF249D17E6B9507truefalse - insufficient disk space 23542300x8000000000000000331623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_2.dllMD5=3EF5FCAFD51BA88ED48ED38D89BA36D3,SHA256=7BF18F791B503F6C4EC8B4FADEEB2B2C547750A4AC36C91D9D6469B4D048E137,IMPHASH=6C7C5C396D66ABF87313C2E845BF42E0truefalse - insufficient disk space 23542300x8000000000000000331622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_1.dllMD5=F16A7655E68E864775051CAC0234C5C9,SHA256=09192837E98161DAD48CDBAC4E2E00A6AA9FF2912A601FFCA36C1DEA8E4E38C5,IMPHASH=60906B3ADC1136B7747200C4084A6DABtruefalse - insufficient disk space 23542300x8000000000000000331621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.575{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140.dllMD5=0A0042FE544C91CD57BC2F7EF40BB974,SHA256=4190F0A1306257CED4975448794E1D42BE312E334FFCCFB4910A4A39CDE9DF57,IMPHASH=6042F1676A7711E459589EF169A5B501truefalse - insufficient disk space 23542300x8000000000000000331620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.544{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140u.dllMD5=2573E505166EEA3C706AEDFD5AFABBB0,SHA256=FD19CE03D9474B57BD38C59EE6598D636156FA8C4F157E418AD82B867683F9B7,IMPHASH=490DD8E874DC8FBAC0A2DD6A12E8351Btruefalse - insufficient disk space 23542300x8000000000000000331619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140.dllMD5=5B2A6A2B06A4A8350669DE8573258EF4,SHA256=28627BFFBA0EF8DEA79515FC4C055A8DA3930933DA7567CF9F53C906988F932E,IMPHASH=5A8E9EF0741C8577A5328A51DE65A944truefalse - insufficient disk space 23542300x8000000000000000331618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.525{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140u.dllMD5=51C91B404C701CC26B8B6DC7AACD8037,SHA256=9F60F7AF82BCEDC3C91D796F9C4442900BFF40A192E30EFC798AB9230AA9F0B7,IMPHASH=EFB56419C1BA206D8C70E3157D5C83A0truefalse - insufficient disk space 23542300x8000000000000000331617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.337{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140rus.dllMD5=2418DC529F1FB5D09E5D462C2E11FB46,SHA256=2D05F51DF7311CDD742BB173241DB32022CBBF2BA4B52E9297C8017F221EC09F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140kor.dllMD5=C37AC3AE27B472B4105A278A0318E708,SHA256=511DAFF89F83643A125BEDC8EB79803CF67C8018DBCD406735213D4BC29B84C0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.321{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140jpn.dllMD5=80F5A4C290F946DD8CE0935144A6D10B,SHA256=F8CA989BF8E3E0EE6D75F79BD13724BA64491EA415199A5EEED61CBDAB6557EC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.306{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140ita.dllMD5=B0A583AD51BD64AA13856136B63CAF8A,SHA256=5D51EA6294F1A1F1ABA160810677A392841D77C40DB6C8CBB612DC94A6014D64,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.290{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140fra.dllMD5=0CDC3678FC5745D769A46CD834D2349B,SHA256=10EF5C32DCCED821A609EBC1ABA08E25CDA528471BEBAF11388CEF842B232982,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.276{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140esn.dllMD5=F53D40E7E4E4244CE7F0358A4DBB7F2E,SHA256=DD5C808DBE941092D37071DF634E93CABF968CE7CDA5DAFE7F6238F12B9F8CBC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.260{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140enu.dllMD5=ADB9861CE9C72FFAB66A9AC64E483A03,SHA256=7F8BE380A45748156806FC21F44C6F8066B0D095093FAF1F881311ECB316AE33,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140deu.dllMD5=B4BCBB76EBC011ACE8DB1FAB83D04662,SHA256=8DC0C96A466B558A4846EFA4D4346A3EB4C1CA51E347830049484F8572E19769,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140cht.dllMD5=55CFC01ECFC76EA9318B97FA909E63E9,SHA256=746CB89FB29A291B0026C980B8D69B21BD443A9E3FC4EA24D2DED954CBF72209,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140chs.dllMD5=0B67803DEF4B8862DFBCACDB3CF22F4F,SHA256=5AF2600DC14A5F75FD4AF3B431AB7FFFC69763BE9590B17EFE16B99B71EF6942,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.227{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140.dllMD5=D5E4D363511A6613F365DE4C3318B7B9,SHA256=4C9704783AE2BBF5AB67D5D98A3B2A591D7FA4A203337DE849E1A3D779DCD813,IMPHASH=49CB4C300F5F31D98FC65B365BBEF94Etruefalse - insufficient disk space 10341000x8000000000000000331606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.096{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B489-63D3-C703-00000000BD02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.096{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\concrt140.dllMD5=EC5A86B5E7BDFFD50E022E431287273A,SHA256=290F577461B2D4197DB0B7D09341225C90CF066984F965E54C9FA4AA16BA6687,IMPHASH=F7E155027608DB4293A50332363A537Btruefalse - insufficient disk space 23542300x8000000000000000331604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.095{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C946ADE2C92BE370E938449DFDD7130E,SHA256=17C624D56C3400BEF1BAF45FB953A0AA30E29FBAAB4996EB59A00DC3EC627374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.091{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.091{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.090{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.090{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B489-63D3-C703-00000000BD02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.090{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.090{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B489-63D3-C703-00000000BD02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.089{72106695-B489-63D3-C703-00000000BD02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\VEN2232.OLBMD5=C09E01B2D65A20D203330AD348936464,SHA256=6A18FA706EA802C1C2A56B3D049A2DE44E39536B1CA0FFB5ED8B5906751CDD7C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vcruntime140_1.dllMD5=7667B0883DE4667EC87C3B75BED84D84,SHA256=04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69truefalse - insufficient disk space 23542300x8000000000000000331594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vcruntime140.dllMD5=11D9AC94E8CB17BD23DEA89F8E757F18,SHA256=E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302truefalse - insufficient disk space 23542300x8000000000000000331593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.062{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib140.dllMD5=7EF7EAB654DF53E087AC4703C9EA0B16,SHA256=13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8,IMPHASH=D5EC94CA50152CC1E7188B825074FEF2truefalse - insufficient disk space 23542300x8000000000000000331592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.047{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib120.dllMD5=BDD8AE768DBF3E6C65D741CB3880B8A7,SHA256=602ADD77CBD807D02306DE1D0179CB71A908EECB11677116FC206A7E714AB6D6,IMPHASH=85727CB86AAFD871280FFE38FF204B60truefalse - insufficient disk space 23542300x8000000000000000331591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.031{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\vccorlib110.dllMD5=2AEB4F8E2BD49FA46E7FCA142A1003A8,SHA256=F5F635C0CF8252B81C8283AE7063E5BDBC7D608EE8798EC6064707B489339D5D,IMPHASH=26901E30C69F9783330D2859D883C1CCtruefalse - insufficient disk space 23542300x8000000000000000331590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.016{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr120.dllMD5=9C861C079DD81762B6C54E37597B7712,SHA256=AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C,IMPHASH=8F18E22935EF8B336E246EE763FBEC97truefalse - insufficient disk space 23542300x8000000000000000331589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.000{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\msvcr110.dllMD5=7C3B449F661D99A9B1033A14033D2987,SHA256=AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732,IMPHASH=2D8550B19D324144E95B49AAE32A0DCAtruefalse - insufficient disk space 354300x8000000000000000448134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:53.766{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:58.506{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7C3CD6F12A4476A42FE8576889C6E2,SHA256=0076F28A685A212BA3BA5A1CCBF5D35D25B8E4049932067B556FDBE5285A1BA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.913{72106695-9B85-63D3-1700-00000000BD02}12241604C:\Windows\System32\svchost.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.888{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C903-00000000BD02}3864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.888{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C903-00000000BD02}3864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.887{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C903-00000000BD02}3864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.881{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.881{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.881{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000331705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.796{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1124.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.785{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-journalMD5=BEA25500E8B35E21D13E049220CF96F8,SHA256=948328A21B88308A134356C08DDE3DFE2479F3386B13FC6C01F8972DC9697E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.777{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-journalMD5=D2B904D4FC2FC6AFA7477F83D8306941,SHA256=603DE7FF014BCD2231181921D3D781E33DEB0405DF2DE559D347920DC910D6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.749{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\integrator.exe_Rules.xmlMD5=439CCD39EDC80E2CDAD9CB2402592F29,SHA256=93C6E7F24C6A8E7C8A79C2AEE26224CAE00693CDAE335A89C11BC6D4B7678B04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.742{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.741{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.741{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000331698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.672{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5885EB1EB5FF2C1FEFDC080A0E713759,SHA256=A883AF3971660F32274FF0EAE1849DB20CD502F671862E581E6B1AF633648CC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.472{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.472{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.472{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.444{72106695-B48A-63D3-C903-00000000BD02}38645300C:\Windows\system32\conhost.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.425{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B48A-63D3-C903-00000000BD02}3864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.410{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.410{72106695-B403-63D3-B103-00000000BD02}60923896C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B48A-63D3-C803-00000000BD02}5516C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cb9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11572b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+115592|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+114b8e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+114481|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1136f6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.410{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\FileSystemMetadata.xmlMD5=CAA29C72715E470023C06C1A1787B0B9,SHA256=91B631F33C0BEC6CB3AACFC0BFE69ECB35B9A0FD20C2794A36A4401D32BDD111,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\c2rx.sccdMD5=9269AB87E50698D5FE5ECD711720DC4E,SHA256=369D73ACD78D7215E79E8DB6616986B18E028CBB678D28D00DB92095C4C085E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\wordmui.msi.16.en-us.vreg.datMD5=9C5989B9BB764A08031F866582A544EA,SHA256=5D854721E9DD5550DEE8C134717CB1B98E5FB46F4C6496BF99BBD15B79513A2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.332{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\word.x-none.msi.16.x-none.vreg.datMD5=06AED465505BE0FB41AD15A4FDD0DCD8,SHA256=C6F569546AF5167DDB8CE2E89E571177650B97EEE56B84434405778F09978E4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\publishermui.msi.16.en-us.vreg.datMD5=10EFCA74EAEC466974F5817148EEE769,SHA256=39A8110D38BA8D3942A66B53028C8D0FDA441FA28B6D8D188E0FFB7B6362C0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.316{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\publisher.x-none.msi.16.x-none.vreg.datMD5=8F615A3EEED9C2FD5824AAE553B96DD3,SHA256=4388A128476F56FCA6BA9B1A3502F1EFE3E06CC7FF59148E9F5A5F48383D2D19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.datMD5=C7DC0A277DFCFAFE739B14351D9E0E92,SHA256=BA9BB2361CB6F8B08D9A340DB259729E4CBEBD4920569113C8BF72F2546F07D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\proof.es-es.msi.16.es-es.vreg.datMD5=93BD2E05F96992350E2F95A2061192A2,SHA256=4D3BD29E9BBD3B46D20EB6E569948AF64EEE20707DC188374ADAE368DE73ECD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\proof.en-us.msi.16.en-us.vreg.datMD5=1D1A10BCE4FF45DCBDC2FCB046740C2C,SHA256=50218EAC37CAE449251DC848C8896AEADA24176556618DA9C4381EAB080978FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\powerpointmui.msi.16.en-us.vreg.datMD5=DB2B287C8B20993B65D410CBF496742B,SHA256=2FADF34C79494CEBE8D4A8015FB38543DA45B4BC9C244DE599072315F98DC67E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.300{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.datMD5=EF71937031428BBFEECEEF7E2506A5FA,SHA256=29B0A31ED85FA56459E8DF58E39F8830A2DBBC70D6099EE836A7773F14935D0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.285{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.datMD5=50637BBB1543D0CC9C1CA5655812A47D,SHA256=0C261506A97327DA60890C7F717091F509DD4BE8D8013642DC3B5C4D46206F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.285{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\outlookmui.msi.16.en-us.vreg.datMD5=713429198FC77CFC78BAEF720FE375A0,SHA256=8B5E845C660783197606309B30D86D9CEAB52654149571D3C9390460501DEF0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.285{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\outlook.x-none.msi.16.x-none.vreg.datMD5=85B788B63E15E3779A87E6401090C954,SHA256=03A54B15A70F229EA42068C97CD9A0DFD34958A250D4874CCA3AD4A0591CE63D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\osmuxmui.msi.16.en-us.vreg.datMD5=6A4A89053391B7420A506A2AB3CEDCE4,SHA256=5B8463089B6B3D8AA57A88D6179A413B0052948447573F46FB415031F10708B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\osmux.x-none.msi.16.x-none.vreg.datMD5=53B420B08D97002CEC5E1573955482AC,SHA256=6D5B02C23BCFE5C9DA4E00D9B3EB5B483A169BD5FF3921F29FA3D70744C853A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.269{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\osmmui.msi.16.en-us.vreg.datMD5=4FDB0252E2C38F0D428F6A864860D72E,SHA256=326E1AD77B89D09BCBFAED5A45B0BBE3013A83E2E5E542BE982329A41E606779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\osm.x-none.msi.16.x-none.vreg.datMD5=22FF72B33C36BAF60BF28B704E3A759B,SHA256=F45245CCE8365BE4A8313E9E13DEC54FF0B599A6C4433921609101D086AF7ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\onenotemui.msi.16.en-us.vreg.datMD5=7D8757BD145838EA88309AA493B1FB8B,SHA256=802B4716C665E63F42EF9AC2D244ECFEF092DD758C395379FD26B6A3B5DC557D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\onenote.x-none.msi.16.x-none.vreg.datMD5=7CD15A9044FCC1D20A7948D5375A26A6,SHA256=76E89858942878E67249F8FAB93C755E7649953CEFEBBC88D3A422921624E658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.253{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\officemui.msi.16.en-us.vreg.datMD5=4EF166A3E85F8BA7E4E5D36EADBC9144,SHA256=1924BB881AC3135A14F24175DEF60A8097E88E6EF50D74308B44DF91198F7251,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.238{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\office32ww.msi.16.x-none.vreg.datMD5=9BCFF981B28DA23222BFB165506605EF,SHA256=CB01D302EC29E410AA66B1B8301C9F8548CD9530683884184BC2B8519F9FB0F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.222{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\office32mui.msi.16.en-us.vreg.datMD5=6A64495A6B47E032418CD383365F3A98,SHA256=7359BCB314D290461DB7FE899FFFDFB78F094D5D2D1EEDCB81D85533C8A68AE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.222{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\office.x-none.msi.16.x-none.vreg.datMD5=D7D526ED8E4C4D3F31CFA0C879D8F1D0,SHA256=3FA9A6A1754C910D5F272BAB1FCD642D63B28D753B2FD5EAFD0D1DAA8AEB49ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.191{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\lyncmui.msi.16.en-us.vreg.datMD5=B71E5316959D10FEFF7E354B225EE81E,SHA256=DF48DE5AD65714C8B151C532F7FC9C0B651D518189888A30FE8301898A0AF145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.191{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\lync.x-none.msi.16.x-none.vreg.datMD5=F7F26D743EA81261ECF84A1EC7BC30ED,SHA256=91A711D8FE215A4EAE028D26772C7B0AC04612980E2628FA5F704CD0309BB50E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.175{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\excelmui.msi.16.en-us.vreg.datMD5=64C377466EF3EF5FA727F9B403604DFB,SHA256=7719A3BC41FE361104885D02A31588BF0110968772C6E79CB5D8A8D94BBBC766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.175{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\excel.x-none.msi.16.x-none.vreg.datMD5=06B3E4EE7C51924FB41E8BAD8CA2F5E8,SHA256=BA1C08A4DBE7CF10671112AA2BF44308855AA2962A175B86427A6A3A35D2DC91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.160{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\dcfmui.msi.16.en-us.vreg.datMD5=4974ED6B480B24A5D7BB9BCF938A997F,SHA256=7E4F2B78F42412FC924BA107AD8F2A4FFC22A7BEC942B8D1BF1C50FFBB4E80D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\dcf.x-none.msi.16.x-none.vreg.datMD5=D1D5D4AE8058E5668D0F2C53C06A193D,SHA256=0B905DCE73D796EB4581ECC21115D1073CE3E5A8F8446F3A4C0BD1BF6080A269,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\accessmui.msi.16.en-us.vreg.datMD5=8C6B4B62C033B0F40DB56E46AD1FE767,SHA256=A16649657355EDF93F99F12EAFF8DD80038D612FE732222856B2B79191598D5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.144{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vreg\access.x-none.msi.16.x-none.vreg.datMD5=A08B5B1F055F0156802D519F9FF5EFA5,SHA256=024D1DB2F4FE9B64005548EB85C1EBF066E45AAD08C37AC924048613D47B35A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\SHELLNEW\MSPUB.PUBMD5=0627B4727E2BFE1D1CB7F06B82BFCC5C,SHA256=E050EA777D910137FFF7C160992EC026AB4F76832B6C96701B114E379ABF4CA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.134{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\SHELLNEW\EXCEL12.XLSXMD5=C0EDCC68BA60D6BCBF77BC5132BF2A5D,SHA256=4A51286A29368A60AB9B8C76DFC4F96903588C986CAEE9309E3FC1EB8E5FC5C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.115{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exeMD5=7965F9613F95E3CCBF759B93149C23B0,SHA256=CA0E240EC3C378AFEABD7B22A450406D04EA43E9C093ABDE6980F5F4556027C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.110{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exeMD5=7965F9613F95E3CCBF759B93149C23B0,SHA256=CA0E240EC3C378AFEABD7B22A450406D04EA43E9C093ABDE6980F5F4556027C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.078{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exeMD5=7965F9613F95E3CCBF759B93149C23B0,SHA256=CA0E240EC3C378AFEABD7B22A450406D04EA43E9C093ABDE6980F5F4556027C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.063{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exeMD5=7965F9613F95E3CCBF759B93149C23B0,SHA256=CA0E240EC3C378AFEABD7B22A450406D04EA43E9C093ABDE6980F5F4556027C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.049{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exeMD5=DF7F1F2430D026533E1348351B1C53FF,SHA256=EE72BECB0EB8AB0307134905CAAAED13F2A94C3E763A802138AA17F9274B43DF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000331650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.001{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exeMD5=15438AA37CA8C86AFA38C644BF2C40C5,SHA256=43321F53A6EA3C0F6B4284744EF57051F5C855B487E00070BD9D10342C72007C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.782{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE8BDF3A17DF23697C74AFFEA05A25F,SHA256=338A0F77C9BFF7D4CCB8C8CAA21372B78B43330F3626F79AEDF19BDBF5658E18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.819{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.819{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000331729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.819{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000331728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.776{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c800:2d50:9ad:ffff-60244-truea00:10e:0:0:0:0:0:0-53domain 354300x8000000000000000331727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.485{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51004-false10.0.1.12-8000- 23542300x8000000000000000331726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.706{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5548F71FCEBEC114462C59DE89C8389,SHA256=47CAF6D5E14AAEAFC8795253B5D1DC9A07787BC0BBEB90CDEC5ABB4C58458371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.571{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.555{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.544{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.541{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.540{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.537{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.501{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.465{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.452{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.431{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.418{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.393{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.316{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.310{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000331725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.262{72106695-B105-63D3-1F03-00000000BD02}39924316C:\Windows\System32\RuntimeBroker.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000331724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.262{72106695-B105-63D3-1F03-00000000BD02}39924316C:\Windows\System32\RuntimeBroker.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000331723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.247{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.231{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.231{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.231{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.216{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.216{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.216{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.216{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.216{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.010{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=3EC7463AEA067572BD34979B5E87DE50,SHA256=0A627AF207CF58DADA29558D0D84C0391C3B1201B785D3F9AEC3BC13F305244A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:59.010{72106695-B48A-63D3-C803-00000000BD02}5516NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=67408C7CE4C9B26573C01B1A7D2395D6,SHA256=15F65CD8BDDF173779AE09652AC62C7B73B3DAD70F40C924946F0217EAE1B970,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.838{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A14452090AFD5B8395AAE9619B209F,SHA256=B57140D9B59BA68CD9F5B1E13993E471B291E3C752E5CD54375EBAB0E5375CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.779{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA0444155B3228B8A65B634EDD64AB,SHA256=0E60C08407E3DE29368C49180020C7744863D1C476DF6A991B12DFF5A8B8A19C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.778{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000331780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.778{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000331779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.778{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000331778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.725{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B48B-63D3-CA03-00000000BD02}6012C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.713{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000448162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.142{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.139{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.135{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 354300x8000000000000000448159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:57.227{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60244- 10341000x8000000000000000448158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.133{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:00.132{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000331776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.700{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.689{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.685{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.676{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.665{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.653{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.619{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.612{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.597{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.591{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.589{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.584{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.581{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.577{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.576{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.574{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.573{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.571{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.569{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.564{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.555{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.549{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.542{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.539{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.524{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.497{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.496{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.486{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 23542300x8000000000000000331746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.458{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20220511.045803.842.1.etlMD5=73BBCACA0B80B450A8C46F770FF8412C,SHA256=9738170B6D478CD0FFF0C0D67D103BE3A91372FD3877E2A8453126982618397D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000331745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.442{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.436{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.421{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.415{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.402{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.389{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.381{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.371{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.362{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.341{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000331735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:00.334{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 23542300x8000000000000000331789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:01.804{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DBBC6409CFB34F862826C87B38338B,SHA256=52B8078A1F591B549665E3AD4625AF88A83887004E9F6A1440B79F92EE2E0A1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:01.921{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B621426F0148FE460A70BA4BF5260D05,SHA256=C280BAB6A49A5C243F75402D6DE3C6CAE0DDFDE904813AD309BC9FDAE1CF99D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:57.605{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49592- 354300x8000000000000000448164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:57.514{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58576- 23542300x8000000000000000331788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:01.558{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FBB90D15A1B41F87CDC5FBC14114FFD5,SHA256=EF7808F01B0386A2816E08A1A851DB4FE8BE9D9B894DFC304984D876C681E250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000331787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.164{00000000-0000-0000-0000-000000000000}5516<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51008-false72.21.91.29-80http 354300x8000000000000000331786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:58.103{00000000-0000-0000-0000-000000000000}5516<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51007-false13.89.179.8-443https 354300x8000000000000000331785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.876{00000000-0000-0000-0000-000000000000}5516<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51006-false52.109.8.45-443https 354300x8000000000000000331784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.816{00000000-0000-0000-0000-000000000000}5516<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51005-false52.109.8.45-443https 354300x8000000000000000331783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:24:57.777{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal60244-false10.0.1.14-53domain 23542300x8000000000000000331790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:02.932{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB4D85F2023C100D401AC1300343EBC,SHA256=638866B2DE9B2F3EC6A6ECFED95798CAA2B2B0C38D90256CFEE7FCF1A146C315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.859{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.831{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.827{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.811{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.789{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.753{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.742{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.721{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.718{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.713{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.709{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.705{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 354300x8000000000000000448174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.513{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52356- 354300x8000000000000000448173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:59.513{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65508- 354300x8000000000000000448172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:24:58.834{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.190{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.188{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.186{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000448167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:02.156{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000448189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:03.010{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AAABBA433A0EDB31D234B34CD0B2A4,SHA256=B350C98D75FCC970A7B0993DC8FFE839554E524E705F2609A1EB88C44D5E46F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:04.124{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68B618888AD196C53EB2DB3DB8A6D43,SHA256=CC9B52CE3674C011390DBFC981A7394DA346A940EA1938087EF89E0FF862C5B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:02.519{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51009-false10.0.1.12-8000- 23542300x8000000000000000331791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:04.006{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797E99B40B9CCF6AFAC41036C6ED486E,SHA256=26AC53D616015424795E22D11DB0CE798EAA11C934699147E88789422F33C9BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000331793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:05.046{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F754F8624DAFA7682A55481FCC8CE4DA,SHA256=2C18E9B87F6AFAA6BEDE5FB9C9E08EFA87E67FB88AC380DDB4DFF36A32C20B3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:05.220{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BDD898401C0BF9A5D5116161FBAB78,SHA256=6CA7CEDD81705F15D2DBCBAC308C2707671F9183DF84F8EC88F8C4E22E37E29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:06.307{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D441B4C8BED15B21326C6D80C35745,SHA256=8256DFBCFCA976C9547F90C5935B86B5219147DDD9D424E523D3BD83213F349B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000331851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.BlankProjectTemplate.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /NEWDB "%%1" 13241300x8000000000000000331850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ADEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WizardUserDataFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x8000000000000000331844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x8000000000000000331840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDRFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /RUNTIME "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x8000000000000000331834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1",0,1] 13241300x8000000000000000331831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /RO "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\(Default)[SetForeground][ShellNewDatabase "%%1"] 13241300x8000000000000000331823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /n "%%1" 13241300x8000000000000000331822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDAExtension.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP "%%1" 13241300x8000000000000000331821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\topic\(Default)WWW_OpenURL 13241300x8000000000000000331820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x8000000000000000331819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"C:\Program Files\Microsoft Office\root\Client\appvlp.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome 13241300x8000000000000000331818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.911{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-office-storage-host\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000331817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\topic\(Default)(Empty) 13241300x8000000000000000331816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000331815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "%%1" 13241300x8000000000000000331814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "%%1" 13241300x8000000000000000331813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\topic\(Default)(Empty) 13241300x8000000000000000331812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000331811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "%%1" 13241300x8000000000000000331810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "%%1" 11241100x8000000000000000331809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.753{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk2023-01-27 11:25:06.753 11241100x8000000000000000331808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.753{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business.lnk2023-01-27 11:25:06.753 11241100x8000000000000000331807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.737{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk2023-01-27 11:25:06.737 11241100x8000000000000000331806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.737{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk2023-01-27 11:25:06.737 11241100x8000000000000000331805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.722{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk2023-01-27 11:25:06.722 11241100x8000000000000000331804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.706{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk2023-01-27 11:25:06.706 11241100x8000000000000000331803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.706{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Log for Office.lnk2023-01-27 11:25:06.706 11241100x8000000000000000331802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.691{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Dashboard for Office.lnk2023-01-27 11:25:06.691 11241100x8000000000000000331801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.691{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Spreadsheet Compare.lnk2023-01-27 11:25:06.691 11241100x8000000000000000331800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.691{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Skype for Business Recording Manager.lnk2023-01-27 11:25:06.691 11241100x8000000000000000331799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.675{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk2023-01-27 11:25:06.675 11241100x8000000000000000331798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.675{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Database Compare.lnk2023-01-27 11:25:06.675 11241100x8000000000000000331797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.675{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools2023-01-27 11:25:06.675 11241100x8000000000000000331796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.675{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk2023-01-27 11:25:06.675 11241100x8000000000000000331795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:25:06.612{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk2023-01-27 11:25:06.612 23542300x8000000000000000331794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:06.111{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB20F178702C77684B65E3E5F0642C7,SHA256=287A65F1E6D480D50355FF5A66710163C700796B435315AB6A91FCECD58D138A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:04.808{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:07.411{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00C8B2B2939B507E1A7AA9538C6F373,SHA256=3E433825BC6EA7AD83031B6C17D2B165DC3D43BBEFA72DE3CFAC8D2E93AA08B7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000332495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\tel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\skypecast15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.856{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sips\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.856{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sip\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.855{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-filelink\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.855{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-chan\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.854{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15classic\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.854{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.854{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\im\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.853{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\conf\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.853{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\callto\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.852{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.852{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.850{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-word\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcals\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.848{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcal\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\stssync\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.847{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.webcal.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.846{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.stssync.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.846{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.mailto.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x8000000000000000332473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.845{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.feed.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.844{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\mailto\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x8000000000000000332471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.843{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feeds\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.842{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feed\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.841{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-publisher\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.841{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-powerpoint\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-excel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-access\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.839{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-office-storage-host\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Lync.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Lync.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\Lync.exe 13241300x8000000000000000332462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MsoHtmEd.exe\UseURL1 13241300x8000000000000000332461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\SaveURL1 13241300x8000000000000000332460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\UseURL1 13241300x8000000000000000332459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE 13241300x8000000000000000332457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\SaveURL1 13241300x8000000000000000332456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\UseURL1 13241300x8000000000000000332455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 13241300x8000000000000000332453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x8000000000000000332452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x8000000000000000332451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE 13241300x8000000000000000332449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\SaveURL1 13241300x8000000000000000332448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\UseURL1 13241300x8000000000000000332447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE 13241300x8000000000000000332445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x8000000000000000332444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x8000000000000000332443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\SaveURL1 13241300x8000000000000000332442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\UseURL1 13241300x8000000000000000332441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE 13241300x8000000000000000332439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x8000000000000000332438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x8000000000000000332437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\SaveURL1 13241300x8000000000000000332436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\UseURL1 13241300x8000000000000000332435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE 13241300x8000000000000000332433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\UseURL1 13241300x8000000000000000332432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x8000000000000000332431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE 13241300x8000000000000000332430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sdxhelper.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe 13241300x8000000000000000332429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe\UseURL1 13241300x8000000000000000332428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe\(Default)C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE 13241300x8000000000000000332427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MsoHtmEd.exe\UseURL1 13241300x8000000000000000332426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoasb.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\msoasb.exe 13241300x8000000000000000332425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:07.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoadfsb.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\msoadfsb.exe 13241300x8000000000000000332424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\skypecast15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\tel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sip\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15TelProtocol.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15Join.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15ClassicJoin.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-filelink\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15classic\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-chan\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\callto\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sips\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\conf\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\im\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x8000000000000000332410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 23542300x8000000000000000332407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:07.781{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC21800D2E7CE9370A2C8964D46AEA0,SHA256=67C6368782DD99CC4A5FA7A685FB6C0CED4F57C703D83CCFDFD4C625D0552518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x8000000000000000332402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.TableOfContents.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /navigate "%%1" 13241300x8000000000000000332398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.TableOfContents\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /navigate "%%1" 13241300x8000000000000000332397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Package\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /print "%%1" 13241300x8000000000000000332395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /new "%%1" 13241300x8000000000000000332392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x8000000000000000332391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.750{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-word\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Wizard.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.719{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" 13241300x8000000000000000332369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.703{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.687{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x8000000000000000332349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordxmlfile\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x8000000000000000332341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.672{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.656{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x8000000000000000332324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x8000000000000000332321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x8000000000000000332320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x8000000000000000332318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x8000000000000000332317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x8000000000000000332316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.AutoRecovery.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x8000000000000000332315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.AutoRecovery.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x8000000000000000332314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcals\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.640{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcal\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.stssync.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.webcal.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\stssync\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feeds\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feed\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.mailto.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x8000000000000000332306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.feed.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x8000000000000000332305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\AtWorkRendering\shell\PrintTo\command\(Default)0 13241300x8000000000000000332304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.vcs.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /vcal "%%1" 13241300x8000000000000000332303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.vcf.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /v "%%1" 13241300x8000000000000000332302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.pst.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /pst "%%1" 13241300x8000000000000000332301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /p "%%1" 13241300x8000000000000000332300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /t "%%1" 13241300x8000000000000000332299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.594{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /t "%%1" 13241300x8000000000000000332298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.msg.15\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /p "%%1" 13241300x8000000000000000332297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.msg.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "%%1" 13241300x8000000000000000332296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.ics.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /ical "%%1" 13241300x8000000000000000332295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.hol.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /hol "%%1" 13241300x8000000000000000332294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.eml.15\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE /eml "%%1" 13241300x8000000000000000332293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.578{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-publisher\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /p %%1 *%%2, %%3, %%4 13241300x8000000000000000332290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /p %%1 13241300x8000000000000000332289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /r "%%1" 13241300x8000000000000000332288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /ou "%%u" "%%1" 13241300x8000000000000000332287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /n %%1 13241300x8000000000000000332286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" %%1 13241300x8000000000000000332285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeListShortcut\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" %%1 13241300x8000000000000000332284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.564{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x8000000000000000332281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x8000000000000000332280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x8000000000000000332278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x8000000000000000332277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OrgPlusWOPX.4\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ORGCHART.EXE" %%1 13241300x8000000000000000332275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-powerpoint\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 23542300x8000000000000000332270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:07.549{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123AEF764B68C0AC69ED26FB19791CAD,SHA256=CFF1E720839454D1184F9F639C4C2F7EEE96D80B025A0B24E57F841DCC1571B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x8000000000000000332267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x8000000000000000332266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x8000000000000000332264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x8000000000000000332263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.542{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.542{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x8000000000000000332260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.541{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x8000000000000000332259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.540{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x8000000000000000332257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x8000000000000000332256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.537{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Wizard.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointxmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x8000000000000000332253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.528{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x8000000000000000332250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.518{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.518{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.517{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x8000000000000000332242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.517{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.516{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.515{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.515{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.514{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 23542300x8000000000000000332237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:07.511{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD4412F20220CB81F95059D7E310618,SHA256=B120BE4894112B99E8F02C559C1FA41DC59BDDFF2801AD596A3C14039C11B98C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.510{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x8000000000000000332235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.508{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.508{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.507{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x8000000000000000332232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.507{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.506{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.505{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.505{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.504{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.494{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.493{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x8000000000000000332224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.492{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.467{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.466{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x8000000000000000332219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.463{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.459{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.458{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.457{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x8000000000000000332214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.456{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.455{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.451{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Addin.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.447{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Addin.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" 13241300x8000000000000000332210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.443{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.436{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.436{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.436{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.431{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.431{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.427{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.424{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.424{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.419{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.414{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x8000000000000000332197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.410{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.408{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.405{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.404{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.399{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x8000000000000000332190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.398{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x8000000000000000332189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x8000000000000000332188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x8000000000000000332187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x8000000000000000332186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x8000000000000000332185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x8000000000000000332184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\EditText\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x8000000000000000332183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.380{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Edit\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE /y 13241300x8000000000000000332182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Analyze\ddeexec\(Default)(Empty) 13241300x8000000000000000332181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Analyze\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x8000000000000000332180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.378{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-excel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.374{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\ddeexec\topic\(Default)system 13241300x8000000000000000332178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.374{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\ddeexec\(Default)[new()][newwebquery?("%%1")] 13241300x8000000000000000332177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.374{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /w "%%1" 13241300x8000000000000000332176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.373{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.366{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.365{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE /q "%%1" 13241300x8000000000000000332173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.365{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x8000000000000000332171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.361{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.361{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.361{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.356{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.356{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.345{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.342{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.342{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.339{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.335{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.335{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.334{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.334{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.332{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.332{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.332{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.330{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.330{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.330{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.323{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excelhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x8000000000000000332133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.321{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.321{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.320{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.318{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.317{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.317{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.316{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.315{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.315{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.315{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.313{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.309{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.304{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.304{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.304{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.304{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.304{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.301{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.291{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.291{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.291{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.290{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.290{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.289{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.289{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.287{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.285{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.283{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excelhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x8000000000000000332090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.281{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.280{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.280{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.279{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.279{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.279{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.278{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.277{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.277{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.277{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.275{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.274{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.270{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.269{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.269{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.268{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.268{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.267{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.267{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.266{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.266{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.264{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.263{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.256{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.255{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.254{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.254{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.252{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.252{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x8000000000000000332055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.248{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.248{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.243{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.XLL\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.XLL\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "%%1" 13241300x8000000000000000332051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.237{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.237{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.236{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Open\ddeexec\(Default)(Empty) 23542300x8000000000000000332047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:07.235{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F89D189C8D9B1410F81445F56E40929,SHA256=5A86BF1300634AD9C7348924D8E051FDB4582DD4384D32C128866FEC2A0A7A74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.235{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.233{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.AddInMacroEnabled\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.210{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.AddInMacroEnabled\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.206{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Addin\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.206{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Addin\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.202{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SLK\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.202{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SLK\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.198{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\rqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x8000000000000000332036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.189{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\oqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x8000000000000000332035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.187{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x8000000000000000332034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.186{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x8000000000000000332033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.185{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x8000000000000000332032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x8000000000000000332031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.183{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.183{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.182{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x8000000000000000332028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x8000000000000000332027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\New\ddeexec\(Default)(Empty) 13241300x8000000000000000332024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.177{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x8000000000000000332023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x8000000000000000332022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x8000000000000000332021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.170{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\open\ddeexec\(Default)(Empty) 13241300x8000000000000000332020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.170{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x8000000000000000332019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x8000000000000000332018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.165{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\open\ddeexec\(Default)(Empty) 13241300x8000000000000000332017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.164{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x8000000000000000332016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.163{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x8000000000000000332015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Print\ddeexec\(Default)(Empty) 13241300x8000000000000000332014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x8000000000000000332013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Open\ddeexec\(Default)(Empty) 13241300x8000000000000000332012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x8000000000000000332011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.147{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000332010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.140{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000332009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.139{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000332008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.139{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\(Default)[SetForeground][OpenModule "%%1"] 13241300x8000000000000000332007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.138{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenModule "%%1"] 13241300x8000000000000000332006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.136{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000332005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.136{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000332004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.135{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\(Default)[SetForeground][ShellOpenMacro "%%1"] 13241300x8000000000000000332003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.134{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%%1"] 13241300x8000000000000000332002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.132{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000332001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.132{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000332000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.130{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\(Default)[SetForeground][ShellOpenMacro "%%1", 1] 13241300x8000000000000000331999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%%1", 1] 13241300x8000000000000000331998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\(Default)[SetForeground][OpenDiagram "%%1"] 13241300x8000000000000000331995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%%1"] 13241300x8000000000000000331994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\(Default)[SetForeground][OpenView "%%1"] 13241300x8000000000000000331991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.122{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%%1"] 13241300x8000000000000000331990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.121{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.121{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.121{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\(Default)[SetForeground][OpenView "%%1", 1] 13241300x8000000000000000331987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.120{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%%1", 1] 13241300x8000000000000000331986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.115{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.114{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.114{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x8000000000000000331983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.114{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x8000000000000000331982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x8000000000000000331979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x8000000000000000331978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.111{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\(Default)[SetForeground][OpenQuery "%%1", 2] 13241300x8000000000000000331975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.109{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1", 2] 13241300x8000000000000000331974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\(Default)[SetForeground][OpenQuery "%%1"] 13241300x8000000000000000331971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.107{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1"] 13241300x8000000000000000331970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.107{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\(Default)[SetForeground][OpenQuery "%%1", 1] 13241300x8000000000000000331967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1", 1] 13241300x8000000000000000331966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-access\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x8000000000000000331965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.100{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.100{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.099{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\(Default)[SetForeground][OpenStoredProcedure "%%1"] 13241300x8000000000000000331962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.097{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%%1"] 13241300x8000000000000000331961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.097{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.097{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.097{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\(Default)[SetForeground][OpenStoredProcedure "%%1", 1] 13241300x8000000000000000331958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.097{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%%1", 1] 13241300x8000000000000000331957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.093{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.093{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x8000000000000000331954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x8000000000000000331953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x8000000000000000331950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x8000000000000000331949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.088{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.088{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.087{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\(Default)[SetForeground][OpenForm "%%1", 2] 13241300x8000000000000000331946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.087{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1", 2] 13241300x8000000000000000331945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\(Default)[SetForeground][OpenForm "%%1"] 13241300x8000000000000000331942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.085{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1"] 13241300x8000000000000000331941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.084{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.083{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.082{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\(Default)[SetForeground][OpenForm "%%1", 1] 13241300x8000000000000000331938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1", 1] 13241300x8000000000000000331937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\(Default)[SetForeground][OpenForm "%%1", 3] 13241300x8000000000000000331934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenForm "%%1", 3] 13241300x8000000000000000331933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\(Default)[SetForeground][OpenDataAccessPage "%%1"] 13241300x8000000000000000331930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%%1"] 13241300x8000000000000000331929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\(Default)[SetForeground][OpenDataAccessPage "%%1", 1] 13241300x8000000000000000331926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%%1", 1] 13241300x8000000000000000331925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x8000000000000000331922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x8000000000000000331921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x8000000000000000331918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x8000000000000000331917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\(Default)[SetForeground][OpenReport "%%1", 2] 13241300x8000000000000000331914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 2] 13241300x8000000000000000331913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\(Default)[SetForeground][OpenReport "%%1", 2] 13241300x8000000000000000331910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 2] 13241300x8000000000000000331909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\(Default)[SetForeground][OpenReport "%%1", 1] 13241300x8000000000000000331906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 1] 13241300x8000000000000000331905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\(Default)[SetForeground][OpenReport "%%1", 5] 13241300x8000000000000000331902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 5] 13241300x8000000000000000331901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x8000000000000000331898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x8000000000000000331897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.051{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x8000000000000000331894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x8000000000000000331893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\(Default)[SetForeground][OpenTable "%%1", 2] 13241300x8000000000000000331890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1", 2] 13241300x8000000000000000331889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\(Default)[SetForeground][OpenTable "%%1"] 13241300x8000000000000000331886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1"] 13241300x8000000000000000331885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\(Default)[SetForeground][OpenTable "%%1", 1] 13241300x8000000000000000331882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1", 1] 13241300x8000000000000000331881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.035{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\accessthmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" 13241300x8000000000000000331880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Workgroup.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x8000000000000000331879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WizardDataFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x8000000000000000331878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.BlankDatabaseTemplate.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /NEWDB "%%1" 13241300x8000000000000000331877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\accesshtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" 13241300x8000000000000000331875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.020{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1",0,1] 13241300x8000000000000000331872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x8000000000000000331868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\(Default)[SetForeground][ShellNewDatabase "%%1"] 13241300x8000000000000000331865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /n "%%1" 13241300x8000000000000000331864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Extension.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP "%%1" 13241300x8000000000000000331863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\(Default)[SetForeground][OpenFunction "%%1"] 13241300x8000000000000000331860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%%1"] 13241300x8000000000000000331859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\(Default)[SetForeground][OpenFunction "%%1", 1] 13241300x8000000000000000331856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:07.004{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%%1", 1] 13241300x8000000000000000331855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\topic\(Default)ShellSystem 13241300x8000000000000000331854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\ifexec\(Default)[] 13241300x8000000000000000331853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x8000000000000000331852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:06.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 23542300x8000000000000000448195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:08.492{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323478F8AF2EA28C83D2D06F17D6FEBC,SHA256=A114A1558293410BF11FB4E09A569C045A750FC4B1E9ECAE13629D28FAE254FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000332547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBD4A86DC49A33871FDE32C892E334C,SHA256=967EBF5E166823544F1DA118475DCB581E4D3C8AD81D8179B0D9040EE4209AC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.245{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.229{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.224{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{E9729012-8271-4e1f-BC56-CF85F914915A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.218{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.214{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.209{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.192{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.169{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{9BDAC276-BE24-4F04-BB22-11469B28A496}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.169{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.169{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{9432194C-DF54-4824-8E24-B013BF2B90E3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.138{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.138{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.138{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{86F56B7F-A81B-478d-B231-50FD37CBE761}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.124{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.109{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{787A2D6B-EF66-488D-A303-513C9C75C344}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.109{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6E182020-F460-11CE-9BCD-00AA00608E01}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.109{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5E90CC8B-E402-4350-82D7-996E92010608}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.031{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 23542300x8000000000000000332510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.031{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0143875D6D82E0BFCA0D20F5AB279991,SHA256=2F61D8324425F8156E14A49B11FD3F7F8674F725AB17DF3AF6C91893BC0D5523,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.031{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.031{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.029{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.018{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.012{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4C599241-6926-101B-9992-00000B65C6F9}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.007{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4795051A-6429-4D63-BCA0-D706532954AC}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:08.002{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{46E31370-3F7A-11CE-BED6-00AA00611080}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.996{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.957{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.948{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x8000000000000000332496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:07.938{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 23542300x8000000000000000448196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:09.585{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC17E51ABD9DCCA001EDF6FD5ADB544,SHA256=1B340F2DC2CA8ADD13704328DC73C21DC80075C767F55D3C3C050682D341D5C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000332550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.844{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.844{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.844{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:10.648{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B19A0DFE26BA2C4138BF6B89899B4D,SHA256=34CD2BCF5927B81D20EA8665DC1A8F53F116AE136142B44A73FF1840672658FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000332551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:09.751{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B7DD6B863C33D99F291B4002DF5C1,SHA256=AFC986D0A8558AD90A94477DCC4D6EE5E321C724F131FA547B420315E2942A75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:10.909{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLCTL.DLL 23542300x8000000000000000448199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:11.752{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8E25BA78DBEC2BC66AEC426A610FD8,SHA256=CACEC857BAAD7C699A1E96A45319143AD5D181D7BF2CA46C32A7A9012F08EEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:11.694{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-103MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000332552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:08.389{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51010-false10.0.1.12-8000- 354300x8000000000000000448202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:09.816{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:12.729{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B15215E7EFC320944D96E75982295,SHA256=FD8C1A786E5D60F383D9E2D5B68FCA07084E38594C8DFC11027A01B80ABB56FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:12.700{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000332558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:11.280{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D73B5FE97604932163799C86F314E2,SHA256=A834DA104C25A094C5BFD0691E50400E8DF3EB080C1F64418754D9A48557DECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000332557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:11.147{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000332556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:11.147{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000332555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:11.147{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000332554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:11.147{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 13241300x8000000000000000332559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:11.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\InprocServer32\(Default)mapi32.dll 23542300x8000000000000000448203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:13.814{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2F340BC3137464C2820F6305F2899A,SHA256=1566EFEA76DE8C98D24EC6C41F44D6BE74477960E47FEC705331A9D652B1E5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:14.912{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E3CF0C34F1936804C9E626BF11F79E,SHA256=217887266D10DB9D26CDC5BEA6CBBF43E5260DC44DCB412B1CA71537917FE7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000332560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:12.277{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=92C651ADF579D7932CEF97888FF13A05,SHA256=8C42A8ACF37DD275DFA98652F5C4090E272A7DA9F15420AD099E25AF1F2CE857,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000332765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.799{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.798{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.798{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B499-63D3-DA03-00000000BD02}5788C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.798{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8788|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.783{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-B499-63D3-DB03-00000000BD02}57923388C:\Windows\system32\conhost.exe{72106695-B499-63D3-DA03-00000000BD02}5788C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.767{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000332691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.753{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=9D709253D0D3EF4CBB4CF7BC10276AC7,SHA256=B2BE692D9794337588A16DB43A09371F3D18154E98171856CD4B739998C4D291,IMPHASH=C96E4BCFCDB1BA383604F04AB3452B2F{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000332690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5788C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{00000000-0000-0000-0000-000000000000}5788C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599c1c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1f04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c683|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cb94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.752{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D703-00000000BD02}5668C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D703-00000000BD02}5668C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-D703-00000000BD02}5668C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.736{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58565028C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.720{72106695-B499-63D3-D803-00000000BD02}49965504C:\Windows\system32\conhost.exe{72106695-B499-63D3-D703-00000000BD02}5668C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000332657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000332656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.705{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B499-63D3-D803-00000000BD02}4996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.705{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000332654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\FTA_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.705{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 734700x8000000000000000332643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.689{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000332642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.689{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000332641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.689{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000332640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.689{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5668C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.689{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{00000000-0000-0000-0000-000000000000}5668C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599ac7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c2080|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cb2b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000332638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.689{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.689{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x8000000000000000332636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:25:13.689{72106695-B403-63D3-B103-00000000BD02}6092\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000332635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-D503-00000000BD02}5232C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-D503-00000000BD02}5232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-D503-00000000BD02}5232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.673{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.660{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.660{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.660{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.644{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.644{72106695-B499-63D3-D603-00000000BD02}51483528C:\Windows\system32\conhost.exe{72106695-B499-63D3-D503-00000000BD02}5232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.641{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B499-63D3-D603-00000000BD02}5148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.635{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.635{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{00000000-0000-0000-0000-000000000000}5232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599ac7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+59995e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1a19|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c754|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cae0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.634{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x13ffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.633{72106695-B102-63D3-1103-00000000BD02}3676104C:\Windows\system32\winlogon.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\winlogon.exe+60dea|C:\Windows\system32\winlogon.exe+3508a|C:\Windows\system32\winlogon.exe+1bbfd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.628{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.628{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.628{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000332616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:13.619{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor2023-01-27 11:25:13.619 11241100x8000000000000000332615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:13.617{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office2023-01-27 11:25:13.617 10341000x8000000000000000332614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.615{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-D203-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.615{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-D203-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000332612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:13.614{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523S-1-5-18v2.26|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|LUOwn=S-1-5-18|M=microsoft.windows.fontdrvhost|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host| 10341000x8000000000000000332611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.613{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.613{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.613{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 13241300x8000000000000000332608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:13.613{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e03) 13241300x8000000000000000332607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:13.613{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9414DA0D-42B9-4088-A5D9-2E37CA752203}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 13241300x8000000000000000332606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:13.612{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e02) 13241300x8000000000000000332605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:13.612{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{234A5DF6-F7C2-4B67-9373-F74B81231CA3}v2.26|Action=Block|Active=TRUE|Dir=In|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 10341000x8000000000000000332604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.611{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-D203-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.586{72106695-B499-63D3-D303-00000000BD02}43646040C:\Windows\system32\conhost.exe{72106695-B499-63D3-D203-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.586{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.585{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B499-63D3-D303-00000000BD02}4364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.580{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B499-63D3-D203-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.579{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{00000000-0000-0000-0000-000000000000}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599937|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1a19|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c754|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cae0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.575{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.574{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.572{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.570{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.570{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.558{72106695-B499-63D3-D103-00000000BD02}44925240C:\Windows\system32\conhost.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.549{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B499-63D3-D103-00000000BD02}4492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.543{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.543{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-D003-00000000BD02}4676C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599ac7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599c69|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1f04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c683|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cae0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.538{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.538{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.536{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.522{72106695-B499-63D3-CF03-00000000BD02}6561948C:\Windows\system32\conhost.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.511{72106695-B499-63D3-CE03-00000000BD02}45565464C:\Windows\system32\conhost.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.511{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B499-63D3-CF03-00000000BD02}656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.504{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.504{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-CD03-00000000BD02}1864C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599c1c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1f04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c683|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cae0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.502{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.497{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.497{72106695-B403-63D3-B103-00000000BD02}60924348C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cb9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11572b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+115592|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66cb1d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66b65e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000332578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:25:13.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail - en-us\PublisherMicrosoft Corporation 17141700x8000000000000000332577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:25:13.467{72106695-B499-63D3-CB03-00000000BD02}5856\ShellEx_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 17141700x8000000000000000332576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:25:13.467{72106695-B499-63D3-CB03-00000000BD02}5856\FTA_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 10341000x8000000000000000332575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.466{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.466{72106695-9B84-63D3-0B00-00000000BD02}6282476C:\Windows\system32\lsass.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000332573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:25:13.465{72106695-B499-63D3-CB03-00000000BD02}5856\ShortcutNotifier_5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 10341000x8000000000000000332572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.426{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.426{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.426{72106695-B403-63D3-B103-00000000BD02}60924600C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1a68f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1aa2e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+19c2a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1ae1f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1f5e3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1ed69|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+1da56|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+8d3ef|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+d82d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+5000b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+5143b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+507be|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000332569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:13.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\protocols\mailto\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x8000000000000000332568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:13.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /recycle 23542300x8000000000000000332567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:12.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE50183EC9B268F7F329CEE7EB63BBE2,SHA256=16673EFDF3DA6E72E5EE300D3C509A8E62FC5674370A34FFC26FEB69FC494ED7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000332566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000332565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000332564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000332563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d93242-0x058cc32a) 13241300x8000000000000000332562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000332561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:12.648{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x8000000000000000333116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.992{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\620525.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.990{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF503B94C8193C840.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000333114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.990{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF8900C14BC21B718.TMPMD5=34F0D705A33073CD6B74C6AAF9D88BC6,SHA256=E624B5637D659464A30C8891011C017C1291D1EBDD2684E92EBEB8B9F1137D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.967{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI112B.tmpMD5=05BF52601A17F9C4F73C4E5104F61906,SHA256=3B8FDD75D25CA3D47C43A1D7EC614CEF735AAD3B5BD1B07E83BB98BEE9C86DA2,IMPHASH=9E51A8485B8EAB753B3803CFEA838504truefalse - insufficient disk space 10341000x8000000000000000333112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.945{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.944{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.869{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI109E.tmpMD5=05BF52601A17F9C4F73C4E5104F61906,SHA256=3B8FDD75D25CA3D47C43A1D7EC614CEF735AAD3B5BD1B07E83BB98BEE9C86DA2,IMPHASH=9E51A8485B8EAB753B3803CFEA838504truefalse - insufficient disk space 10341000x8000000000000000333109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.843{72106695-B49C-63D3-E303-00000000BD02}60605600C:\Windows\System32\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7184|C:\Windows\System32\MsiExec.exe+8e17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.834{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B49C-63D3-E303-00000000BD02}6060C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.812{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B49C-63D3-E303-00000000BD02}6060C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.812{72106695-B499-63D3-D903-00000000BD02}57764536C:\Windows\system32\msiexec.exe{72106695-B49C-63D3-E303-00000000BD02}6060C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.812{72106695-B49C-63D3-E303-00000000BD02}6060C:\Windows\System32\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding D71DFCB25A15A43176AEBC5F3201D33C E Global\MSI0000C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=9D709253D0D3EF4CBB4CF7BC10276AC7,SHA256=B2BE692D9794337588A16DB43A09371F3D18154E98171856CD4B739998C4D291,IMPHASH=C96E4BCFCDB1BA383604F04AB3452B2F{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000333100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.809{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.809{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.792{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI108D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.792{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.791{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000333095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.326{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51011-false10.0.1.12-8000- 10341000x8000000000000000333094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.364{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.364{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.298{72106695-B499-63D3-D903-00000000BD02}57765864C:\Windows\system32\msiexec.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+e03f7|C:\Windows\system32\Msi.dll+19fbad|C:\Windows\system32\Msi.dll+2eb1e|C:\Windows\system32\Msi.dll+47575|C:\Windows\system32\Msi.dll+10b335|C:\Windows\system32\Msi.dll+10a556|C:\Windows\system32\Msi.dll+f4b1f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.291{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C5A27F0EC1C3B24649D4FAB0190B95,SHA256=433B646C429B9D106C4C660E2EFC026855B88D78DA5EA115F6058D09709888F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:16.213{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD7FB791A175D27264D2D09621C1DC40,SHA256=416256F234E11B51A7453E9D349FE9D17066C221175C401B86D347DD566608D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:16.103{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A84F6AACA0A2D28910C0F3C6CB13A3E,SHA256=15DF0DDCC263FD488EC98259198507859D8A733EE5F24A6B396FBFB0633A2513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000333090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.182{72106695-9B85-63D3-1500-00000000BD02}1040NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-984.datMD5=037838826A5B02F7ADF474375E92457E,SHA256=EF3D23851B54808E070CFF7E9D1CA1E7472AAC3DF7FFBC2A35933D0CDCA3E7AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.134{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=29FD68D43D2C5AF5FAD45CC8E3EE29A4,SHA256=9AEE7F5AD4C1EECF2260B8FD9DE188B71B8861FD6230317599248B42F3B0D1B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.125{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=24F5CD31C781A82216E87A0694B995BF,SHA256=521DB10D229C046BA8F253E47C3156FB1EC05C3700F4F37B1CCD1E684E60BB03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.120{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CB20215C954401EA9F7F2E4CB73C2D,SHA256=ED0C574F36C89A59772161DAAF6076A03C2273F545AE5D08F44CE67B04BD1D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.087{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E1F27CBD5A33A77D7B5F76C1C8F510E,SHA256=BE7E1F0FF2BFD00943DC46BB6545C9A8AAF503A343C6D8E242CFD45882F3A21F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.019{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.018{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.018{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\620523.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:16.011{72106695-9B85-63D3-1500-00000000BD02}1040NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-703.datMD5=D3282DC9D8C875B478872BACB987BDD7,SHA256=503847DAD852C06E826A18D5D2B741F50BD69333737ADFD90E55DAA5431BBD8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.982{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.982{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.982{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.982{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B632DF94B416355FA1ADB71778917408,SHA256=A90CB7751B68E22B9B3075E9AE5BDB3FBC4636AFC6D33B56C5BA8026A441BEE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.626{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbMD5=F601C93127FC952D553A335201AC54E1,SHA256=8199B9979B90549DD93D8BDFE0589FCA1E25334744E4A26658B1B4939CD23FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.592{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.592{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.592{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000333072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.505{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA910B55C5049167EE0DE190AA3D5C77,SHA256=4B22B84D4B1D8B95FA2623B357A0ABA03947F61793DCB6621E7A6CE2DD0D8345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.168{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.158{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.147{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.137{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.126{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.116{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.106{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.095{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.086{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.076{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.066{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.056{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.046{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.036{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.027{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.016{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:15.005{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.995{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.984{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.975{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.965{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.956{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.947{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.938{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.929{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.920{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.910{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.900{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.891{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.881{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.872{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.863{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.854{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.845{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.837{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.828{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.820{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.812{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.804{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.795{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.786{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.776{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.738{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.730{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.721{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.714{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.705{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.690{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.682{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.674{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.666{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.658{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.650{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.641{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.633{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.626{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.618{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.611{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.603{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.594{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.587{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.579{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.570{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.570{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.570{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.569{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.562{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.562{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.562{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.560{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.552{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.544{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.536{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.527{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.518{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.507{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.498{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.489{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.480{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.472{72106695-9B85-63D3-1400-00000000BD02}10321360C:\Windows\system32\svchost.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.472{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.463{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.462{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.456{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.452{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.452{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.447{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.440{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.440{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.440{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.439{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.435{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.435{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.435{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.432{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.432{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.432{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.431{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.430{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.430{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.430{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000332970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.418{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.411{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.403{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.396{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.389{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.382{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.375{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.368{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.361{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.354{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.348{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.342{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.335{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.329{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.323{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.317{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.311{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.303{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.296{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.291{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.284{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.278{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.272{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.265{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.259{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.253{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.248{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.241{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.235{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.230{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.224{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.218{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.212{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.207{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.200{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.194{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.181{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.175{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.170{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.163{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.158{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.152{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.147{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.143{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.143{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.143{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.142{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.136{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.131{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.125{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.119{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.114{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.109{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.104{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.099{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.094{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.089{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.084{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.079{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.065{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.041{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.034{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.029{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.024{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.019{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.014{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.009{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:14.003{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.994{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.989{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.985{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.984{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.982{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.980{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.974{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.967{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.961{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.958{72106695-B499-63D3-E103-00000000BD02}44125892C:\Windows\system32\conhost.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.955{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.949{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.944{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B499-63D3-E103-00000000BD02}4412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.944{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.939{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.938{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.938{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-E003-00000000BD02}5772C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599ac7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+59995e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1a19|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c754|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cb94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.932{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.924{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000332880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:13.923{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Automatic Updates 2.02023-01-27 11:25:13.923 10341000x8000000000000000332879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.919{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-DE03-00000000BD02}5868C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.918{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-DE03-00000000BD02}5868C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.913{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-DE03-00000000BD02}5868C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.913{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.908{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.901{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.896{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.895{72106695-B499-63D3-DF03-00000000BD02}13445912C:\Windows\system32\conhost.exe{72106695-B499-63D3-DE03-00000000BD02}5868C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.890{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.884{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B499-63D3-DF03-00000000BD02}1344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.884{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.878{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.876{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B499-63D3-DE03-00000000BD02}5868C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.875{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{00000000-0000-0000-0000-000000000000}5868C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599937|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1a19|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c754|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cb94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.872{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.868{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.867{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.867{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.863{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.861{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.856{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.854{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.850{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.850{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.850{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.849{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.849{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.849{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.849{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CE03-00000000BD02}4556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.846{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.845{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.845{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.845{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.845{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.845{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.844{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.844{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.844{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.844{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.843{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.843{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.843{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.843{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.843{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-B499-63D3-DD03-00000000BD02}58285756C:\Windows\system32\conhost.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.842{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.841{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.841{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.841{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.841{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.841{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.840{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.840{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.840{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.840{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.839{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.839{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.839{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.837{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.837{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.836{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.836{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.836{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.835{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.835{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.835{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.835{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.835{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.834{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.833{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.832{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.832{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.832{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.832{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.832{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.831{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.831{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.831{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.826{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.826{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.826{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.825{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.825{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.825{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000332780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.825{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B499-63D3-DD03-00000000BD02}5828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.824{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.818{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.817{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.816{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.812{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.812{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000332773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.811{72106695-B403-63D3-B103-00000000BD02}60922240C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B499-63D3-DC03-00000000BD02}5888C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599ac7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+599c69|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6c1f04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63c683|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+63cb94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+68ac04|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.809{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.805{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-DA03-00000000BD02}5788C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.804{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-DA03-00000000BD02}5788C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.800{72106695-B499-63D3-CB03-00000000BD02}58562936C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.800{72106695-B499-63D3-CB03-00000000BD02}58562288C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.800{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+91eb3|c:\windows\system32\fntcache.dll+68192|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:13.799{72106695-B499-63D3-CB03-00000000BD02}58565308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+c427|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+89d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe+8a88|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.957{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF846849AA6B0F221D.TMPMD5=9FC758CABA92B196BC6479D1DBC991F9,SHA256=26B2EBAD244DB26026353D6D4EDB7C18BC88A0B39AEB2A567CE84179EE1D05F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.954{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF04412C30EBFF4AC1.TMPMD5=FC9EA7E35C77C76C9A687BD520B1FFB5,SHA256=4935053ACEADE0F2F9AAEB2A05AF0BB91A7F1E4FF502B2DD16AD2A0A9AC50BC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.948{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\620525.rbsMD5=1197897B36C68E51D489E731C2578FE9,SHA256=EB0A56F94B7C6B1579826A6F1C62506C5AEBF5B2C309F3D8A234D234001699B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.947{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.947{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.947{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.947{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.944{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF0F4DD83F8276A224.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000333208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.943{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFA20467379518AF1C.TMPMD5=34F0D705A33073CD6B74C6AAF9D88BC6,SHA256=E624B5637D659464A30C8891011C017C1291D1EBDD2684E92EBEB8B9F1137D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.939{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF496D52981CDAA2A1.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000333206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.939{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD8F4708FC8CD34C0.TMPMD5=34F0D705A33073CD6B74C6AAF9D88BC6,SHA256=E624B5637D659464A30C8891011C017C1291D1EBDD2684E92EBEB8B9F1137D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.935{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI108D.tmpMD5=C9D9A2170E7DE392744F82FC06820609,SHA256=003D41407A6D831BC1212D92BD289B453918148DFE888CBA1F83C0D056A9F74B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.922{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI1301.tmpMD5=F9186FE5CF991AB986C716B13E6CD038,SHA256=3BC8077A8CF4ADD6A10BEFE91CEF394F50258C252C9490E5FBA982777E5007CF,IMPHASH=1BA6E0B11D86AC38E9C4D61934A54FACtruefalse - insufficient disk space 10341000x8000000000000000333203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.840{72106695-B49D-63D3-E403-00000000BD02}10884028C:\Windows\system32\sppsvc.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\KERNELBASE.dll+2c44d|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7b183|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+538bc|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x8000000000000000333202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.840{72106695-B49D-63D3-E403-00000000BD02}10884028C:\Windows\system32\sppsvc.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\KERNELBASE.dll+2c44d|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7b183|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+538bc|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.819{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164990828E55C74F667005D2B8604F76,SHA256=EFCCBA9051D9A228B14D2ED081B8EAF515784DD7606B015549DD26F27FC704C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.728{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.728{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.728{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49A-63D3-E203-00000000BD02}3960C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.531{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.528{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.527{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.489{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.488{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.436{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.435{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.435{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.420{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.420{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.420{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.410{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.410{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.408{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.407{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.406{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.406{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.405{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.405{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.405{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.405{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:17.862{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BE5C28FBFDDE0FE71780A14C6E00D3EC,SHA256=3A93A58D5E2572524FD856D30333DEC7D6CDC11BA4774F64ABE9CD255A64D639,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:14.912{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:17.204{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F942C921386AFA5228C84A22CF0E0B,SHA256=355C20A21884D4FBA4BD6EB141B6F81BC3B067647F38615DA32F5ABDD5A6E40F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000333176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.404{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.404{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.403{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.403{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.403{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.403{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.402{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.402{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.402{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.402{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.401{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.401{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.400{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.400{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.400{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.399{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.399{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.399{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.398{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.398{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.398{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.397{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.397{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.397{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.396{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.396{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.396{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.396{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.395{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.395{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:17.395{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x8000000000000000333145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:25:17.395{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x8000000000000000333144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:17.395{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\InstallSourceC:\Program Files\Microsoft Office\root\Integration\ 10341000x8000000000000000333143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.394{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.394{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.393{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.392{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.382{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.382{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.253{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.dbMD5=51E3E95726DD84D2B2A16C417D409B12,SHA256=CD20162C960127D17D00DD6F430BBF60157BD53E0B5790F49163F692BCB46D24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.220{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.220{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.219{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.219{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000333132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.213{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vcruntime140.dll2023-01-27 11:25:17.213 11241100x8000000000000000333131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.204{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vccorlib140.dll2023-01-27 11:25:17.203 11241100x8000000000000000333130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.202{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_codecvt_ids.dll2023-01-27 11:25:17.202 11241100x8000000000000000333129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.200{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_atomic_wait.dll2023-01-27 11:25:17.200 11241100x8000000000000000333128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.197{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_2.dll2023-01-27 11:25:17.197 11241100x8000000000000000333127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.196{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_1.dll2023-01-27 11:25:17.196 11241100x8000000000000000333126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.191{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140.dll2023-01-27 11:25:17.191 11241100x8000000000000000333125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.167{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\concrt140.dll2023-01-27 11:25:17.167 11241100x8000000000000000333124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.160{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\vNextDiag.ps12023-01-27 11:25:17.159 254200x8000000000000000333123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10992023-01-27 11:25:17.157{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2002-02-01 19:02:02.0002023-01-27 11:25:17.155 11241100x8000000000000000333122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:25:17.155{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2023-01-27 11:25:17.155 11241100x8000000000000000333121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.153{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPP.VBS2023-01-27 11:25:17.153 11241100x8000000000000000333120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.079{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll2023-01-27 11:25:17.077 11241100x8000000000000000333119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:17.050{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll2023-01-27 11:25:17.050 254200x8000000000000000333118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10992023-01-27 11:25:17.048{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2002-02-01 19:02:02.0002023-01-27 11:25:17.024 11241100x8000000000000000333117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:25:17.024{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2023-01-27 11:25:17.024 10341000x8000000000000000333237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.874{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.874{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.845{72106695-B49E-63D3-E603-00000000BD02}35646100C:\Windows\system32\conhost.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.829{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.829{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.829{72106695-B403-63D3-B103-00000000BD02}60924348C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cb9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11572b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+115592|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+fd15e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66b665|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.824{72106695-B499-63D3-CC03-00000000BD02}4388NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=67BA4D7D97B1E2F20E47BF40FDB81C0E,SHA256=064F2D869A7CC38AA688631DC7D165E807A043E7BCBE6DCC87873115FC63D4E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.824{72106695-B499-63D3-CC03-00000000BD02}4388NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=FE1F629C0D91C4D4987E880CEA0E8D70,SHA256=096D6FEAE7FB2822A200AE1BD2973DD95346596B4C4ABE451853B17E6109233F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.816{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.816{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000333227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.674{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBF50E7EDB7F698255846F4C17544DD,SHA256=6ECC558A917426370CA137E518C0201EB8DC757FF00858AE6748743C452C6871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.469{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.469{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.463{72106695-9B85-63D3-1700-00000000BD02}12241008C:\Windows\System32\svchost.exe{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\integration\integrator.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:18.215{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D8479513AA74C736C280224663268,SHA256=0FBE768CE6BB9ADEEC58881B4946AC8298E8E3AB5BACA40EB1C18C46B2E6F4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000333223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.105{72106695-B499-63D3-CC03-00000000BD02}4388NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1125.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.072{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=8B1BD3ACEA1F7B977EB40DDD6259FAC2,SHA256=F24728A42319C1672DA3327A33E4A72AB6208EA192A0994C1467F565510C8F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.072{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFEF8A9887DE015B0B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000333220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.071{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFB45C6C65A1D8CFE1.TMPMD5=8B1BD3ACEA1F7B977EB40DDD6259FAC2,SHA256=F24728A42319C1672DA3327A33E4A72AB6208EA192A0994C1467F565510C8F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.068{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF9EC2C9FD1FB4F592.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000333218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.068{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF09282F03732FE2A5.TMPMD5=8B1BD3ACEA1F7B977EB40DDD6259FAC2,SHA256=F24728A42319C1672DA3327A33E4A72AB6208EA192A0994C1467F565510C8F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:18.063{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\620523.msiMD5=AE001F6BE0E419AED5A91E84F59079F0,SHA256=FD31699BABE638C34CB2FFE4F9F19EDD3998554DE784BC4956AA067A859EF84F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.952{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BB92F18AFFD4C303DCC18D6CDC460E,SHA256=4F71CB17C48CCDBF5B7CF7EB0DFDE5C1A9B0822AE0AF427C4B18E1B142DF1E73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.661{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.659{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.659{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.653{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.653{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.651{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.649{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.649{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.649{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000333239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.562{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EB06B0583BCFA86B7A35C78702B35E,SHA256=8F49740E445CE64B597F683C14135B7E258B98C53D0E50E12FD15F8E88730F82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:16.828{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59138- 10341000x8000000000000000448230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.649{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.626{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.610{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.602{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.599{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.594{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.529{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.490{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.472{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.440{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.421{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.394{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.311{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804D0DDC4F6D8AF37FD618A5A2EC2175,SHA256=5703A87569C29BD7972390AB3972345D1FD276D9F3953CE5D3F3F57A89D57C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000333238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.406{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F43BFA3C546AAE8BA379CF244B4E2D27,SHA256=93279260AF28340CE6BA6CF3D5422A7D915FA669D3AF0694B3CB11E6EEFF786F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.841{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.841{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.840{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.838{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.838{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.838{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.808{72106695-9B85-63D3-1700-00000000BD02}12241604C:\Windows\System32\svchost.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.753{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E603-00000000BD02}3564C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.749{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.744{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.743{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.739{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.721{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.708{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.700{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.695{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.674{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000333290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.666{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6211FD86DC2C94D939103BA7C622764C,SHA256=BD38E781E74D1367BAAF472DA75AD73017E301866F8C5884CFB4D4E4CA890D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.661{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.645{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.644{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.608{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.601{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.588{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.582{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.580{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.577{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.576{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.573{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.570{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.569{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.566{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.566{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000448237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.342{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.339{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.337{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86DA28B2504B1064C52744FA796C18B,SHA256=7FA6977D4B1BD64A82F40ADF3C2551526610E9C270CF8EE9CAD533E51B1B28A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.335{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.332{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:20.330{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000333274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.564{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.562{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.559{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.551{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.547{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x8000000000000000333269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:17.545{72106695-B499-63D3-CC03-00000000BD02}4388C:\Program Files\Microsoft Office\root\Integration\Integrator.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51012-false40.79.189.59-443https 10341000x8000000000000000333268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.539{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.535{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.528{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.514{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.512{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.502{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.466{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.458{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.450{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.441{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000333258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.429{72106695-B49E-63D3-E503-00000000BD02}4860NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1125a.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.423{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.411{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.397{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.396{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.389{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.366{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.359{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000333250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:20.348{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000333600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-FA03-00000000BD02}4668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94efd|C:\Program Files\Microsoft Office\root\integration\integrator.exe+33794e|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 11241100x8000000000000000333592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:21.972{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn20162023-01-27 11:25:21.972 10341000x8000000000000000333591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.972{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.972{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.972{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.957{72106695-B4A1-63D3-F803-00000000BD02}46925420C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F803-00000000BD02}4692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94d1a|C:\Program Files\Microsoft Office\root\integration\integrator.exe+338006|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.951{72106695-B4A1-63D3-F703-00000000BD02}1372C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000333579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.943{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.927{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.927{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.910{72106695-B4A1-63D3-F603-00000000BD02}43643528C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.910{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.910{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.895{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.895{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.895{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F603-00000000BD02}4364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.895{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94efd|C:\Program Files\Microsoft Office\root\integration\integrator.exe+33794e|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.904{72106695-B4A1-63D3-F503-00000000BD02}4552C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 13241300x8000000000000000333567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll 13241300x8000000000000000333566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Tec.dll 13241300x8000000000000000333565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.895{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\MSGFILT.DLL 13241300x8000000000000000333556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\OLMAPI32.DLL 13241300x8000000000000000333555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A0D4CD32-5D5D-4f72-BAAA-767A7AD6BAC5}\shell\open\command\(Default)"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe" rundll32.exe shell32.dll,Control_RunDLL "C:\Program Files\Microsoft Office\root\Office16\MLCFG32.CPL" 13241300x8000000000000000333554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MAPISHELL.DLL 13241300x8000000000000000333553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.879{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.864{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.864{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.864{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Outlook\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000333547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.848{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Outlook\EventMessageFileC:\Program Files\Microsoft Office\root\Office16\1033\MAPIR.DLL 13241300x8000000000000000333546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.848{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Outlook\VersionDWORD (0x0000000d) 23542300x8000000000000000333545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.848{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=77D59F2C2D8BC491DF6AE32D78C68913,SHA256=1B369136BDD124C99D9DA73104CE9241C2CD5F81D1844E15B7F6B921C65690CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.832{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll 13241300x8000000000000000333543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.832{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Tec.dll 23542300x8000000000000000333542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.832{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C146EFDFBBF4F950FA1FDF4F898100,SHA256=11FDCD7AE47EDA11ECE6D6286A6B05DD95DEE030240584F0EE0A48464F454228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.832{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.832{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.832{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\MSGFILT.DLL 13241300x8000000000000000333532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 23542300x8000000000000000333529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.817{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=C367950DE4250257F40B938D05A20D4A,SHA256=520CC4168DF58532BEB5419C66ED077848522A99A3439213B5A846A89446DA77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.803{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:25:21.803{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\Applications\PublisherC:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE 23542300x8000000000000000333526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.803{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=F17CC57C012C506F3365AABAEB165736,SHA256=9837469654827BB9D718D54D1D5166502B19531773C747A23C22A0AB46277131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000333525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:21.787{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Performance Monitor2023-01-27 11:25:21.787 10341000x8000000000000000333524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.786{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.786{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.783{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.782{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F60C488F577389C48FBDE1330C8FCE,SHA256=5957FEA8A5F731AF006F9C8270FA5C88ABD8DFA203A640A9BA4EC2638DFC4AEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A4DB0517FD90CF5B916C478BE22AD1,SHA256=3EF1C4F215FC4B1B370A7CA370564898D172FF63F7AE44A43165D4F701AEF62B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.769{72106695-B4A1-63D3-F403-00000000BD02}25802044C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.765{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.765{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.765{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.765{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.760{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F403-00000000BD02}2580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.754{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.754{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94d1a|C:\Program Files\Microsoft Office\root\integration\integrator.exe+338006|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.754{72106695-B4A1-63D3-F303-00000000BD02}656C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000333510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.753{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.753{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.753{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.753{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.745{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2159469C8D3C1F3B639C28F263EEE69D,SHA256=1E2B3120CC068604A59B8F9DB9FF12A1A7A431276AE3D17C2AC1122E8AB69B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.744{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.744{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.739{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.732{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.732{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.732{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.732{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.727{72106695-B4A1-63D3-F203-00000000BD02}55121864C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.720{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.720{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.720{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.720{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.719{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F203-00000000BD02}5512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.714{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.714{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94efd|C:\Program Files\Microsoft Office\root\integration\integrator.exe+33794e|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.714{72106695-B4A1-63D3-F103-00000000BD02}1240C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\Office Performance Monitor"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 13241300x8000000000000000333489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.712{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.712{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MsoAdfPs.DLL 13241300x8000000000000000333487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.712{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.711{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{807583E5-5146-11D5-A672-00B0D022E945}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLMF.DLL 10341000x8000000000000000333485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.705{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.705{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.705{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.704{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000333481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:21.702{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature Updates Logon2023-01-27 11:25:21.702 10341000x8000000000000000333480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.699{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.699{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.695{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.695{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.695{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.694{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.682{72106695-B4A1-63D3-F003-00000000BD02}57046140C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.674{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-F003-00000000BD02}5704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.669{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.668{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{00000000-0000-0000-0000-000000000000}4580C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94d1a|C:\Program Files\Microsoft Office\root\integration\integrator.exe+338006|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.669{72106695-B4A1-63D3-EF03-00000000BD02}4580C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000333468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.660{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.660{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.660{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.660{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.660{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.659{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.659{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.659{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.656{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.656{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.656{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.655{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.639{72106695-B4A1-63D3-EE03-00000000BD02}52606012C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.631{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-EE03-00000000BD02}5260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.626{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.625{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{00000000-0000-0000-0000-000000000000}4356C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94efd|C:\Program Files\Microsoft Office\root\integration\integrator.exe+33794e|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.625{72106695-B4A1-63D3-ED03-00000000BD02}4356C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 11241100x8000000000000000333451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:21.603{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature Updates2023-01-27 11:25:21.603 10341000x8000000000000000333450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.603{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-EB03-00000000BD02}4584C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.603{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-EB03-00000000BD02}4584C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.587{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-EB03-00000000BD02}4584C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.572{00000000-0000-0000-0000-000000000000}47282384C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-EB03-00000000BD02}4584C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.572{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.556{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4584C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.556{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{00000000-0000-0000-0000-000000000000}4584C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94d1a|C:\Program Files\Microsoft Office\root\integration\integrator.exe+338006|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.570{72106695-B4A1-63D3-EB03-00000000BD02}4584C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000333442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.556{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E903-00000000BD02}5516C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.556{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E903-00000000BD02}5516C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.556{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E903-00000000BD02}5516C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.525{00000000-0000-0000-0000-000000000000}59363920C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}5516C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.525{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.525{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5516C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.525{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{00000000-0000-0000-0000-000000000000}5516C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94efd|C:\Program Files\Microsoft Office\root\integration\integrator.exe+33794e|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.526{72106695-B4A1-63D3-E903-00000000BD02}5516C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 13241300x8000000000000000333434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.525{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL 13241300x8000000000000000333432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSSOAP30.DLL 13241300x8000000000000000333431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\TypesSupportedDWORD (0x00000001) 13241300x8000000000000000333430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\CategoryMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSSOAP30.DLL 13241300x8000000000000000333429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\CategoryCountDWORD (0x00000004) 13241300x8000000000000000333428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft Office 16\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000333427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft Office 16\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSORES.DLL;C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE 13241300x8000000000000000333426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\Microsoft Office 16 Alerts\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000333425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\Microsoft Office 16 Alerts\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\OFFREL.DLL 13241300x8000000000000000333424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\RetentionDWORD (0x00000000) 13241300x8000000000000000333423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\PrimaryModuleOAlerts 13241300x8000000000000000333422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\MaxSizeDWORD (0x00020000) 13241300x8000000000000000333421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\DisplayNameIDDWORD (0x00000066) 13241300x8000000000000000333420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\DisplayNameFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\OFFREL.DLL 13241300x8000000000000000333419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D66DC78C-4F61-447F-942B-3FB6980118CF}{D66DC78C-4F61-447F-942B-3FB6980118CF} 13241300x8000000000000000333418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}{506F4668-F13E-4AA1-BB04-B43203AB3CC0} 13241300x8000000000000000333417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.509{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x8000000000000000333416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x8000000000000000333415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x8000000000000000333414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x8000000000000000333413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x8000000000000000333412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{000D0E00-0000-0000-C000-000000001157}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x8000000000000000333411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x8000000000000000333410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x8000000000000000333409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{000D0E00-0000-0000-C000-000000001157}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x8000000000000000333408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Application\(Default)IExplore 13241300x8000000000000000333407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x8000000000000000333406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\topic\(Default)WWW_OpenURL 13241300x8000000000000000333405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:21.494{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"%%ProgramFiles%%\Internet Explorer\iexplore.exe" -nohome 13241300x8000000000000000333404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.478{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Application\(Default)IExplore 13241300x8000000000000000333402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Classes\VisioViewer.Viewer\shell\open\ddeexec\ApplicationDWORD (0x00000000) 13241300x8000000000000000333401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x8000000000000000333400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\topic\(Default)WWW_OpenURL 13241300x8000000000000000333399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"%%ProgramFiles%%\Internet Explorer\iexplore.exe" -nohome 13241300x8000000000000000333398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{355822FC-86F1-4BE8-B5F0-A33736789641}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{72B66649-3DBF-429F-BD6F-7774A9784B78}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{33154C99-BF49-443D-A73C-303A23ABBE97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.462{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 354300x8000000000000000333387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51013-false10.0.1.12-8000- 13241300x8000000000000000333386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{355822FC-86F1-4BE8-B5F0-A33736789641}Microsoft Word Thumbnail Handler 13241300x8000000000000000333385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}Microsoft Visio Thumbnail Handler 13241300x8000000000000000333384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35C5242B-7455-4F9C-962B-369EA43ED6F3}Microsoft PowerPoint Thumbnail Handler 13241300x8000000000000000333383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72B66649-3DBF-429F-BD6F-7774A9784B78}Microsoft Excel Thumbnail Handler 13241300x8000000000000000333382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}Microsoft Access Thumbnail Handler 13241300x8000000000000000333381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}Microsoft Word Metadata Handler 13241300x8000000000000000333380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}Microsoft Visio Metadata Handler 13241300x8000000000000000333379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}Microsoft PowerPoint Metadata Handler 13241300x8000000000000000333378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{33154C99-BF49-443D-A73C-303A23ABBE97}Microsoft Excel Metadata Handler 13241300x8000000000000000333377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}Microsoft Access Metadata Handler 13241300x8000000000000000333376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoxev.dll 13241300x8000000000000000333375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL 13241300x8000000000000000333374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL 13241300x8000000000000000333373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\mso-minsb-roaming.16DWORD (0x00000000) 13241300x8000000000000000333372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL 13241300x8000000000000000333371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.447{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\mso-minsb.16DWORD (0x00000000) 13241300x8000000000000000333370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{42089D2D-912D-4018-9087-2B87803E93FB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL 13241300x8000000000000000333369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\osf-roaming.16DWORD (0x00000000) 13241300x8000000000000000333368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{42089D2D-912D-4018-9087-2B87803E93FB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL 13241300x8000000000000000333367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\osf.16DWORD (0x00000000) 13241300x8000000000000000333366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL 13241300x8000000000000000333365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{68CED213-317D-3F27-9036-A33240DA522E}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{07B06095-5687-4D13-9E32-12B4259C9813}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9800F18F-3D86-4744-A7D0-540989C86D7B}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.415{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.400{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 354300x8000000000000000448240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.216{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61562- 354300x8000000000000000448239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.163{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56716- 23542300x8000000000000000448238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:21.437{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED537B9279FD691D7738A82847FA6ED,SHA256=2098942F1AA11CA763FB2DC8AC82CD043A4E2738B583EE06CB4DC7B0C78C1B1F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000333343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x8000000000000000333342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x8000000000000000333341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x8000000000000000333340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x8000000000000000333339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.369{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll 13241300x8000000000000000333329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Tec.dll 13241300x8000000000000000333328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\MSGFILT.DLL 13241300x8000000000000000333319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\Applications\WINWORD.EXE\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "%%1" 13241300x8000000000000000333318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:21.324{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 11241100x8000000000000000333317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:25:21.304{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe2023-01-27 11:25:21.304 10341000x8000000000000000333316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.221{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.221{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.206{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.174{72106695-B4A1-63D3-E803-00000000BD02}55485408C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.174{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.174{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.174{72106695-B403-63D3-B103-00000000BD02}60924348C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cb9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11572b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+115592|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3de808|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66b66d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.160{72106695-B49E-63D3-E503-00000000BD02}4860NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=4EB95D55FD5E24045F8D3958752F10D7,SHA256=4FAD6BEE08BB395CD5FA6B2085C534FDC5C416BDC059D6FA79BB8719139EDFE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.160{72106695-B49E-63D3-E503-00000000BD02}4860NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=EE622BB222AFA06641976C5CC9B09409,SHA256=148637217E44EEBFAAA9A732E37C2D24C27898BF8D546B7BBBB3DAB03B518DE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.973{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.973{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.973{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.973{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.973{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-DriverVerSetValue2023-01-27 11:25:22.973{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-4\Send to Microsoft OneNote 16 Driver\DriverVersion16.0.7629.4000 11241100x8000000000000000333852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.957{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exeC:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\prnms006.PNF2023-01-27 11:25:22.957 23542300x8000000000000000333851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\SendToOneNoteNames.gpdMD5=5047CEC9C08AA6B6CE46BDACCEFE986A,SHA256=551FED688509A5D587AB0082E1E612FC7D2485595F2B55BC300FDC5F83BB036B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\SendToOneNoteFilter.dllMD5=3662BF5C56E4DF7FEBDC3CFD08E9E4D5,SHA256=21BBCC0E7193755159A1D841BB6EE9A580A0FA4F1BBE95B4C2C36C118BCDF012,IMPHASH=AB24A902F724D73A3FC0AAF53CD78A28truefalse - insufficient disk space 23542300x8000000000000000333849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\SendToOneNote.gpdMD5=9D77694DAF3D4E5073633D0DAF5CD720,SHA256=B1B5E571607D91B5E1611E1310238C83F4E219C02AFF47608C289FE01D9C2D4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\SendToOneNote-pipelineconfig.xmlMD5=D7EF893DB4590A85390F72194D40C0B0,SHA256=5B437FD2A956337F71E8E69E9231D844F95BD5C6420DDF0C0155624E7D7168A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\SendToOneNote-manifest.iniMD5=91CE083419EBD92711946F7525E61835,SHA256=30AD3DDC45EFB0EC9D2557CBD226E522F2CA78C40A10CF7576B437F7F735EA38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\prnSendToOneNote.catMD5=46617152A7D964CF3532EE008A4EAA19,SHA256=C73BE7A5E5B3D641EDD93AAD497B0C1AD0587AD9998F166229FCDC02668C481B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-B4A2-63D3-FD03-00000000BD02}5892NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\Temp\{55523e75-4262-114e-b265-04f3c1fcdbba}\prnms006.infMD5=F6BBD70FA6229EAC8AF2B7D62BDB2BB8,SHA256=378C6DA2C15D79A8F79EFF3AA4F5F13AE64EB9B760DC061E5A488992A1D874D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\TMP288A.tmpMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.942{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.catMD5=4A5F824EAF928C0A747638B6C35841B7,SHA256=B89BC9373DB494AC8E078AB18DC076DE0F67219CB9B13D98D4253A958878A5FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.928{72106695-9B85-63D3-1700-00000000BD02}1224NT AUTHORITY\NETWORK SERVICEC:\Windows\System32\svchost.exeC:\Windows\System32\CatRoot\TMP288A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.892{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.892{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.892{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000333824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.698{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2023-01-27 11:25:22.698 11241100x8000000000000000333823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.693{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b6142023-01-27 11:25:22.693 23542300x8000000000000000333822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.685{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B942FB5FBB4B029D92AF744B9C4326C,SHA256=F238A831087B8EAF8E5FDBAA37402033A5F111B1B54E5672C4210D8D65152994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.618{72106695-B4A2-63D3-FD03-00000000BD02}58924412C:\Windows\system32\DrvInst.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.602{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\umpnpmgr.dll+a82c|c:\windows\system32\umpnpmgr.dll+9dc7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.607{72106695-B4A2-63D3-FD03-00000000BD02}5892C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "4" "9" "C:\Program Files\Microsoft Office\root\Office16\OneNote\\prnms006.inf" "9" "44b58805b" "0000000000000B38" "Service-0x0-3e7$\Default" "0000000000000B3C" "208" "C:\Program Files\Microsoft Office\root\Office16\OneNote\"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000333813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.493{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3429990AFAE4ADB18C830A502CCFB1FB,SHA256=78C89B0A27D5A76F41118EF113E23D390FAF80623443D09487EE279C15F30624,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.446{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x8000000000000000333803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.431{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 23542300x8000000000000000333802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.431{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=2C3BBD50996DEDB7E2878754A4151736,SHA256=802B14C26A57BADB978BD6A6F67717F68AFD1A06BBD7CE8A7B664CDF3F20B5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.431{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=4BBCC2945FF92C7EB947352238DC5D71,SHA256=C717B2F6ECBF0FFA128E5D8F7480BD9E0522A99A2975CF536815EC817789F7A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.415{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=21CE372E7E684D43529B284A5ABD026B,SHA256=EBD3BCA6FD32B1FE917DA5B1910719981389D183CFAF313AEF611DD4CA0DFDF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.399{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll 13241300x8000000000000000333798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.399{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Tec.dll 13241300x8000000000000000333797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.399{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.399{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\MSGFILT.DLL 13241300x8000000000000000333788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.384{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 23542300x8000000000000000333787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.368{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=19420649C89AE553A33AD67792FC7834,SHA256=3CB9DD96A0FD3ECCCCCAFEFC99CED6652F80ED752E96956BDFCA8EB90400448B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:25:22.352{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\IM Providers\Lync\FriendlyNameMicrosoft Lync 16 13241300x8000000000000000333785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.352{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\AutoHelper.dll 13241300x8000000000000000333784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.352{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\AutoHelper.dll 13241300x8000000000000000333783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll 13241300x8000000000000000333782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll 13241300x8000000000000000333781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonTextLync Click to Call 13241300x8000000000000000333780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer1 13241300x8000000000000000333779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default)Lync Click to Call BHO 13241300x8000000000000000333778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}DWORD (0x00000000) 13241300x8000000000000000333777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Default VisibleYes 13241300x8000000000000000333776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ClsidExtension{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} 13241300x8000000000000000333775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\HotIconC:\Program Files\Microsoft Office\root\Office16\lync.exe,1 13241300x8000000000000000333773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\IconC:\Program Files\Microsoft Office\root\Office16\lync.exe,1 13241300x8000000000000000333772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuTextLync Click to Call 13241300x8000000000000000333771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default)Lync Click to Call 13241300x8000000000000000333770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}DWORD (0x00000000) 13241300x8000000000000000333769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll 13241300x8000000000000000333768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.337{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{10336656-40D7-4530-BCC0-86CD3D77D25F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{a6a2383f-ad50-4d52-8110-3508275e77f7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\UCADDIN.DLL 13241300x8000000000000000333766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.LyncAddin.1\LoadBehaviorDWORD (0x00000003) 13241300x8000000000000000333765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.LyncAddin.1\FriendlyNameSkype Meeting Add-in for Microsoft Office 13241300x8000000000000000333764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.LyncAddin.1\DescriptionSkype Meeting Add-in for Microsoft Office 13241300x8000000000000000333763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.LyncAddin.1\FileNameC:\Program Files\Microsoft Office\root\Office16\UCADDIN.DLL 13241300x8000000000000000333762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.LyncAddin.1DWORD (0x00000000) 13241300x8000000000000000333761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.UCAddin.1\LoadBehaviorDWORD (0x00000002) 13241300x8000000000000000333760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\UCAddin.UCAddin.1DWORD (0x00000000) 13241300x8000000000000000333759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lync.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Lync\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000333757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Lync\EventMessageFileC:\Program Files\Microsoft Office\root\Office16\1033\UCCAPIRES.DLL 13241300x8000000000000000333756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\LyncPlatform\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000333755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\LyncPlatform\EventMessageFileC:\Program Files\Microsoft Office\root\Office16\1033\LYNCDESKTOPRESOURCES.DLL 23542300x8000000000000000333754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=684D8DB5B94ACAF7D559CA649F346EBE,SHA256=148010617AC6B60AC2634A74538B0A0D8B70AA38C726B0836B18FB6C150D64A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=A4E38114D39163D23F6315FF12F30639,SHA256=41D387FB69B0212549F8EC8B53B5E48B87A608449EA497FA005F2CD25A030AA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=247B62354B3DD2D26D2C4AD4ADFFF0BA,SHA256=4BEB125DD2EF3F138F11709EE749F440AED478F21D7EC191959FC61AA3E05337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.321{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=D55FE4D9B0C5C90D982C612073120B6A,SHA256=BD2E64FFD714BFE28486391E0557DE95A9A13F3DE02640C9C42941F05BAA6F1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.306{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=C444F04094E93F5A71FF6E11A5467BD6,SHA256=91B891431FF0C0437D2250EE337C8F1FED7BF09EFE667936CAF761169B78C5A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.306{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=D29C041CE1803A43C2105740D1FB6840,SHA256=E25FD1FDA2562C0FC4B492005E46C3FFB723001C6B128BFE0D59D84C666E043F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.306{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=A5A592E713432D93DA2134CCA4FA65F3,SHA256=17F37FFF4A70700270F414E9BBCDDD76A556957A3D59C836008A687741E9D6ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.237{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC9C08742A9603D10DC7F2E9388105F,SHA256=27C965D249CFA66071BBB60651767BA4D9932F944AD7C3E8526203629D762936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.225{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{807583E5-5146-11D5-A672-00B0D022E945}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLMF.DLL 13241300x8000000000000000333745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.222{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL 13241300x8000000000000000333744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.221{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{355822FC-86F1-4BE8-B5F0-A33736789641}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.221{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.221{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.220{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{72B66649-3DBF-429F-BD6F-7774A9784B78}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.220{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.219{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.219{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.219{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.218{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{33154C99-BF49-443D-A73C-303A23ABBE97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.218{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\msoshext.dll 13241300x8000000000000000333734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.211{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{355822FC-86F1-4BE8-B5F0-A33736789641}Microsoft Word Thumbnail Handler 13241300x8000000000000000333733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.211{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}Microsoft Visio Thumbnail Handler 13241300x8000000000000000333732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.211{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35C5242B-7455-4F9C-962B-369EA43ED6F3}Microsoft PowerPoint Thumbnail Handler 13241300x8000000000000000333731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.210{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72B66649-3DBF-429F-BD6F-7774A9784B78}Microsoft Excel Thumbnail Handler 13241300x8000000000000000333730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.210{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}Microsoft Access Thumbnail Handler 13241300x8000000000000000333729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.209{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}Microsoft Word Metadata Handler 13241300x8000000000000000333728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.209{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}Microsoft Visio Metadata Handler 13241300x8000000000000000333727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.209{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}Microsoft PowerPoint Metadata Handler 13241300x8000000000000000333726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.208{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{33154C99-BF49-443D-A73C-303A23ABBE97}Microsoft Excel Metadata Handler 13241300x8000000000000000333725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.208{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}Microsoft Access Metadata Handler 13241300x8000000000000000333724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.207{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLL 13241300x8000000000000000333723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.206{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLL 13241300x8000000000000000333722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.205{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL 13241300x8000000000000000333721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.205{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{42089D2D-912D-4018-9087-2B87803E93FB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL 13241300x8000000000000000333720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.204{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{42089D2D-912D-4018-9087-2B87803E93FB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL 13241300x8000000000000000333719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.203{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL 13241300x8000000000000000333718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.202{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonTextLync Click to Call 13241300x8000000000000000333717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.202{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer1 13241300x8000000000000000333716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.202{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default)Lync Click to Call BHO 13241300x8000000000000000333715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.202{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}DWORD (0x00000000) 13241300x8000000000000000333714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.202{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Default VisibleYes 13241300x8000000000000000333713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ClsidExtension{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} 13241300x8000000000000000333712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\HotIconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\lync.exe,1 13241300x8000000000000000333710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\IconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\lync.exe,1 13241300x8000000000000000333709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuTextLync Click to Call 13241300x8000000000000000333708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default)Lync Click to Call 13241300x8000000000000000333707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.201{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}DWORD (0x00000000) 13241300x8000000000000000333706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.198{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll 13241300x8000000000000000333705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension{FFFDC614-B694-4AE6-AB38-5D6374584B52} 13241300x8000000000000000333704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\IconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll,103 13241300x8000000000000000333702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll,103 13241300x8000000000000000333701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTipOneNote Linked Notes 13241300x8000000000000000333700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.197{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuTextOneNote Lin&ked Notes 13241300x8000000000000000333699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.196{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonTextOneNote Lin&ked Notes 13241300x8000000000000000333698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.196{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default VisibleYes 13241300x8000000000000000333697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.196{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}DWORD (0x00000000) 13241300x8000000000000000333696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.196{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll 13241300x8000000000000000333695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.193{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension{48E73304-E1D6-4330-914C-F5F514E3486C} 13241300x8000000000000000333694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.193{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\IconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll,103 13241300x8000000000000000333692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIconC:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll,103 13241300x8000000000000000333691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTipSend to OneNote 13241300x8000000000000000333690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuTextSe&nd to OneNote 13241300x8000000000000000333689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonTextSend to OneNote 13241300x8000000000000000333688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default VisibleYes 13241300x8000000000000000333687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.192{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}DWORD (0x00000000) 13241300x8000000000000000333686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.191{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll 13241300x8000000000000000333685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.186{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{10336656-40D7-4530-BCC0-86CD3D77D25F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.185{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{68CED213-317D-3F27-9036-A33240DA522E}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.184{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.183{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{07B06095-5687-4D13-9E32-12B4259C9813}\InprocServer32\(Default)mscoree.dll 13241300x8000000000000000333681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.183{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.181{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.180{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9800F18F-3D86-4744-A7D0-540989C86D7B}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.178{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{9800F18F-3D86-4744-A7D0-540989C86D7B}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.177{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.175{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.174{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.173{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.171{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.169{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.169{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.168{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.167{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.166{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x8000000000000000333667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.165{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 10341000x8000000000000000333666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.163{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.163{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.163{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 13241300x8000000000000000333663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.163{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 10341000x8000000000000000333662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.162{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.162{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000333660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.162{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 13241300x8000000000000000333659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.160{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.159{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x8000000000000000333657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.158{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 23542300x8000000000000000333656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.139{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=619F8831A47E4258AA7C4E3D0B8B0541,SHA256=064C7B1CE85D94C770ED795315B159BF496BE1B09721BD41F762B921217201D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.139{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=CAE1F563C0BB9B4F987B89768E96736B,SHA256=859BD912BBF46BE370FB5E8AA36F38B9F168A469CF360CC5CCAFDE234257618B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:22.105{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}Microsoft OneNote Namespace Extension for Windows Desktop Search 13241300x8000000000000000333653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.104{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL 13241300x8000000000000000333652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.102{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL 13241300x8000000000000000333651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.100{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL 13241300x8000000000000000333650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.098{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.098{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.098{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\ODFFILT.DLL 13241300x8000000000000000333647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.097{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.097{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.097{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.096{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.096{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\OFFFILTX.DLL 13241300x8000000000000000333642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.095{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Filters\MSGFILT.DLL 13241300x8000000000000000333641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension{FFFDC614-B694-4AE6-AB38-5D6374584B52} 13241300x8000000000000000333640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\IconC:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll,103 13241300x8000000000000000333638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIconC:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll,103 13241300x8000000000000000333637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTipOneNote Linked Notes 13241300x8000000000000000333636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuTextOneNote Lin&ked Notes 13241300x8000000000000000333635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonTextOneNote Lin&ked Notes 13241300x8000000000000000333634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default VisibleYes 13241300x8000000000000000333633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.094{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}DWORD (0x00000000) 13241300x8000000000000000333632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.093{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll 13241300x8000000000000000333631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension{48E73304-E1D6-4330-914C-F5F514E3486C} 13241300x8000000000000000333630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 13241300x8000000000000000333629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\IconC:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll,103 13241300x8000000000000000333628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIconC:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll,103 13241300x8000000000000000333627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTipSend to OneNote 13241300x8000000000000000333626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuTextSe&nd to OneNote 13241300x8000000000000000333625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonTextSend to OneNote 13241300x8000000000000000333624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default VisibleYes 13241300x8000000000000000333623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:25:22.089{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\HKLM\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}DWORD (0x00000000) 13241300x8000000000000000333622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:22.088{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll 13241300x8000000000000000333621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.080{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x8000000000000000333620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1183,IFEOSetValue2023-01-27 11:25:22.080{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 23542300x8000000000000000333619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.074{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxlMD5=28BE42651DBD1A4FFF59A5182C9E8E19,SHA256=5E4E80F3F60927EC7D88783863EC7ECC5CF60EBAAA54CB525CE8D2270665900B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000333618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:25:22.062{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack20162023-01-27 11:25:22.062 10341000x8000000000000000333617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.060{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.060{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.057{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.054{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBEA1336929B600BAFECD99354D64E0,SHA256=5DC8F95718276126ED89A871AC2085F260D4B19DA797AE4E2D3CE37F28A98B26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.044{72106695-B4A2-63D3-FC03-00000000BD02}58845828C:\Windows\system32\conhost.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.034{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A2-63D3-FC03-00000000BD02}5884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.028{72106695-B4A1-63D3-E703-00000000BD02}6681584C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94d1a|C:\Program Files\Microsoft Office\root\integration\integrator.exe+338006|C:\Program Files\Microsoft Office\root\integration\integrator.exe+32da93|C:\Program Files\Microsoft Office\root\integration\integrator.exe+14953|C:\Program Files\Microsoft Office\root\integration\integrator.exe+140d4|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2aee6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+37bca8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.029{72106695-B4A2-63D3-FB03-00000000BD02}5908C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000333604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.019{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.004{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.004{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:21.988{72106695-B4A1-63D3-FA03-00000000BD02}46685872C:\Windows\system32\conhost.exe{72106695-B4A1-63D3-F903-00000000BD02}5836C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.995{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.984{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.973{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.949{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.942{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.930{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.925{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.924{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.921{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.918{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.917{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.915{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.512{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582E2B83C24E60F00AE363E25CAA4A66,SHA256=866F040787E59EDF85EA069318C953F560B6E77C3B4C9AF5214489BB0FA4C7F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.385{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.377{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 13241300x8000000000000000333923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.869{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\TypeDWORD (0x00000003) 13241300x8000000000000000333922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.869{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\ChannelAccessO:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) 13241300x8000000000000000333921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.869{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.869{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\EnabledDWORD (0x00000000) 13241300x8000000000000000333919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.869{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\OwningPublisher{daf0b914-9c1c-450a-81b2-fea7244f6ffa} 10341000x8000000000000000333918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.853{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.853{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.853{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000333907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000333906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.747{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6AEA13CE415B39D6CDEF27A052B2E8,SHA256=4619C0BD9CB014A12FDBA464A2C8881AA8CC2F6842A602E0BFCE885992841F22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.725{72106695-B4A3-63D3-FF03-00000000BD02}56006064C:\Windows\system32\conhost.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=51E2550D80F1036FE867E599C2AF3489,SHA256=26D7119F1A3BB8B73948064C290CC962650B2AF8988F88740924180C40A50D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000333903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:19.882{72106695-B49E-63D3-E503-00000000BD02}4860C:\Program Files\Microsoft Office\root\Integration\Integrator.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51014-false40.79.189.59-443https 10341000x8000000000000000333902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.608{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A3-63D3-FF03-00000000BD02}5600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.593{72106695-B4A1-63D3-E703-00000000BD02}6684336C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+34b882|C:\Program Files\Microsoft Office\root\integration\integrator.exe+3410e5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.591{72106695-B4A3-63D3-FE03-00000000BD02}4344C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 23542300x8000000000000000333894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.530{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD0252CAFE4902916DC77463BB6013F,SHA256=109C377574FD9786E65EA4803D7ABB56695E1B9CCFA33A275FC279643B9C02BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.278{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.278{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.278{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.186{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.186{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e08) 13241300x8000000000000000333888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.186{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{228054D3-2386-45A0-B3AB-4C5015781977}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe|Name=Microsoft Lync UcMapi| 10341000x8000000000000000333887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.186{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.186{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e07) 13241300x8000000000000000333884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{D6A6B03D-C5BA-413F-B17F-4F018E87E89F}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe|Name=Microsoft Lync UcMapi| 10341000x8000000000000000333883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e06) 13241300x8000000000000000333880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F3CAA39B-D0D9-404C-82AB-63AE7580D53B}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Microsoft Office\root\Office16\Lync.exe|Name=Microsoft Lync| 10341000x8000000000000000333879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.171{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.170{72106695-9B85-63D3-1300-00000000BD02}836928C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.162{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e05) 13241300x8000000000000000333876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.161{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B91084BE-C058-4084-BF6E-C83BE03D5FD9}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Microsoft Office\root\Office16\Lync.exe|Name=Microsoft Lync| 10341000x8000000000000000333875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.161{72106695-9B85-63D3-1300-00000000BD02}8363904C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.161{72106695-9B85-63D3-1300-00000000BD02}8363904C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.150{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000e04) 13241300x8000000000000000333872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:23.150{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C5008D4B-817C-4114-A116-D63DD268C354}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=6004|App=C:\Program Files\Microsoft Office\root\Office16\outlook.exe|Name=Microsoft Office Outlook| 10341000x8000000000000000333871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.150{72106695-9B85-63D3-1300-00000000BD02}8364340C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.149{72106695-9B85-63D3-1300-00000000BD02}8364340C:\Windows\system32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.144{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.133{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000333867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:25:23.132{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{0ecef634-6ef0-472a-8085-5ad023ecbccd}\##?#SWD#PRINTENUM#{D1A64E34-43C6-4E07-A2E6-208B0C3DBC85}#{0ecef634-6ef0-472a-8085-5ad023ecbccd}\#\Device Parameters\FriendlyNameOneNote (Desktop) 13241300x8000000000000000333866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:25:23.130{72106695-9B82-63D3-0100-00000000BD02}4SystemHKLM\System\CurrentControlSet\Enum\SWD\PRINTENUM\{D1A64E34-43C6-4E07-A2E6-208B0C3DBC85}\FriendlyNameOneNote (Desktop) 13241300x8000000000000000333865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-DriverVerSetValue2023-01-27 11:25:23.129{72106695-9B82-63D3-0100-00000000BD02}4SystemHKLM\System\CurrentControlSet\Control\Class\{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\0003\DriverVersion10.0.14393.0 13241300x8000000000000000333864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-DriverVerSetValue2023-01-27 11:25:23.122{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\OneNote (Desktop)\DsDriver\driverVersionDWORD (0x00000401) 23542300x8000000000000000333863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.020{72106695-9B85-63D3-1900-00000000BD02}1764NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\Temp\7B39C1EB-E5B6-4DA1-A4F5-7233450EE6ABMD5=9F2932366C24E3C8BD47F57B423D9CAD,SHA256=00F374EB2A4A3D70A34B82890AC68FE49448D581AEB6D0FDA1E9DA01BF4104ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.020{72106695-9B85-63D3-1900-00000000BD02}1764NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\Temp\166AD6AD-FED6-478A-BEC8-899016193D32MD5=F7DADDA9BA29ABE1952CC60F303DCEDC,SHA256=93DA1E68B1ABDC125383A62F78F6689124EE56B1B7ED41E5872B77EFA2159E00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.020{72106695-9B85-63D3-1900-00000000BD02}1764NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\Temp\1C059545-2601-46C7-B703-F295F24168EEMD5=0F1CC06EFAE5B93998BC7316AC547745,SHA256=DEEA94E0F6682EBF2047F7CC6398741FF84CF0D298146835C04C1CF5ED824545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.020{72106695-9B85-63D3-1900-00000000BD02}1764NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\Temp\2F0EB7A7-2A15-41CB-99CE-30AC6D7514CAMD5=F7DADDA9BA29ABE1952CC60F303DCEDC,SHA256=93DA1E68B1ABDC125383A62F78F6689124EE56B1B7ED41E5872B77EFA2159E00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:23.020{72106695-9B85-63D3-1900-00000000BD02}1764NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\Temp\4CD3B424-CE9A-4F6D-86E6-B413675CFF60MD5=4733E16F3DA716636BBDE2A6157149AE,SHA256=CC302D12266FA0659147A760B888CA11B6A129C0E380514BC26628566826EC6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:23.579{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118D0CF10C4AC55BAD3724374BA500E8,SHA256=06CEE536CC0B4D02D0B93D359C7519AF2617E2E0BE2BE6696082701F2E162FA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:19.948{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:23.028{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:23.000{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 13241300x8000000000000000333991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.858{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\TypeDWORD (0x00000002) 13241300x8000000000000000333990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.858{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.858{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\OwningPublisher{f562bb8e-422d-4b5c-b20e-90d710f7d11c} 23542300x8000000000000000333988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.823{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A4346BC58AE18689739D13D7F67647,SHA256=BC12160DD50D491F508E3A12635D2EF95F56D616DB31731D43B1C67F9E5DF786,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F6CE94CCDDADE9989ADA8DEBF20961,SHA256=24B986E6A4CFEA2EE7F929D452671AC5AA8D1C96D636B24D1DDDF402FBF046C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.804{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C0ADD68749F416810468A12565CFC2A9,SHA256=416C37E604A07BDAA218F7184F932FD2D6B7F291C9B6BD9C96ED64F87EEE4AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000333985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.779{72106695-B4A4-63D3-0704-00000000BD02}54563916C:\Windows\system32\conhost.exe{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.771{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0704-00000000BD02}5456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.767{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.767{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.767{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.766{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.766{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.766{72106695-B4A1-63D3-E703-00000000BD02}6684336C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+34b882|C:\Program Files\Microsoft Office\root\integration\integrator.exe+3410e5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.766{72106695-B4A4-63D3-0604-00000000BD02}5536C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 23542300x8000000000000000333976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.765{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.manMD5=47E7AA43FC251A8D6E9481C6B511EB54,SHA256=AC00511ACFF3E5B47104CDAB01BBC6FA40D07C2E247854013F764FEBD5CB1B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000333975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.574{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51015-false23.194.157.13a23-194-157-13.deploy.static.akamaitechnologies.com80http 13241300x8000000000000000333974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.615{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\TypeDWORD (0x00000003) 13241300x8000000000000000333973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.615{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.615{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\WordChannel\OwningPublisher{daf0b914-9c1c-450a-81b2-fea7244f6ffa} 10341000x8000000000000000333971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.506{72106695-B4A4-63D3-0504-00000000BD02}34765520C:\Windows\system32\conhost.exe{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0504-00000000BD02}3476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-B4A1-63D3-E703-00000000BD02}6684336C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+34b882|C:\Program Files\Microsoft Office\root\integration\integrator.exe+3410e5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.501{72106695-B4A4-63D3-0404-00000000BD02}5636C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 23542300x8000000000000000333962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.491{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.manMD5=5A7061C29C8BE143BF85D3380C15C266,SHA256=18C67F86332935A3C03BE856E886CD9310D64D5DA5E6334A0521D56D8E8B676B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000333961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.459{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\TypeDWORD (0x00000002) 13241300x8000000000000000333960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.459{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\ChannelAccessO:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) 13241300x8000000000000000333959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.459{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.459{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\EnabledDWORD (0x00000000) 13241300x8000000000000000333957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.459{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\OwningPublisher{f562bb8e-422d-4b5c-b20e-90d710f7d11c} 10341000x8000000000000000333956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.365{72106695-B4A4-63D3-0304-00000000BD02}43883680C:\Windows\system32\conhost.exe{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0304-00000000BD02}4388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.350{72106695-B4A1-63D3-E703-00000000BD02}6684336C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+34b882|C:\Program Files\Microsoft Office\root\integration\integrator.exe+3410e5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.359{72106695-B4A4-63D3-0204-00000000BD02}4556C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 13241300x8000000000000000333947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\TypeDWORD (0x00000003) 13241300x8000000000000000333946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\ChannelAccessO:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) 13241300x8000000000000000333945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\EnabledDWORD (0x00000000) 13241300x8000000000000000333943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\OwningPublisher{8736922d-e8b2-47eb-8564-23e77e728cf3} 13241300x8000000000000000333942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\TypeDWORD (0x00000002) 13241300x8000000000000000333941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\ChannelAccessO:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) 13241300x8000000000000000333940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\IsolationDWORD (0x00000000) 13241300x8000000000000000333939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\EnabledDWORD (0x00000000) 13241300x8000000000000000333938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.334{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\OwningPublisher{8736922d-e8b2-47eb-8564-23e77e728cf3} 13241300x8000000000000000333937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.272{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\TypeDWORD (0x00000002) 13241300x8000000000000000333936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.272{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\ChannelAccessO:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) 13241300x8000000000000000333935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.272{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\IsolationDWORD (0x00000000) 13241300x8000000000000000333934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.272{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\EnabledDWORD (0x00000000) 13241300x8000000000000000333933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:24.272{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\OwningPublisher{f50d9315-e17e-43c1-8370-3edf6cc057be} 10341000x8000000000000000333932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.211{72106695-B4A4-63D3-0104-00000000BD02}56081436C:\Windows\system32\conhost.exe{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0104-00000000BD02}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:24.682{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4AA3DA6C2F98DE0F9C207D7CE41E1B,SHA256=D1341E74F9D187652AE42FE479FFDA33706F67CC3EAB58AD3D2E1EC62EF20C8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000333927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.195{72106695-B4A1-63D3-E703-00000000BD02}6684336C:\Program Files\Microsoft Office\root\integration\integrator.exe{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Microsoft Office\root\integration\integrator.exe+942b6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+94464|C:\Program Files\Microsoft Office\root\integration\integrator.exe+34b882|C:\Program Files\Microsoft Office\root\integration\integrator.exe+3410e5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000333924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.198{72106695-B4A4-63D3-0004-00000000BD02}4360C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* /C2R PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x8000000000000000334032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.981{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.981{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:25.771{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CABC263939C7D98D70CDEE1D58929FA,SHA256=1528C886D33D66C11D97C32AEC294179055C0373A56F59AF4B0C949D9F0899F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.981{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\620527.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.950{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000333995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.872{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1884F92B03CF59D1740E6C54C44F9ED,SHA256=05A518B965D5762BE26250BDBF3C5188E504304F2A160E0AFCC5DE832FA88579,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000333994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:25.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62AB5561E40FB321DE09BD082EECC9C,SHA256=3331D4827E21190FA3149C041B01D5340AE67BFF81B9907EA4B97FF605C5825F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000333993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.766{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51017-false23.194.157.13a23-194-157-13.deploy.static.akamaitechnologies.com80http 354300x8000000000000000333992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:22.685{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51016-false20.253.213.245-80http 354300x8000000000000000448265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.038{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63850- 354300x8000000000000000448264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:22.004{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55921- 23542300x8000000000000000334048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.915{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8C9538DA0002ACD473BA9A0D658C2B,SHA256=B62E2C4BC4CF06E35CA6DE9D4880E423CCC82261138A1F29C188E3C3854F56C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:26.867{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C5B5328009887196041A6E0CBF8EB4,SHA256=D9EAD7B82DE514E98A73B795EBEFFDB16EF70C74C5E16B8DA206FB594867D9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.830{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI34D2.tmpMD5=9CADBFA797783FF9E7FC60301DE9E1FF,SHA256=C1EDA5C42BE64CFC08408A276340C9082F424EC1A4E96E78F85E9F80D0634141,IMPHASH=652859BF844DA7396CCD2DCBC07B8FD2truefalse - insufficient disk space 10341000x8000000000000000334046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.819{72106695-B4A6-63D3-0804-00000000BD02}48606080C:\Windows\syswow64\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7887|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000334045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.722{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.257{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1125b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.134{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.134{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.134{72106695-B499-63D3-D903-00000000BD02}57762280C:\Windows\system32\msiexec.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.133{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\SysWOW64\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A0936C8F38DEA396620A567807AD5A9A E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=0E6BA8C0B882285D2B4FD61D0688D65B,SHA256=6929777BD6CEDDDFFF86FC7F505374D5AC0FA0F63722DC1C88594E16FBAFFAD1,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000334036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.075{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.075{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.060{72106695-B499-63D3-D903-00000000BD02}57765652C:\Windows\system32\msiexec.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fbad|C:\Windows\system32\Msi.dll+2eb1e|C:\Windows\system32\Msi.dll+47575|C:\Windows\system32\Msi.dll+10b335|C:\Windows\system32\Msi.dll+10a556|C:\Windows\system32\Msi.dll+f4b1f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:26.060{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B76CC7699E2E9060690F39E85F0D9B1,SHA256=D4F2E09C47F5E6C77BB1F02316600E74C02849F2609C51819A3BAF9BCE8C76E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:23.361{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64386- 10341000x8000000000000000334070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.860{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000334067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:24.525{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51018-false10.0.1.12-8000- 23542300x8000000000000000334066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.455{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI3997.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truefalse - insufficient disk space 10341000x8000000000000000334065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.355{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.355{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.355{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.335{72106695-B4A7-63D3-0904-00000000BD02}59363008C:\Windows\System32\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7184|C:\Windows\System32\MsiExec.exe+8e17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.321{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.297{72106695-B499-63D3-D903-00000000BD02}57762280C:\Windows\system32\msiexec.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.298{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 312DAEE19499FE25C57C06EA08EF9C9E E Global\MSI0000C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=9D709253D0D3EF4CBB4CF7BC10276AC7,SHA256=B2BE692D9794337588A16DB43A09371F3D18154E98171856CD4B739998C4D291,IMPHASH=C96E4BCFCDB1BA383604F04AB3452B2F{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000334053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.296{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.295{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.188{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI3929.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.186{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:27.186{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000448269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:24.383{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64667- 10341000x8000000000000000334077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.395{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.395{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.395{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.395{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.395{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.192{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C2C6266830C945B123C8D9C74CADC69,SHA256=61E24181EBB78C14F579C038A03418F57BE3264B86FC7A9E79AAE91615E1998B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:28.085{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1665ED5FA1602163111B52A23E4351A8,SHA256=908FCE0BDC617D4DD6FBAE632CFB2F9665D5582CD2902E38791230D00ED9970B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:28.061{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFDCFBCB02BD40439B00489155FA945,SHA256=607DA9BAAEEF2F62EEB0564838E7B15563F6D9352DC4AC3CFCA679AF14A0E1B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000334195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.995{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\C2TO69VR\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll2023-01-27 11:25:29.995 11241100x8000000000000000334194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.979{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\XR48IQCI\Policy.11.0.Microsoft.Office.Interop.Outlook.dll2023-01-27 11:25:29.979 11241100x8000000000000000334193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.979{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\Y3OOFHNK\Policy.11.0.Microsoft.Office.Interop.Graph.dll2023-01-27 11:25:29.979 11241100x8000000000000000334192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.979{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2ZMJ8ZUN\Policy.11.0.Microsoft.Office.Interop.Excel.dll2023-01-27 11:25:29.979 11241100x8000000000000000334191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.979{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\A01ZF4AA\Policy.11.0.Microsoft.Office.Interop.Access.dll2023-01-27 11:25:29.979 11241100x8000000000000000334190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.968{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\RM4E3EHE\OFFICE.DLL2023-01-27 11:25:29.968 11241100x8000000000000000334189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.964{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\RWAMNCKG\Microsoft.Vbe.Interop.dll2023-01-27 11:25:29.964 11241100x8000000000000000334188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.956{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\OKDB38M9\Microsoft.Vbe.Interop.Forms.dll2023-01-27 11:25:29.956 11241100x8000000000000000334187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.951{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\O8DDY5WY\Microsoft.Office.interop.access.dao.dll2023-01-27 11:25:29.951 11241100x8000000000000000334186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.920{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\8ZJPVCLU\Microsoft.Office.Interop.Word.dll2023-01-27 11:25:29.920 11241100x8000000000000000334185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.920{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\1ROIE6W8\Microsoft.Office.Interop.SmartTag.dll2023-01-27 11:25:29.920 11241100x8000000000000000334184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.905{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\FKN5YJ8W\Microsoft.Office.Interop.Publisher.dll2023-01-27 11:25:29.905 11241100x8000000000000000334183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.905{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\4OCD502D\Microsoft.Office.Interop.PowerPoint.dll2023-01-27 11:25:29.905 11241100x8000000000000000334182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.889{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\N9CLWRFC\Microsoft.Office.Interop.OutlookViewCtl.dll2023-01-27 11:25:29.889 11241100x8000000000000000334181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.874{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\Q2XGQA9M\Microsoft.Office.Interop.Outlook.dll2023-01-27 11:25:29.874 11241100x8000000000000000334180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.874{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\RJJZ01KV\Microsoft.Office.Interop.OneNote.dll2023-01-27 11:25:29.874 11241100x8000000000000000334179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.858{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2UPUNUE7\Microsoft.Office.Interop.Graph.dll2023-01-27 11:25:29.858 11241100x8000000000000000334178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.842{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\L2BC5END\Microsoft.Office.Interop.Excel.dll2023-01-27 11:25:29.842 11241100x8000000000000000334177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.811{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\IERI6BT5\Microsoft.Office.Interop.Access.dll2023-01-27 11:25:29.811 11241100x8000000000000000334176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.795{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\L7GRV9QA\stdole.dll2023-01-27 11:25:29.795 11241100x8000000000000000334175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.795{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\L4JOZHYH\msdatasrc.dll2023-01-27 11:25:29.795 11241100x8000000000000000334174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.795{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\N5XNQ0QU\adodb.dll2023-01-27 11:25:29.795 11241100x8000000000000000334173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.795{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\45F5P2QL\Microsoft.stdformat.dll2023-01-27 11:25:29.795 11241100x8000000000000000334172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.686{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NHV2XZZZ\Microsoft.mshtml.dll2023-01-27 11:25:29.686 11241100x8000000000000000334171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.686{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll2023-01-27 11:25:29.686 11241100x8000000000000000334170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.686{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll2023-01-27 11:25:29.686 11241100x8000000000000000334169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.686{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll2023-01-27 11:25:29.686 11241100x8000000000000000334168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.686{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll2023-01-27 11:25:29.686 11241100x8000000000000000334167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.655{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll2023-01-27 11:25:29.655 11241100x8000000000000000334166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.655{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\GZ501NIZ\extensibility.dll2023-01-27 11:25:29.655 11241100x8000000000000000334165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.639{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll2023-01-27 11:25:29.639 11241100x8000000000000000334164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.639{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\IVH4YHQB\Microsoft.VisualStudio.Tools.Office.Runtime.dll2023-01-27 11:25:29.639 11241100x8000000000000000334163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.624{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NHU7W5VQ\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll2023-01-27 11:25:29.624 11241100x8000000000000000334162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.624{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\GNAQHKFL\Microsoft.VisualStudio.Tools.Office.ContainerControl.dll2023-01-27 11:25:29.624 11241100x8000000000000000334161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.624{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\D8GH76HX\Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll2023-01-27 11:25:29.624 11241100x8000000000000000334160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.608{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NFRO3DFQ\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2023-01-27 11:25:29.608 11241100x8000000000000000334159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.608{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\G1EK5FRN\Microsoft.VisualStudio.Tools.Applications.Hosting.dll2023-01-27 11:25:29.608 11241100x8000000000000000334158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.608{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\00RQGI8D\Microsoft.Office.Tools.v4.0.Framework.dll2023-01-27 11:25:29.608 11241100x8000000000000000334157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.592{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2LAU06RS\Microsoft.Office.Tools.dll2023-01-27 11:25:29.592 11241100x8000000000000000334156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.592{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\CNDFF9WK\Microsoft.Office.Tools.Word.dll2023-01-27 11:25:29.592 11241100x8000000000000000334155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.577{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\K1C68IX9\Microsoft.Office.Tools.Word.Implementation.dll2023-01-27 11:25:29.577 11241100x8000000000000000334154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.577{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\4TRGFDMV\Microsoft.Office.Tools.Outlook.dll2023-01-27 11:25:29.577 11241100x8000000000000000334153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.561{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\D8A0LZBL\Microsoft.Office.Tools.Outlook.Implementation.dll2023-01-27 11:25:29.561 11241100x8000000000000000334152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.561{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\J6GIV7VZ\Microsoft.Office.Tools.Excel.dll2023-01-27 11:25:29.561 11241100x8000000000000000334151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.545{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\216AKGLC\Microsoft.Office.Tools.Excel.Implementation.dll2023-01-27 11:25:29.545 11241100x8000000000000000334150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.545{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\J7HTH2WI\Microsoft.Office.Tools.Common.dll2023-01-27 11:25:29.545 11241100x8000000000000000334149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.530{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\UC185VUH\Microsoft.Office.Tools.Common.Implementation.dll2023-01-27 11:25:29.530 11241100x8000000000000000334148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.530{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\BLEGF3F6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll2023-01-27 11:25:29.530 11241100x8000000000000000334147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.514{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\PJTJPUXG\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll2023-01-27 11:25:29.514 11241100x8000000000000000334146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.514{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\56PZU62Y\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll2023-01-27 11:25:29.514 11241100x8000000000000000334145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.499{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\6NZ5HZP3\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll2023-01-27 11:25:29.499 11241100x8000000000000000334144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.499{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\186PH9D2\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll2023-01-27 11:25:29.499 11241100x8000000000000000334143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.499{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\XN2V0WVX\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll2023-01-27 11:25:29.499 11241100x8000000000000000334142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.483{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\00BPQVBR\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll2023-01-27 11:25:29.483 11241100x8000000000000000334141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.483{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NA7F8CTL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll2023-01-27 11:25:29.483 11241100x8000000000000000334140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.467{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\G6E3MH9U\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll2023-01-27 11:25:29.467 11241100x8000000000000000334139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.467{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\IAM665Y5\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll2023-01-27 11:25:29.467 11241100x8000000000000000334138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.452{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\BFR5FAFJ\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.dll2023-01-27 11:25:29.452 11241100x8000000000000000334137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.452{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\ODO29KV0\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll2023-01-27 11:25:29.452 11241100x8000000000000000334136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.452{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\TPAG38UN\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll2023-01-27 11:25:29.452 11241100x8000000000000000334135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.452{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\98E7UOQ2\Microsoft.Office.Tools.v9.0.dll2023-01-27 11:25:29.452 11241100x8000000000000000334134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.436{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\ST0V2YLD\Microsoft.Office.Tools.Word.v9.0.dll2023-01-27 11:25:29.436 11241100x8000000000000000334133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.436{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\YWHK94GJ\Microsoft.Office.Tools.Outlook.v9.0.dll2023-01-27 11:25:29.436 11241100x8000000000000000334132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.420{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2Q5343FD\Microsoft.Office.Tools.Excel.v9.0.dll2023-01-27 11:25:29.420 11241100x8000000000000000334131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\F91AY275\Microsoft.Office.Tools.Common.v9.0.dll2023-01-27 11:25:29.405 11241100x8000000000000000334130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll2023-01-27 11:25:29.405 11241100x8000000000000000334129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll2023-01-27 11:25:29.405 11241100x8000000000000000334128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll2023-01-27 11:25:29.405 11241100x8000000000000000334127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll2023-01-27 11:25:29.405 254200x8000000000000000334126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10992023-01-27 11:25:29.405{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe2002-02-01 18:02:02.0002023-01-27 11:25:29.389 11241100x8000000000000000334125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:25:29.389{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe2023-01-27 11:25:29.389 11241100x8000000000000000334124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.389{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll2023-01-27 11:25:29.389 11241100x8000000000000000334123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.389{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll2023-01-27 11:25:29.389 11241100x8000000000000000334122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.389{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll2023-01-27 11:25:29.389 11241100x8000000000000000334121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.389{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll2023-01-27 11:25:29.389 11241100x8000000000000000334120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll2023-01-27 11:25:29.374 254200x8000000000000000334119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10992023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe2002-02-01 18:02:02.0002023-01-27 11:25:29.374 11241100x8000000000000000334118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe2023-01-27 11:25:29.374 11241100x8000000000000000334117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll2023-01-27 11:25:29.374 11241100x8000000000000000334116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll2023-01-27 11:25:29.374 11241100x8000000000000000334115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll2023-01-27 11:25:29.374 11241100x8000000000000000334114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.374{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll2023-01-27 11:25:29.374 11241100x8000000000000000334113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.358{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll2023-01-27 11:25:29.358 11241100x8000000000000000334112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.358{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll2023-01-27 11:25:29.358 11241100x8000000000000000334111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.358{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\WJ2KOIDG\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.dll2023-01-27 11:25:29.358 11241100x8000000000000000334110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.358{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\KQJDQM6C\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll2023-01-27 11:25:29.358 11241100x8000000000000000334109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.342{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\BFSQ422W\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll2023-01-27 11:25:29.342 11241100x8000000000000000334108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.342{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\SS5XUT0L\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll2023-01-27 11:25:29.342 11241100x8000000000000000334107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.342{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\KYX816QN\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll2023-01-27 11:25:29.342 11241100x8000000000000000334106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.342{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\T5M0T0A4\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll2023-01-27 11:25:29.342 11241100x8000000000000000334105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.328{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\V6I3TW0M\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll2023-01-27 11:25:29.328 11241100x8000000000000000334104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.328{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\4QY3ZS7I\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll2023-01-27 11:25:29.328 11241100x8000000000000000334103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.313{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2F7ZWCBP\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll2023-01-27 11:25:29.313 11241100x8000000000000000334102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.313{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\Q2IL6WRV\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll2023-01-27 11:25:29.313 11241100x8000000000000000334101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.313{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\8YVSVDXW\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll2023-01-27 11:25:29.313 11241100x8000000000000000334100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.313{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\UY6HO4ED\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll2023-01-27 11:25:29.313 11241100x8000000000000000334099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.313{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\DB40LR3S\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll2023-01-27 11:25:29.313 11241100x8000000000000000334098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.311{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll2023-01-27 11:25:29.311 11241100x8000000000000000334097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.310{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll2023-01-27 11:25:29.309 10341000x8000000000000000334096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.309{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000334095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.309{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000334094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.309{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 11241100x8000000000000000334093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.293{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll2023-01-27 11:25:29.293 11241100x8000000000000000334085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.278{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll2023-01-27 11:25:29.278 11241100x8000000000000000334084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.278{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll2023-01-27 11:25:29.278 11241100x8000000000000000334083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.278{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll2023-01-27 11:25:29.278 11241100x8000000000000000334082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.262{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NWTMYY3O\MSCOMCTL.DLL2023-01-27 11:25:29.262 23542300x8000000000000000334081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.168{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BCA948345CE8495AE44B57C488C7ED,SHA256=6F1478854EE69317F69536E41EADDD6FCEE5CD8A8C8FC0F49142B508FBC30A92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.108{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\620529.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.108{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF143935697BB8517.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000334078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:29.108{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFC00C52AFB100D693.TMPMD5=96C0A5F8F7BEA1C0F159B136122BCBE8,SHA256=44CDC063075D5E20B6895118DEBB0D774B369D763F11DC9F3DFD6705FCC83B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:25.903{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:29.150{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDC57751BECD338F8E53D349F872280,SHA256=51A784430749A41A7DAE766738F32154F2795A18986B6F3C375E7B53E7A1D5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:30.648{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D3420D744FB4AF525D4734D822E282,SHA256=5530C7C995EAF70DD90C311EFA9742B0D79E7843263F529B5C278EEA1D3038C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000334229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.180{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\System32\msvcr100.dll2023-01-27 11:25:30.180 11241100x8000000000000000334228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.164{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\System32\msvcp100.dll2023-01-27 11:25:30.164 11241100x8000000000000000334227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.164{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\JKORHB5X\Microsoft.Office.Interop.OneNote.dll2023-01-27 11:25:30.164 11241100x8000000000000000334226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.164{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\JMLO7K5E\Policy.14.0.Office.dll2023-01-27 11:25:30.164 11241100x8000000000000000334225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.148{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\WRC4UD9G\Policy.14.0.Microsoft.Vbe.Interop.dll2023-01-27 11:25:30.148 11241100x8000000000000000334224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.148{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\KYYEU3BE\Policy.14.0.Microsoft.Office.Interop.Word.dll2023-01-27 11:25:30.148 11241100x8000000000000000334223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.148{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\72EF0X6X\Policy.14.0.Microsoft.Office.Interop.SmartTag.dll2023-01-27 11:25:30.148 11241100x8000000000000000334222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.133{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\A74MTYTE\Policy.14.0.Microsoft.Office.Interop.Publisher.dll2023-01-27 11:25:30.133 11241100x8000000000000000334221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.133{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\BTLEXUAL\Policy.14.0.Microsoft.Office.Interop.PowerPoint.dll2023-01-27 11:25:30.133 11241100x8000000000000000334220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.133{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\VI6OZDU9\Policy.14.0.Microsoft.Office.Interop.OutlookViewCtl.dll2023-01-27 11:25:30.133 23542300x8000000000000000448273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:30.234{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3557DEFF7BE8E1E725B5443D3E81AA9D,SHA256=B9DA750119783DEECB6BCF8DE4E5EB144F6CEDA8526D3A740256AC749E8A576F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000334219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.119{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\WAVKRGLP\Policy.14.0.Microsoft.Office.Interop.Outlook.dll2023-01-27 11:25:30.119 11241100x8000000000000000334218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.119{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NVZSJ4GJ\Policy.14.0.Microsoft.Office.Interop.OneNote.dll2023-01-27 11:25:30.119 11241100x8000000000000000334217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.103{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\RATEMGKF\Policy.14.0.Microsoft.Office.Interop.Graph.dll2023-01-27 11:25:30.103 11241100x8000000000000000334216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.103{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\ON0L7EO2\Policy.14.0.Microsoft.Office.Interop.Excel.dll2023-01-27 11:25:30.103 11241100x8000000000000000334215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.103{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\NC2X7XXL\Policy.14.0.Microsoft.Office.Interop.Access.dll2023-01-27 11:25:30.103 11241100x8000000000000000334214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.087{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\YSF869SN\Policy.14.0.Microsoft.Office.Interop.Access.Dao.dll2023-01-27 11:25:30.087 11241100x8000000000000000334213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.087{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\J85TWLSD\Policy.12.0.Office.dll2023-01-27 11:25:30.087 11241100x8000000000000000334212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.087{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\2B3VUMOS\Policy.12.0.Microsoft.Vbe.Interop.dll2023-01-27 11:25:30.087 11241100x8000000000000000334211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.071{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\1QFHNL88\Policy.12.0.Microsoft.Office.Interop.Word.dll2023-01-27 11:25:30.071 11241100x8000000000000000334210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.071{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\4O7WVOA8\Policy.12.0.Microsoft.Office.Interop.SmartTag.dll2023-01-27 11:25:30.071 11241100x8000000000000000334209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.071{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\YSU5RB05\Policy.12.0.Microsoft.Office.Interop.Publisher.dll2023-01-27 11:25:30.071 11241100x8000000000000000334208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.055{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\KBB9DUCN\Policy.12.0.Microsoft.Office.Interop.PowerPoint.dll2023-01-27 11:25:30.055 11241100x8000000000000000334207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.055{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\F2C4NYTW\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl.dll2023-01-27 11:25:30.055 11241100x8000000000000000334206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.055{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\1P20WPCN\Policy.12.0.Microsoft.Office.Interop.Outlook.dll2023-01-27 11:25:30.055 11241100x8000000000000000334205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.040{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\GNQCALD8\Policy.12.0.Microsoft.Office.Interop.Graph.dll2023-01-27 11:25:30.040 11241100x8000000000000000334204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.040{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\J937JX49\Policy.12.0.Microsoft.Office.Interop.Excel.dll2023-01-27 11:25:30.040 11241100x8000000000000000334203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.040{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\M57H6HZ1\Policy.12.0.Microsoft.Office.Interop.Access.dll2023-01-27 11:25:30.040 11241100x8000000000000000334202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.040{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\KCYAWZXR\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll2023-01-27 11:25:30.040 11241100x8000000000000000334201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.024{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\F5KO39LO\Policy.11.0.Office.dll2023-01-27 11:25:30.024 11241100x8000000000000000334200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.008{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\TZ4JIVZ1\Policy.11.0.Microsoft.Vbe.Interop.dll2023-01-27 11:25:30.008 11241100x8000000000000000334199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.008{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\32QJYNNB\Policy.11.0.Microsoft.Office.Interop.Word.dll2023-01-27 11:25:30.008 11241100x8000000000000000334198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:30.008{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\WG7G1YCU\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll2023-01-27 11:25:30.008 11241100x8000000000000000334197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.995{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\7ZQYQMSX\Policy.11.0.Microsoft.Office.Interop.Publisher.dll2023-01-27 11:25:29.995 11241100x8000000000000000334196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:25:29.995{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Windows\assembly\tmp\3C0E3ZRG\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll2023-01-27 11:25:29.995 23542300x8000000000000000334231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:31.372{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714083316EF54E36B60A421E58AEEF4B,SHA256=CAA4385B51D443C937E6660F3A9A06AF30E09F0CD9C8ECD9D61EC9053970B191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:31.319{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C4866CA089059B2397CF8D2CF87CAF,SHA256=B45126F12CC6D1DB90F332688B45A095AB3E5B49E8B5BF8CA5420250A7ECD107,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000334252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:30.387{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51019-false10.0.1.12-8000- 13241300x8000000000000000334251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:32.901{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vstoee.dll\UseURLDWORD (0x00000001) 13241300x8000000000000000334250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:32.885{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\VSTO 4.0\TypesSupportedDWORD (0x00000001) 13241300x8000000000000000334249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:32.885{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\VSTO 4.0\EventMessageFileC:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll 13241300x8000000000000000334248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.869{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.869{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\SystemFileAssociations\.vsto\shell\open\command\(Default)rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %%1 13241300x8000000000000000334238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\SystemFileAssociations\.vsto\shell\edit\command\(Default)notepad.exe %%1 13241300x8000000000000000334237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:25:32.854{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\bootstrap.vsto.1\shell\open\command\(Default)rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %%1 13241300x8000000000000000334236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.838{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.838{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.838{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:32.838{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\WOW6432Node\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32\(Default)C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 23542300x8000000000000000334232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:32.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EA3427B53F94BCFCD57AFCDB16F3C2,SHA256=3318D4B0114DD621F5C06259DD61560A8A8EF249CA4749F1C236F1F429A00A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:32.420{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536C578C1E3FAC80180CED1C94A0C52F,SHA256=0203E8F4EF4273FF3E58E83C11EEC9653DADB427783984C9A5C89C9632BAC950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:33.517{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CCAF4C1E36FE4C24E8E1D618B70600,SHA256=72DB65D3CE749572A4475CD5F0DF03A27457FAE3A19DA2512229BEEBF071F508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:33.696{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398DE1EF554D17918BD3C54FB118C6B6,SHA256=06CC50F74CE7DAC1B03C72AB1C485FA27371A19843DFB0FE4874DC663D428EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:34.616{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C94A6F9081765D502FFF1ACF144136A,SHA256=199E21AA0D43BBDF108E8BAA987D05790988F17A3DB699738CEE409A181EC27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.783{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1127CCB790AD776B1B093ED7D2794B,SHA256=CB8FAA188EF8ACB8AE503F05FEDC510FC99D19A3F9F4E005FB1B40A490DE97F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.768{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E271EFAC932919283BE29F28EC849C43,SHA256=6E972E9E5C4FBED0AA4A01A07DB6CD7F57D0032B962801F76C011027513139B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:31.798{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:34.163{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.607{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5619.tmpMD5=85C03E236D63A5C3DE41B6BCB457EA0C,SHA256=AEB30AA394D0A057AA919C2DF3ABEE1DFDEC55A3C1765AD906D486B6CE692E50,IMPHASH=498DF585AEB91C1602F9486FAB464874truefalse - insufficient disk space 10341000x8000000000000000334660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.592{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.576{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.560{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974983FD28234F27858E4020C2536AF9,SHA256=CD45BE1CACD1C2921CF896FB34FF4E4B5D0E815AE1E68CC6E5FA068CA405EE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.545{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.529{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.515{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.500{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.499{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.497{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.496{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.496{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.496{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.496{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.494{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.491{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.491{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.491{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.490{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.490{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.489{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.489{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.488{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.488{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.488{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.487{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.487{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.487{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.486{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.486{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.486{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.485{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.485{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.484{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.484{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.483{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.483{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.483{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.482{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.482{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.481{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.481{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.480{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.480{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.479{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.479{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.479{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.478{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.478{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.477{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.477{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.477{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.476{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.476{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.475{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.475{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.474{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.474{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.473{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.474{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.473{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.472{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.472{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.472{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.471{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.471{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.470{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.470{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.469{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.469{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.468{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.468{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.467{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.467{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.466{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.466{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.465{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.465{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.464{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.464{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.463{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.463{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.463{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.463{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.462{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.462{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.458{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.458{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.457{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.457{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.456{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.456{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.448{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000334279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:34.433{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x8000000000000000334278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:25:34.433{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x8000000000000000334277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:34.433{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\InstallSourceC:\Program Files\Microsoft Office\root\Integration\ 10341000x8000000000000000334276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.433{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.417{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.417{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000334270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:34.402{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vstoee.dll\UseURLDWORD (0x00000001) 13241300x8000000000000000334269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:34.402{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\VSTO 4.0\TypesSupportedDWORD (0x00000001) 13241300x8000000000000000334268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:25:34.402{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\VSTO 4.0\EventMessageFileC:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll 13241300x8000000000000000334267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.370{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll 13241300x8000000000000000334258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 13241300x8000000000000000334255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:25:34.355{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKCR\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32\(Default)C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 23542300x8000000000000000334254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:34.229{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3904CBB33B82A431EB3E0B13E30E5F72,SHA256=A7E5FBE4AB11000BDFA98131BEF362C4385BD7113EAC9BD26450795D112FC76F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:35.708{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D28073637CA764F35F51DC9CE8F0640,SHA256=063BF4BE4C5353E9C5DE298FCF51F13362D144BC19C918904ACF945DD8DF6ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.860{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6961284D67B9477099C31CFC03530B,SHA256=F6547C63A3B31AF83883A68D978094239AABF01DBD1695F32B32228681D7280B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:35.599{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:35.599{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:35.599{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000448280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:32.847{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000334671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.610{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0D9VN0377B\System.Xml.ni.dll.auxMD5=14534856F5BFC8845800D7A0C0021323,SHA256=DF0C74610B1D9ED7885858C67522DCC363520C33C02C892266B6EDAA443F20EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.610{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0D9VN0377B\System.Xml.ni.dllMD5=A49A9BCFBC3F880CAEA2B5E8D0DB3087,SHA256=E45A8FC2DBDF0D096F4763E4816346B46C4DCC752E1E7A5AA6569B1D2099D70E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.243{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\02B3H7TFAW\System.Transactions.ni.dll.auxMD5=41883768C7D7479B1DB43486DB643490,SHA256=1BAEDD2A3F1CF3E8A6609E785516D4FE12A0A385C609C883D2E4C93C7A3CA1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.242{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\02B3H7TFAW\System.Transactions.ni.dllMD5=633F934076A97D4532D53B525E93F9C7,SHA256=6E7917F3008778C89D0ADE04E311B5DE8E70E49881A956E4135A1835EF932960,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.140{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\01D4JKN8X2\System.DirectoryServices.ni.dll.auxMD5=265F04E5825B5E1A073A49E9FD6F94D8,SHA256=A8B6EC43DD3C84912112E802A37DD9A21A55A71E3BDD72B2669BA444C67F3505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.138{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\01D4JKN8X2\System.DirectoryServices.ni.dllMD5=990497BD43A6D44F67F276C3330502C9,SHA256=C2964C860251228AAB56F30AFE308B638E28FF5F8289D29E270DB5B63DDB82F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.080{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\00GK4F0QPQ\Microsoft.CSharp.ni.dll.auxMD5=EB4785C2429B2B2476EBE6AB2084F672,SHA256=1BCC0F38DB61E46E9E968F4B4624F497592E279FDA5EA0B1EDD9C028644D991C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.080{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\00GK4F0QPQ\Microsoft.CSharp.ni.dllMD5=4E9BE00A9F462A816DA023E507CE4BD9,SHA256=71E146A9D8DA013E1212381F3B4093BC99B320B4BD0D6A9D8C398D5C2577DDA5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:36.807{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808E7995481A37C782398B6622A18416,SHA256=46B4AA8351164EF9EAF648BFAA7F75F2345B1B9A46E42091EE2B10140C65D762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.950{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51E79E660985B837BD9C06A53598484,SHA256=9381C4FD5B0037414F83ED00FF930245C0EAC6557A7580FAEF5F6BF2163048FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.903{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.903{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.372{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.280{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IXBLZUCUP\WindowsBase.ni.dll.auxMD5=E33608F1B3F27E222E8CCBEE83F6B308,SHA256=9E1BFCC2D052D2C2602B51A13572380146B3F8BE1314A63DAF62802891FC3E28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.280{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IXBLZUCUP\WindowsBase.ni.dllMD5=DC15FA2CDF75F6DCE76450BF6B9D0C83,SHA256=3B453301E43ECFEA60292E93A2C11DF997F611180B79FD9C9D9077ACD9B75916,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.167{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0E4TZ04QXN\System.Core.ni.dll.auxMD5=B4E398E15608DCB07F1486AB39A3E46C,SHA256=3EF6CC8395192E32A8C2176D8BD0F7100312E12F0DB88CAF5CD329862B015D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:36.164{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0E4TZ04QXN\System.Core.ni.dllMD5=E5EE25E4B6D6DB3EEC31B05A37819267,SHA256=5250251530332F00CFA4A4D4E52C3A3A94E2302C34019F133834119F5DC7CC55,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:37.905{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4C3529289C8AFC06A71D4A24EA2765,SHA256=9EE37EF0FE4F30167596166ED9B7B9DA88B9D28F9CC768208D2231DBEA5E2D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:37.880{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dll.auxMD5=84B8ACC5B13C06E48410687ADC7579D0,SHA256=CB2EC2B2788E5069BB12B9308159586E291BDF30E214CEF871EA1E6B2BEBB118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:37.880{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dllMD5=07887F94F904CF7FC14E9019CA4DA2BD,SHA256=200501E0564697E7A0FC680722FA4FEDADB9D012D65E7B0AA2080EF94FDDED43,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:37.443{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dll.auxMD5=9B60B2BBB90F47837198E6E98D82A4A6,SHA256=CF985A3477DD0F499F52050F169ACD88D7F2A767641C25774428BB2755123181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:37.443{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dllMD5=81C5B20AF92CE8DA61786746DFBBDA67,SHA256=0EC73A4C7D61C98547AAB5B48244022F241D02B1EA7030163D13F9E038D6F96D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:38.986{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84D22628E491401922052EC8F8921A6,SHA256=961D309274B0247E07BC577418C4C34FDD353047829BB3E33ACEEEBE5EB2A665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.834{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.803{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dll.auxMD5=4617D052309AFAEF26D5F4D8D4E23AE7,SHA256=0540CD44C52538002758AB0338A2DCFF1C1A02C362FE580545905B1106C75FDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.803{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dllMD5=1473B7ACF38D8269436DADE7A3A8C5A1,SHA256=9424F4B954C713E8D9562D1809B029DA51618BF6436C9D8B8CF704E354D034CC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000334688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:35.453{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51020-false10.0.1.12-8000- 23542300x8000000000000000334687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QP33TMGRB\ReachFramework.ni.dll.auxMD5=DAEC93A488F5EF6251A6E8AB4BC9CEE9,SHA256=C7AFA23811C9D3802CCBA70EC318BEEC6C450D6C67DEEF8807F09F9E2C644FB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QP33TMGRB\ReachFramework.ni.dllMD5=82343881FB9E180397874C3F01AE53A1,SHA256=51D1705CC0F8B4C4A5D2DE0F4DD850AC0F5E2F3252352653C21A7A70B3EB1BA1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.038{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72D3B095306A5AA0279474F3C48976A,SHA256=BCDFE7BEB3CB512C74F365DCE994C4B3F62F89CC0CDDBED46A18D4C21ACF849D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.748{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.727{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.712{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.706{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.704{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.650{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.639{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.621{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.612{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.597{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.576{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.553{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.502{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.477{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.318{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000448288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:39.310{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000334700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.608{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dll.auxMD5=F3C267CE9D1C3FB6394036F4E7D8E785,SHA256=A32A8CDFBDC610D9D6F3973CBF9D2DD972EDA72B86EF870D3A235737A6429578,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.608{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dllMD5=91E874513E4D5B367AB69CA603378A7C,SHA256=704C43518065008070ADC26CDA82847024C7C543FA22971D67EEBDEB9528C966,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.608{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\131O3PASVK\System.Data.ni.dll.auxMD5=A3A8748F52344D3636E50B0BB9AB7D0F,SHA256=635747067A5AC1FD1103FB026C5B6EE09183ADAFED601ACB4599BD077256F424,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.608{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\131O3PASVK\System.Data.ni.dllMD5=204D54FBEFB0BF86FB890801766AA43B,SHA256=9EAAF66BA0FE1FD62107F8BFE02C633D8DC1000CB6BAB3152A4ECE13028E4670,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dll.auxMD5=369EFABDD4D345DD17D7F6E96CCD5E41,SHA256=793116A843DC9D67DE87EC0A2ABF11E47A922664B267410098AD7B65AD4430D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dllMD5=B08D3457D316715E513E092A4E1F1B22,SHA256=A679587BF2CAC9D31CDDB246811E683C3F8C5237A7E497EC44ACEEBECE5BB901,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:39.130{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4445D4B06F1DCD7392D3AEC136D3C29D,SHA256=A029E1CF654E579A1873036023ADA1A771F21ACCAD6DB8046D9F9E4FA55206A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.486{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.481{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 354300x8000000000000000448308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:37.795{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:40.032{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2BA1ED67CF0E788244E7334F28F95,SHA256=2C0FB11FBEE07CF1E11B411D9EFB85B72FA223C04EB333E2168F77C5D10326E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000334762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.928{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.927{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.926{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.922{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.913{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.912{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.910{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.899{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.887{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.871{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.866{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.849{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.833{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.804{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1ALOP7Y5ZS\System.Configuration.ni.dll.auxMD5=8792652766DB709E279C97CC11F9D75D,SHA256=8E4C1DFC695795E673FCA461BA3B6279D2706A69F74844220486F483001920A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.802{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1ALOP7Y5ZS\System.Configuration.ni.dllMD5=6874BA87C64A9BF0F5A5305D25654DE0,SHA256=B624880F49BC068F6766153AD605D4BBAF8ECFDC43A6335C3D2F0464764E9260,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.800{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.797{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.761{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dll.auxMD5=BCCA60143E9395CBD98ABC97FAF648D1,SHA256=799DD94DC299F621AF5D70AC9D47731415435028A5A9B625D44C5611C77D14DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.759{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dllMD5=B9E34CEC4D766AFE6195FCDD5C265721,SHA256=E1D7D03019EFE1A8247C17C2575F647A7FF7E0B6C9CB9996BA29EBB8F9A8C303,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.704{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.694{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.678{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.672{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.670{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.668{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.666{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.662{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.659{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.655{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.649{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.648{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.646{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.645{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.643{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.639{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.621{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.620{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dll.auxMD5=CCAD9FB37273BAEBE3F5FA188E00C517,SHA256=67F0D2F9036FA94E2C9FA5EFB2D3D041BBFBE59378A4D2A5BFA52E7821ADC2B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.617{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dllMD5=6BE5BA854610D494C606FCE794962FB3,SHA256=95729D65C54D3EC524E4C11C51147EAB34F0F0523983715CD62D741CB94BE626,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.605{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.599{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.587{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.584{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.568{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.549{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.545{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.536{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.501{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.494{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.485{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.477{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.469{72106695-B49D-63D3-E403-00000000BD02}1088NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=1CC8C1FD4BCE8FE5FA2F769B33EBA25C,SHA256=BE51D1FF4B5A4FD77DD5141C0DBD85128626AB09CF64BC78187577D3C51F7F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.433{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.411{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.379{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.359{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.347{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.330{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000334705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.325{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000334704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.220{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFB7F5A7182F4BAE1C0D754E293022E,SHA256=042058FB34CA39916FE18F1F613E5A71EB1ED79B529B433DFAA0F33A82B1FC24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000334703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:38.082{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51021-false10.0.1.12-8089- 23542300x8000000000000000334702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.185{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dll.auxMD5=0D59346ED726744FEA0E19160BD691D5,SHA256=77169350D0B655C78CE5B6ACE4BA8B2542B952D2566D0EB2BFE7CA3AA919E965,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:40.185{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dllMD5=FC3DE6187226828D53AF86A55AEFE990,SHA256=41B7A76F0DD86CFFE6D0CA3DC832FC4BC49BBF1B91AD8522A80A686C78FA8CB0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:41.076{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13085E2E39CA35A43ADD9B349DD23489,SHA256=40F70C31F68B762715039AA8601EC38B1192D462853818E58CAE77B777211869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.968{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.968{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.390{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27F4E1D0981B0C8BB951AD9AB92F418,SHA256=3071AA93B3A30F230350E3A52FCB84CE4851B7EF066C885852A4CC0005D69909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.390{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358D85133C669EFAA62E1CAF1AB20BCA,SHA256=78E88EB0FE251073F66E3531B48133D43CD8537DE0BD962C89B3177C84C44F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.278{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1E2NUQCFVL\System.Management.ni.dll.auxMD5=83395B6DD141355A0A6D915F0932A40B,SHA256=EA1954B436D4ACCDB0B87E2E905C65F869C55E2D9C97CE863685E95F1E5235BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.276{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1E2NUQCFVL\System.Management.ni.dllMD5=7384EBEA462ECB51CB546CCDD3EF4581,SHA256=D22F98651591A06CD56123DAE7835EFCF60B6283D307FD7EC00E894FADE923DB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.212{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dll.auxMD5=D29538F54E146DACA6A1D7E68B48829A,SHA256=D472E44502185F6EFA8EF2F24B7D25DF4EF31AA7229841672DD34F78B2A1242B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.212{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dllMD5=FE982F628A5787029F86C592E37326C3,SHA256=3067EB0023C9EF9AA2101FC0153CF6ADFF4EDD956EEE6028F80673439B5E391A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.104{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.104{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.104{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000334763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.104{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000334777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:42.508{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1UFVWVQJBN\System.ni.dll.auxMD5=28BED03F73DC4744FB49D7F20F049F10,SHA256=8483EC49A05339DBB4833BD234194E62DBF6E372CAF3E701874DE793FDB68996,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:42.508{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1UFVWVQJBN\System.ni.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:42.263{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A2EB41F8F2A3DB6DE7B096B740F06A,SHA256=9E1809F05323CD8FAEAE9CE93820BF1317CE5F707F4414EB7E456257BAF347D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.553{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.551{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.539{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.531{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.345{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.141{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E46EB67A64A8D64F838CE51ECC19B68,SHA256=DFC2BF7D70D70478C194109A12F63CC521EDD40EA93C759061B19AD846B05E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.633{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.633{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.524{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.524{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.352{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13A8DC107A5F547D56B92A306B35317,SHA256=6D4F6EE9BBF98A29DDF1D1FB0289130EA6B4D0C4D9C89B89CF5A2FB34698AFDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.203{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BB2D65D43A24AA908EC32B0FC1410F,SHA256=72D54D3A4BF63352844DB92079B9EB9FAD002BF319A5FB007EBDB691D5823B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.200{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.169{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.164{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.151{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000334779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.091{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dll.auxMD5=F6C231606A7F2DD887BFA24437925F26,SHA256=9A5409CD669694C142B59861B4C92B3F90AFBD4046E46888C8EA80D99826B199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:43.088{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dllMD5=431FC5E8180083E6FA1E00FF64B88ADE,SHA256=4FB1BA0C6AA024526594B04095FD9179A547D1C44053360A99CD463D11D3916D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.137{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.098{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.081{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.073{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.070{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.067{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.064{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.063{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000448322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:43.059{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000334788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:44.446{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F520841B4B9DDCBF394E37BD4E365DF5,SHA256=E24AB1B8F88501B4FD114E9D609A9E2512625F0838748EDC05DEAB31A29A0358,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:44.193{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830B7903481306B8F25BA12953F19588,SHA256=E2B4F74AF19D4B89064CEAA514E1D43837DF5DE7ABD85748D52E14CC21A6DCCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000334787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:41.324{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51022-false10.0.1.12-8000- 23542300x8000000000000000334786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:44.307{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dll.auxMD5=FD01F2FC3BB9C77DE65D7FE41BB7E3FA,SHA256=176DC7D281B5059ACA290E90B90480786F1AC745C1953B30BF63E39B63FCDD3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:44.307{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dllMD5=70FDF94CA68090BFC787A336F54A1F7B,SHA256=5804590DDB304F2DE4AB2E9E48C281FBB1EE09CB9C711DCD5FCE424CBB970636,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4B9-63D3-D103-00000000BC02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4B9-63D3-D103-00000000BC02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4B9-63D3-D103-00000000BC02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.938{45AAC21C-B4B9-63D3-D103-00000000BC02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000448339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:42.891{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:45.282{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0ACAD397C945A7C247726FBC786F98,SHA256=587D688CF5AF47471B48FB9313157B84486695A3A2A1DF32991F48784C1CEFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.959{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dll.auxMD5=5BC3A9D40323A2B04F4E1902734E283C,SHA256=CFF89802D8AC21E1BCDB723259BCB27CC029712A021861269F65FB5551CBF55E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.959{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dllMD5=849D0AA44BCEBD9D08A5FCD6C4880A59,SHA256=B34E567DCB7A031BD7B4F35B6DB317203674C0CF030AA7492E0937D3A31AE861,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.537{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EA6D19CAB17673C5F9E802D0022C46,SHA256=B3A39499C253A647E580AF8CAAB1A1B9804C08BEF38D1A03FE3502A8335D659F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.459{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2P1W0ABRMV\System.Drawing.ni.dll.auxMD5=FC5F26849EFBF982445B480BFF804638,SHA256=727468BAE2F554E06B8D2CBE4B73E98EC2235F69B034064CE4367C539E48EB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.459{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2P1W0ABRMV\System.Drawing.ni.dllMD5=C20190DA3D4B77A1662F026118F06968,SHA256=61EA726F02F345255C81371B7B124DB2FA9B4234BBE14E4DF8784DB752BD3D89,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.443{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.443{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.443{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.443{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.443{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.396{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2IQRHGJ2BB\Microsoft.PowerShell.Security.ni.dll.auxMD5=4EB9227BB637E780E8F7DF7FCF9521BB,SHA256=85359F19A0C43A36D367152C8FF3E16945BE11977580D932393228C5205274E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.396{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2IQRHGJ2BB\Microsoft.PowerShell.Security.ni.dllMD5=BD6C8E90A966C97639BF0EB1443ABF91,SHA256=4D44EB761C67298767D5419BCA1C6001D187F7E48A7C20C56FB678F4F8D141D9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.350{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.350{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.226{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2H6M26K2DZ\CustomMarshalers.ni.dll.auxMD5=F94B57E068DD500ABA0BA5FDFB1F99DC,SHA256=C9618464E1B126EFB862BB840281F3FC6B71D8721BAD650EF3944A1D206FF57B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.226{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2H6M26K2DZ\CustomMarshalers.ni.dllMD5=E2F88DB130BF5EC0A882463150F2C9F8,SHA256=5C509C888EEEB5696B1067D523860FEB49AB8BCAC1B5B0C29F41B3034C8F2635,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.195{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.195{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.148{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:45.148{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.974{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dll.auxMD5=964C12F7EDE4473648291D5C6D52CA5B,SHA256=09CD7BFB8C8470190592716E3BF441DAF0C0EC6DF889077E122A1463BFCEDA1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.974{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dllMD5=5F68656D96F957624F2094DD871627C3,SHA256=263A84209803C9AF4C4317A5C5FB37BE22885FFC93EF4C906AAF0C627D8EC0FD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.786{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ANFF7D5F1\System.Xml.ni.dll.auxMD5=ED9496CE2223D4E1A165BEFC8A495F49,SHA256=4F40C0EB01C6D669BAD474D8A1EFA20E9875920DDBCB1E521BBFEFEE2ACC0FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.786{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ANFF7D5F1\System.Xml.ni.dllMD5=37E129A04ED511528A4B868C33DA4466,SHA256=ADF060A953F940FFAC3B248DE75B69860F955197BEABB73C56CF26EB8705E668,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.537{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47585B3E5420A62762A2300DE2C0D52C,SHA256=214586D702332FD876AE545B32DBBA95B62043A747DE283D520BB3898D70F282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.986{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B69B113511DE21E4A6AE0DC6311266E,SHA256=BA7D9DCAEC36B2BA2CDE5EB22EA42EFD03E4689CBE780FC530B57143819006FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.613{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BA-63D3-D203-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.612{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.611{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.611{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.611{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.611{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4BA-63D3-D203-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.611{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BA-63D3-D203-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.610{45AAC21C-B4BA-63D3-D203-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.359{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C041DD0F556DBBA0974D34412FEA5,SHA256=E20EF699B455E43FEF78E4846B1C2E4D3D1B358399E9BFFBB0E51BAD755E0110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.344{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D490CE277ED4A31FF8E2C427669FD751,SHA256=0C58A515AD6972049F2F0B7E7626EB91CF6B62E3C97D74D1933A17F64CA6A4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.398{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.398{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.382{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\33D9J6HTDF\System.Management.ni.dll.auxMD5=7D6F927C57131D4BA4B817D14B0535F2,SHA256=52385B8582CF7D6A24B9EFAC81F672546D9B8D7BF12236F32018928DAD7DCD6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.382{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\33D9J6HTDF\System.Management.ni.dllMD5=E1D15AA9A521A2D3ADEC3D6F2943EA21,SHA256=325EC61F44C3C45853BC9745B783F8AC15BC905D13671FB2B531BAA3547DD7C7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.288{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dll.auxMD5=1D9AC23D3A528EC83A241C675B3BD0BA,SHA256=2DB7B57944D8B43359DE41CBDA59DA1228B2D57A86AF3B323F402CA87F457F08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.288{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dllMD5=E7D8816D0A6FA8D8748E1BAE0B4A6875,SHA256=A0D3EA7A34C4EAEF847DD511D3BFE0E783EEF75A63A6FEFCD03C2F6B9AAE4F68,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:47.625{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4506954787D50B21002F09217E8E225,SHA256=394E0D34B01C0D808E0898FEDE46D950145CEA41D5264A7391D3E96B66756578,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.968{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=97992E48D977337AC45046AB702CF5C0,SHA256=676C437B9398084891C95BFDD4448CB7389D9DA74E60E748565FD0F364C45E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.530{45AAC21C-B4BB-63D3-D303-00000000BC02}45642192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.468{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5094F6AFED5968325D06BEDD75739184,SHA256=A2B0C505EF5304A80759A6DC2E4F234100946B7D085B670D4FB094A0BC375B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:47.098{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3FOEDWZA8Z\System.Workflow.Runtime.ni.dll.auxMD5=040239C14D5A341296313A0B119D0215,SHA256=73642217BEE646BAEB72AEEA21CFCC2633676DF009AB80E219652D2673BDC181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:47.098{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3FOEDWZA8Z\System.Workflow.Runtime.ni.dllMD5=D408A74E1C9098119DB08603F750BB6B,SHA256=03B089D23C013938AA5CB20B90B028AFD85E28CC77E6E3CB9492ACAAAD2AB3C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.297{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BB-63D3-D303-00000000BC02}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.295{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.294{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.294{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.294{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.294{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B4BB-63D3-D303-00000000BC02}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.293{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BB-63D3-D303-00000000BC02}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:47.293{45AAC21C-B4BB-63D3-D303-00000000BC02}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:48.813{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3HJ6TL7K6A\System.Management.Automation.ni.dll.auxMD5=92EEDF88C57E4A589B74ABBBC3CBCDFD,SHA256=FA25C7EA1ACAD1E6A8923A91F48F4CF29515368D7B70B98F74040BFDB6D91C55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:48.797{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3HJ6TL7K6A\System.Management.Automation.ni.dllMD5=6546813573EE163A63C2B51A533C0DDF,SHA256=D36590DCAFB3D385470142AB898B6216F05371E75C9AF490C40BF63744B212AA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:48.735{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A708E53DF609CBDBA9FCE8E80393580,SHA256=2273E016014B48F9E7452C89F40868A873B74E4EA0CD36B90BCFB5185363C7E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:48.579{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1874EC2D284E638E1BB387E0BE8FCDA1,SHA256=D0EB66B3E97C6C88B0564F7AB69C7D4514D368B5C211D92C4F831CC7ECD4D261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.817{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63676316F526B5BB57D5A0B76199993E,SHA256=317CC4572B9650CC7F8CB56BDD8426C73352A01B4919D5F0E4156D8AD5FA1858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.276{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52719-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000448392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:46.276{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52719-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000448391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BD-63D3-D503-00000000BC02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4BD-63D3-D503-00000000BC02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.767{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BD-63D3-D503-00000000BC02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.769{45AAC21C-B4BD-63D3-D503-00000000BC02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.658{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795CBB2358BB5F2B49A046EA995CDFF0,SHA256=0210DB10128E5A3FE662869F49C34779330A757461ECEDD85E877D99BE9E1DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.676{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3VG6AMB4F8\System.Windows.Forms.ni.dll.auxMD5=E3FDDB4363F61FA6ECF05EF9D89BD30B,SHA256=C40FAD1510C2553B3D76ADB76B516845FD5E9A74D32CA3CE5E4602E7AD693FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.676{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3VG6AMB4F8\System.Windows.Forms.ni.dllMD5=D20A578549DCDD6D330722B853964A2B,SHA256=692A13CC85A50913AF66AF2CDE9F8D6CEA450B82AB49BFC2F5729E133B355B6B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000334831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:46.423{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51023-false10.0.1.12-8000- 23542300x8000000000000000334830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.094{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dll.auxMD5=6E2FE7A4355DAE72B2A560B93997D344,SHA256=39C8A0903E4C7697FCA69012253AA0A79981CCC8C8C3C53C097A9C753233643D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.094{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dllMD5=CDCED7F4E698C3DE8142E81A1A46A9AB,SHA256=6DC7DB265A13AA4C6A8DFCA621CD76C374D0269564732D7FE0097A9404A0CDF7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.094{72106695-B49D-63D3-E403-00000000BD02}1088NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=63B56C46DE17551567A6BEC7839A8E6F,SHA256=E63DF839B329C3EBDE4D95439BDABD9098830F6BA2CE86144CBF68FAE494EF4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.001{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dll.auxMD5=EA373B89C0FD4F1EE90998C42C3A4FD2,SHA256=A88BEF9CF305003D6B1E713629F962CE4B81079FF4F665D6F8A59A5C8C2E565E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:49.001{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dllMD5=08FAFE195EAA21633B7E1910E5E5685D,SHA256=3FA1D9C02A067D54B12F7BDC8333C0173B1BB42919BDFD9A76F189F57855FEBC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.439{45AAC21C-B4BD-63D3-D403-00000000BC02}4184436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.347{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.347{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.347{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.233{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:49.234{45AAC21C-B4BD-63D3-D403-00000000BC02}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.901{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D7769064D5B954BBDD5C5132BA3C58,SHA256=4B007020BA24108D859338AAD4445A13891F696888681B22772F40309A726A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.600{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\462ZHJYZC4\System.Data.ni.dll.auxMD5=8FCC2EE96B70B1E199296AA08F552881,SHA256=7E07C208B5E6821522A164E9D150847BB76257E57ECBA7977E21E322E91A96F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.598{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\462ZHJYZC4\System.Data.ni.dllMD5=C4CCBB5ADD5B68DFA852E1A0E5B5E761,SHA256=22BB815B793F6DC45E200FC4346920DC22A54A70BCC652346171BF86DFCB9B43,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.477{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=266FF3A9E7EA408C24E3B928D4E2DA9C,SHA256=FE4DC7C3EEF23228549A09BDAE3717B98385B52736BBAE63A6AD431C65A4F723,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.379{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26bca|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.379{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B49D-63D3-E403-00000000BD02}1088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dll.auxMD5=857C3C633078A0FF327EC1F905FAE10D,SHA256=31B50CA26261C58BCF0E35A0BFE7B4B13E7FD05F7DA3C20DFCA4E7C85C169ABF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:50.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dllMD5=45F542E6DDC2861FF2D6E1C16E05A4E1,SHA256=162BC0CC8560FAEC6AF395BE24D66124DF49F6FD8F21FA90A445BE4F34BC931B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.470{45AAC21C-B4BE-63D3-D603-00000000BC02}41005464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.266{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.267{45AAC21C-B4BE-63D3-D603-00000000BC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:50.017{45AAC21C-B4BD-63D3-D503-00000000BC02}28324732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAB684EA0F9CD2DA6873BD2B4D1FA6A,SHA256=6B1194A56DB7A47DA3824CE5A1955E678994E9A432E6A6199E1EECD791841238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:48.905{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4BF-63D3-D703-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4BF-63D3-D703-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.615{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4BF-63D3-D703-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.616{45AAC21C-B4BF-63D3-D703-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:51.000{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47544EBCFD8CC273838E09E8386B219,SHA256=4F7B865557445AB678C32606FC236B01159050278C27348C9489BB5DCFB40ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.650{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FEF0AA76D728C76D6FE434C9C2A7622A,SHA256=69D06CF59B0D2BA0AA964FB4B74CE28F455A5AB88DE551C268193A1D7BB810E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.525{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.525{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.462{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4AO21YV8QB\Microsoft.Management.Infrastructure.ni.dll.auxMD5=6D2157C463A55F2AF94B20168A6455E6,SHA256=2F5702CFE886C0757B6C97C01231505E793014ECA47D814F034AFC0DDE2DD524,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.462{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4AO21YV8QB\Microsoft.Management.Infrastructure.ni.dllMD5=68674C09A6E083CBDAA7A8E99A60D16B,SHA256=072FA88A9F1EB8FF17D3306C84C73CB91294659068B95629B7165448E9E4E879,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.447{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\49OAMDCR3N\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.447{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\49OAMDCR3N\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.353{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dll.auxMD5=4B4864D2BDD3887862604DE92C828002,SHA256=58CC8C85446792E57BD9A8C69881CD5E66A5EA5624DCB0B9704E7C356BE58950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.353{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dllMD5=B38253FDADDC16D1C0B919A2E89DBD1C,SHA256=270074EFA57847FF994319B6D696A0F1D4AD07564FB1A8D2FDC3BBC28C1AFEFD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.925{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4ERW8I4R26\System.Core.ni.dll.auxMD5=A98DB149D4B203758BEB5F96A140A2CB,SHA256=8C80B0BEAE2897470929AAF8D8ECD47C042C89484B2C8C014DF6F46EE5F192EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.925{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4ERW8I4R26\System.Core.ni.dllMD5=5C38785415209D6344AEF2A339984B31,SHA256=34EA806479AE7447AF18CA40830BB7604C8FB0B1ABB251317D9F8833DBBFCCBD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.255{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BHOAKYV38\System.Web.Extensions.ni.dll.auxMD5=A2B9117BAB40D191A4A4C676C1522A3E,SHA256=8FA129D4F6E2D279293FAE1B540AA24EF707872F4A1068D1943EFA9985C4C662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.255{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BHOAKYV38\System.Web.Extensions.ni.dllMD5=1A64A51A5F23FECB410B8F6DA83BA7C9,SHA256=C24A3F0FCD0934E99C5618017FB048125C11D231BACA1CEEC6836F6D776C6655,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.103{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:52.103{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:52.750{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C48F31C50CFD9CE8C1D8CC87A1474113,SHA256=88C25BAD52352527236A7C51DEF98D0F865D0DDFEEB1BAE58616598BDE7B5697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:52.099{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FCB2B8B6FA2F7029B814FE2AC5E90E,SHA256=4550FF7386ABF1A4F6E9C54DAD3AA91ACCDFAB59752C4038EC06BAF2ECDFF03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:53.172{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3002BDD584400FA9F2FB8FD4CC33B53E,SHA256=D6BE0387B3241870607C6278B58C8D4E15037D0DDC6FDBD4FED29691188A50EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000334876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.963{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.963{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.963{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.548{72106695-B4C1-63D3-0A04-00000000BD02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.469{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4IVCVXRB1D\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.469{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4IVCVXRB1D\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:53.080{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933F8492704B9F97135346FB0949DDCE,SHA256=2A81F3B44F64D537B67B33035740F94AC5A0AA31B2A49FDA63631503A20675EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:54.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F466D23FCE804ED8ACFD84D8E7BECA1,SHA256=953E194D12F83D75A3E7613BF67D0E624332FF7F24167ACC10BCFAD5DD00479E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.917{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\55AU8J2B0D\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.917{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\55AU8J2B0D\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.870{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dll.auxMD5=BABAF56BC4E7ED7F5936B9CDA05FB949,SHA256=472049805F257AF427D88C0CC081CA4CF33192FB0418912FDB75CAE1A5D97EF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.870{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dllMD5=0D4D6EFF8A0B941FA83A237F34282E25,SHA256=0B923E73C01D4448E476244603A9B8AF337DCF9342352A2E215EAA6844AA380B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C2-63D3-0C04-00000000BD02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dll.auxMD5=1D332A2AB96D39725A924B0F7AC5C9E3,SHA256=F7639920830FE768FDE77D0F7AA837CC6A2A620CC2864ABEF06F2D81AE5FF3C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4C2-63D3-0C04-00000000BD02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C2-63D3-0C04-00000000BD02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-B4C2-63D3-0C04-00000000BD02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.839{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dllMD5=4F8E92D7B2085AC07167893113B7EE37,SHA256=E5F3FF00F876CB67661B9838A89CBB71C4B5B61AE03D19B6B6020527A58F7691,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.621{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE8DEDA00CE1F3DE075CC0DBC1CFA00,SHA256=B64323FADE3178AC47DBD45AB9436BA0DACE5B0F9339AF9A4350EB62DBA4EACA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000334894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:51.489{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51024-false10.0.1.12-8000- 10341000x8000000000000000334893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.371{72106695-B4C2-63D3-0B04-00000000BD02}60404552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.309{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4WWTF7EZVX\System.Numerics.ni.dll.auxMD5=4DA08C47B1FD592045CE9C49E1CAB84A,SHA256=42B04A7F53796869C67104A9BEF30AD7E1FC9B5DDF2DA6C2ADB16173212E3928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.309{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4WWTF7EZVX\System.Numerics.ni.dllMD5=E89DD3BB5A05BECF57343CB897726E53,SHA256=6875C3CA5102C47223504AD1E16751B7B128AE4B6AE9385A24E7520D2E0B63F9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.293{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4ULIQ1UBZG\CustomMarshalers.ni.dll.auxMD5=0B245CA991030D611F28243B92D78856,SHA256=06397295AD580A500DEA3F4506E040698BDE7A3257DD7CF984342B8D39F9677C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.293{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4ULIQ1UBZG\CustomMarshalers.ni.dllMD5=80373965F95EC496E34085E864E66067,SHA256=8D50218FD9D8013DB004EC8E411A13FD19C1CCD41518A28E7FB489CD2D46A650,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.246{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dll.auxMD5=AB1FCBE377A6A30943BF24192D913F66,SHA256=1E7B1434F1E86E83CBFD081E03FC9AD1452D6EAEF768D18F35F90360F4AC6CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.215{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dllMD5=DFFF6CA588881F5D87FAE30E754C1D6E,SHA256=B900C0634566D824EB4823FD9AD1CD8C69B65E143978E2F92B6707F9283BBF52,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.184{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D42218EE1F40DF76D4000ABDC93634,SHA256=F01B1C73A945C65E36D79E3C50FB9F983DA3DE644E997404B8759C6CBB2DF255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C2-63D3-0B04-00000000BD02}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4C2-63D3-0B04-00000000BD02}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.168{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C2-63D3-0B04-00000000BD02}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.169{72106695-B4C2-63D3-0B04-00000000BD02}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000334877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.108{72106695-B4C1-63D3-0A04-00000000BD02}24565316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:55.370{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2B38F73E139345EFE56F187130E1CA,SHA256=C7791D232A6FA2CD883AFA6E2C37A85163C18402E92EA3855670BDEE45867510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.830{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5F6R84K9DX\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.830{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5F6R84K9DX\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.814{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.814{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.799{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BNKHD1SJE\PresentationFramework.ni.dll.auxMD5=38E8ADE9E0688FD47657D287405BBDCD,SHA256=B99D40817535CF6545496FCB664250BA12C81D29E667C33EC2895DB9EB9FF778,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.799{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BNKHD1SJE\PresentationFramework.ni.dllMD5=832765ACFF25ADB4632F6FE6DCA76EE4,SHA256=70661C532C93A7F6C639697FB4CDF5EE4DC53D875CCFE50DE1449EF60D0379BD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.705{72106695-B4C3-63D3-0D04-00000000BD02}46925852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C3-63D3-0D04-00000000BD02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4C3-63D3-0D04-00000000BD02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.501{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C3-63D3-0D04-00000000BD02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.502{72106695-B4C3-63D3-0D04-00000000BD02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.298{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC600239982DC93263BD404702188A7,SHA256=AC3B037094AFAA60D1AFA8226770EBC079556D986AF2CAAE51497D736F65AF28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.147{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-104MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.049{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.046{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:55.002{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\58ZB3SVF2L\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:54.999{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\58ZB3SVF2L\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:56.465{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D8C8C980167FDC4EFFE9B9B736C045,SHA256=E1072150B2E707F2D1236E4C10922FD63A278E1AE5EAFD711E878CC19A56A2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.957{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6AQO6G68DS\Microsoft.CSharp.ni.dll.auxMD5=47E268156ACDA1AC47111ED9B7EBD269,SHA256=E08EDF2CC1C73FCFF183B729BCB9123AA5BD4FA0375D3DE77D36FC7AE81E193A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.955{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6AQO6G68DS\Microsoft.CSharp.ni.dllMD5=5F9939CF8E3680218554FD483ECB6CCD,SHA256=20FA3AA93BAF831BB13EE7A02769F5947BCD7108E5C413C4ADD4BED59134E0BC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.851{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.804{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.804{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.773{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.773{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.710{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5UWCLCE3O0\Microsoft.PowerShell.Commands.Utility.ni.dll.auxMD5=51FA6895C0628E937DE3245B107B368C,SHA256=6872E0B6F34C008A7F48F7B09F6D9F0E9DB06AC973C7394DADB11559840459FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.710{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5UWCLCE3O0\Microsoft.PowerShell.Commands.Utility.ni.dllMD5=93EA3CBB745B8715C46D4225E579C461,SHA256=06BF40065259E94D31D1CA0B17D381CE2C3B491EA8DF43337D566F0637C9FB36,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.360{72106695-B4C4-63D3-0E04-00000000BD02}57645788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000334942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.268{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE324153DC981DB23CA52B9D5E0BE86,SHA256=D6FA926B7ECD3EF68DA8474C1292693B9C956CEAAC3433C2329DA8B443D9489A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.252{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5HU7H716YY\System.Data.ni.dll.auxMD5=8FCC2EE96B70B1E199296AA08F552881,SHA256=7E07C208B5E6821522A164E9D150847BB76257E57ECBA7977E21E322E91A96F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.252{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5HU7H716YY\System.Data.ni.dllMD5=C4CCBB5ADD5B68DFA852E1A0E5B5E761,SHA256=22BB815B793F6DC45E200FC4346920DC22A54A70BCC652346171BF86DFCB9B43,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C4-63D3-0E04-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4C4-63D3-0E04-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C4-63D3-0E04-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.177{72106695-B4C4-63D3-0E04-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:56.159{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:54.803{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:57.565{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D654F6F5DB21EAA6A66B1EA6DC18518F,SHA256=F2A1AC24989A4C075A07FAA7FD3107B998547212C10EFCDC03FE216995B9FC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.858{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.858{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.593{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76282C642B71670DF5700F454F03A1F6,SHA256=F9C9076CBF27472B4E6EBE69AC23E892B8232C087F1C03049C956C3E4C7CDE44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.562{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=99E7341DCE4121DAE7E18B92564A2313,SHA256=445A7A150D4B2C768B7194573AB017AF7A93A2BB0A17940CC858C9C68993F7D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000334983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4C5-63D3-1004-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4C5-63D3-1004-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000334977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.515{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4C5-63D3-1004-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000334976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.516{72106695-B4C5-63D3-1004-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000334975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.453{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.453{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6K0EN3K398\System.Configuration.Install.ni.dll.auxMD5=C5A5EE304B157AD73B399EEC1C149C5A,SHA256=2985F60A3A50391631B4FEDB991FEF9F62A50EEC9D330A3DDA849CFEF98AC12D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6K0EN3K398\System.Configuration.Install.ni.dllMD5=CB87DD3AA3057A9FD8F84DF6009382FD,SHA256=EF8F038BF1E9A8DD133E2975BF233040688ECFC89EF2B35269B61D0F1C625F53,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6EKNOZY95G\System.Core.ni.dll.auxMD5=F4EE59A6A7DF01044CE9C604A9FE9577,SHA256=259135ED0A30492BB6DA0A4DFF4817D91BC610D1F7CD89A1B0A863CCB3B936EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6EKNOZY95G\System.Core.ni.dllMD5=3A31931D0C2ED79A7D5DAA5EFFF0F6E7,SHA256=5941CBC9C68A2416AB0513002DC388760D7956E487C50BFC5CE2103FB9B89939,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.094{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.094{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.034{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dll.auxMD5=606A2790C740857716526360BA88602A,SHA256=B15A96066C9F545B826B491504F39A1460EFF5392D80DE4B1F5E75BBC86661D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.034{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dllMD5=934AD64C1561413D426D12F22B82DEF8,SHA256=4446DC25DA1EEA3B37DD99082A3D73CBCD8F334C79A60337C79564416E895C26,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000334965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.018{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.018{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.018{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.017{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.017{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000334960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.017{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4C4-63D3-0F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000448428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:58.742{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC48154A8CDA136BF7EECB6DEA1E7CF,SHA256=463471101CBE4F1B52A0B13BFCF563D4008C37C3B14A7F9B7EC8A72676ECE101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000334994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.752{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\78YXI48AHZ\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.737{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\78YXI48AHZ\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.559{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5002433A7D4BFB83302584DBFB7D1794,SHA256=9236F17DCE87808688C16F59E2F09300B9166A70D3FC4A3BCF632E6FA41124F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.293{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\75XAJX6YAS\System.Management.ni.dll.auxMD5=7D6F927C57131D4BA4B817D14B0535F2,SHA256=52385B8582CF7D6A24B9EFAC81F672546D9B8D7BF12236F32018928DAD7DCD6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.293{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\75XAJX6YAS\System.Management.ni.dllMD5=E1D15AA9A521A2D3ADEC3D6F2943EA21,SHA256=325EC61F44C3C45853BC9745B783F8AC15BC905D13671FB2B531BAA3547DD7C7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000334989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.246{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dll.auxMD5=E5FCD42C7D3662F69C906AEC226AF5B8,SHA256=48129DC1F2155ECD4BAEBCFB148120DA8AADD6520BE1BCE9D3B59DCF651906E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:58.246{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dllMD5=F2D17CA8803D8FF69D707964F3EE292F,SHA256=C7D8AFBFB161B83E2211721336DAB1E6C3FD5F5C0E973C8152063FD1AFB89E16,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.804{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62831B97FD9E5A41A5EFE29898B76A61,SHA256=4EE0B7C5D67FFBD171EFDBE16E9CB7E13981017AA7784880B82722783ACC7A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:59.874{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GLC5VRCGI\System.Windows.Forms.ni.dll.auxMD5=34426FE35F3F017E54EC87ABACFE7506,SHA256=826E1F78E36AB352C0DC0AD7184ADF7841849D388EE8E103D0E42BD3C0BFC006,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:59.874{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GLC5VRCGI\System.Windows.Forms.ni.dllMD5=41EFB0FD1133E96080FB5CB7B4F341D4,SHA256=9614C6A5C7E41DC5590C696DF0CBDB28F2A71A3D8F14F38E1C5273BE796B98C6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000334998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:57.524{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51025-false10.0.1.12-8000- 23542300x8000000000000000334997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:59.671{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D801053F2B334405C7E53F9FE0B168D,SHA256=7303F6C27FF5A273A35F5AF56D5FD9AD003571B5B8D871333F3CB6026BBBD338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.605{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.590{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.583{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.579{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.572{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.516{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.495{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.464{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.439{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.420{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.386{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.378{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000334996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:59.296{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dll.auxMD5=0F3C7B662FBC079F29C3EF02690771DF,SHA256=FA432BD61A221C689873F7123B62039D1CA3CA2DA09E90F87CA1C939F3FAE4A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000334995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:25:59.296{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dllMD5=8E96EC1FB2ED02BAACD1964616C6C37B,SHA256=9EEE12F5A918A691006264A2479B713E832CC7DD8F292F6F65D8BFEC3C6F0130,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.867{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AE9624AB99EC4BE1307BCCE10E08BE,SHA256=64F2E558E11C563830644DA0885C23EDD6C6C9373EBD17B3E353A12BEE98966E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000335035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.999{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.982{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.976{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.969{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.957{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.952{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.930{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.926{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.910{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.908{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.907{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.903{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.895{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000335022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.876{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dll.auxMD5=47D8164F6B5704DE03EE18C8BD6B1507,SHA256=0AA5F90BD35E835B70F375A5E5A4D7BB5E8FCD38BA34BA17F1F4B24598044389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.872{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dllMD5=6FF3D4E13A7F80E99CF8C87B2E2EA61E,SHA256=4B5DEC8E153D241755C9B804B32DC41D865A93F1D12A59533E07574524A528B6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.845{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000335019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4196C5A5F8DB08AC1AE2D8F4E02BA0DF,SHA256=38968589AF74EDE745A42833CB4DA659A26089144A5B768A9E2A54967499870E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000335018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.822{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000448453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.205{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.201{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.196{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.193{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:00.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000335017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.786{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.767{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.728{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.654{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.643{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.591{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.528{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.510{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.484{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.456{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.425{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.415{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.393{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.367{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.352{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.336{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:00.333{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000335055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.971{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38486917D0864A0BB24EEFC3F1DDD0,SHA256=DA0ED0C7FCD5F6A9900B3473C23CE1708F43316F03E2E535349996A9BC9EFC7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:01.947{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0EBDD002FE295FADBAA10A9F479743,SHA256=A485E0B4C2E15BAEA77CAECC654BCBEBA6A23613879860641866A9CF3DB1B939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000335054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.242{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.241{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.237{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.227{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.218{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.217{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000335048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.213{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000335047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.212{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000335046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.211{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.195{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.181{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.172{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.168{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.158{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.150{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.119{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.117{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.032{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000335036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:01.021{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000448474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.896{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.865{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.859{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.849{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.832{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.795{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.785{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.765{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.755{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.752{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.750{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.749{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.745{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.242{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.240{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.239{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.229{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:02.218{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 354300x8000000000000000448476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:25:59.847{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:03.120{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503D83A7E213E46BBD8C8B3DACE670F0,SHA256=C762C16A68F2BD3B33CF07D8D1FB1AE7CFFF17C9CE2F1B9C9373CC48E78308A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.553{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7NT18X4UQX\Microsoft.PowerShell.Commands.Management.ni.dll.auxMD5=1942DA283FEF89494A51CD2FCB624798,SHA256=97787393C04D3FC5E5F8FC72185EC988120F49FC3F4D7DCA5C8A9C47FE90D3A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.553{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7NT18X4UQX\Microsoft.PowerShell.Commands.Management.ni.dllMD5=A950069EA0681E896BEBF0405C914863,SHA256=0C54F39A27E53CB9354C1730A24A9E16F1558CDCB756625E876467B8987F4041,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.459{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7MD8IVCZR2\System.Core.ni.dll.auxMD5=B225A19F296B0ECD1D1B392680FE2ECA,SHA256=13DDFD5D8376A89C1093FBAC5411C18B0C31CFAF74DC837A801543F97F8C11CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.459{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7MD8IVCZR2\System.Core.ni.dllMD5=5E743F98387AB777164D537C3E6E38BF,SHA256=C788C70FB1B508C57587EF0A50B233D9D318C72353EB935DF282EF69776E2A8E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.098{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A1321EC5598DDE2677D7D63975E90E,SHA256=59BD5951CE43B4C49925FE162FFB4D1E033AC5594850C08A4333496C508D98EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.082{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7M0RNKZGH2\System.Management.Automation.ni.dll.auxMD5=A802C9808719866A397EC5B2D1089D5C,SHA256=5789889447C95B623C4E35587957C8FE26232D17F28366F9835F785052A3C733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.082{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7M0RNKZGH2\System.Management.Automation.ni.dllMD5=4E6AF42BE0D26C0EFD83E32B0AF3DD55,SHA256=2CF85D9E475A4EF43A4A23FAB8E8F2D9281E8035056AC68A8818B2E7A78CD054,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:04.217{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFF7AC5D4D75E6F91580466CBB50C45,SHA256=E0D75BED9F46D88DABD0DD4196770E7FE58E9C6B970C60C8350B4BB7D91A97D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.558{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\86ZK3PZNGC\System.Data.ni.dll.auxMD5=46118C86D328D88B6F91C26546A765E0,SHA256=A0EB022EADD199678C3DDFDCE0C792A0D49511753E7F7245B6A374288C121D4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.542{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\86ZK3PZNGC\System.Data.ni.dllMD5=5880059EC43D513D3D2B58BB915ADE73,SHA256=338F7838E9D1CD563FD832A382B9CCB1591D59A7280FC7001D29D912909CBBBE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.192{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B91E3A471DBB13516E46EC921D8976D,SHA256=2CED0A9C33A62FB79EBCDAFC1B4D440CA0302E23E03D4679111E1EC02F64DF90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.161{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7YUC82S01Z\System.DirectoryServices.ni.dll.auxMD5=23CE0A6869F02084866C6CC84FA560DB,SHA256=F15EB39D61DD8F94B50F723B8A7E468224B3A6802EA5D8FD475C3E47B31B5EF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.161{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7YUC82S01Z\System.DirectoryServices.ni.dllMD5=05D15B1B56CA953CA35E6738883CB557,SHA256=68DA3DBA92F2FFE1AAD95B46E65186EE16FC700AF01738E838732EF0B94F1A98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.069{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7RXE5DQMLS\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:04.069{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7RXE5DQMLS\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:05.326{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADC82CA3876991865380B6C43908A9A,SHA256=E28E43C522EC5A51E74463EA58E34CB52D83A4DB88D40CCDB12F4063AD59491D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8GIDQYGDZ6\System.Core.ni.dll.auxMD5=B225A19F296B0ECD1D1B392680FE2ECA,SHA256=13DDFD5D8376A89C1093FBAC5411C18B0C31CFAF74DC837A801543F97F8C11CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8GIDQYGDZ6\System.Core.ni.dllMD5=5E743F98387AB777164D537C3E6E38BF,SHA256=C788C70FB1B508C57587EF0A50B233D9D318C72353EB935DF282EF69776E2A8E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.458{72106695-B4CD-63D3-1204-00000000BD02}43724328C:\Windows\system32\conhost.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000335077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.442{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000335076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.442{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000335075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.442{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000335074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.395{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.395{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.286{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32101D5AA81DC91C219B49C69EFF4AC3,SHA256=46FC121456747EC0422A856BF7E270C172C7956747461152B312E5C1A5B9CFE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.026{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CD8UZC6MZ\System.Core.ni.dll.auxMD5=013277D926600FEE37F6DE6655FB40B3,SHA256=95B4838E806B9231A478DE12CE63D595A691B9E9E3AD073B2FF0962385464A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:05.011{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CD8UZC6MZ\System.Core.ni.dllMD5=A9F9876DFDF47CA3FDB3CBB3326D13EA,SHA256=DF6D6A1345DC974C0D5DF039403DE65156918A4D4EB08343A2ADE6256597B1D4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.855{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.855{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.809{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dll.auxMD5=C01ECF7E635ACE095C407D20F703DED5,SHA256=8FAF355B875FE7A537D651283A77C77B5A95982427C0D520A99268846EFDFD84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.809{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dllMD5=F1A2535A0424F3F86C727E007F7A6F03,SHA256=8429E3661DD8E26425E938C735597BB4545AAE73AC1EA8A6490140A4D9CB6AFA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.699{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.699{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.699{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8K7YUX8LS3\Microsoft.PowerShell.ConsoleHost.ni.dll.auxMD5=05EC2D19A4225789291F320682489A57,SHA256=2B6C244708614C8D2922DA12CA614C78E0FEE8091C03F8DA368515449B70F8CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.684{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8K7YUX8LS3\Microsoft.PowerShell.ConsoleHost.ni.dllMD5=6D71203E0AAA754C83FA98EA9748505D,SHA256=2C5785BCE015ED9CB2301E96253CC881E83B2161F24267E662274E6FCD952511,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.684{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dll.auxMD5=5AC47BDFF85309943EFE3B48015AE6CC,SHA256=B954B0424A3B86859EDEB4E1844EAA13FED43EDC3E64022F93D28850E174AF61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.668{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dllMD5=8C13DC1C231C74434BE8B18DD5D86480,SHA256=1E1471068E3390B52D4DEA0BBF6532C3CD4FF8B396835933FBEDC7B9ADBE11B4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.591{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000335100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.497{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5211D826072D68100219FAADBF96160F,SHA256=C62990249900B816731478D65CF6E1924351FB5E79AA565204650A1751BDEE49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.372{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA092925F1AC6AF8627E04C962FD3E9,SHA256=797120E38CCD5A16B4BB542390E1D97BCA3100BFC9EA67A7B43242C25AC26DE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:06.422{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460CF835C2A8A5204E85D248C28F1BCA,SHA256=1E7BB5F235F9C7B23461DC325699053DE9F40B75B556D1447C1D1BC4C58D2E63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000335098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.257{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.257{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.257{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.256{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.256{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.256{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.250{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.250{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.250{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.247{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0700-00000000BD02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.247{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0700-00000000BD02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.247{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0700-00000000BD02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.245{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.245{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.245{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.242{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.242{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000335081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:06.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000335122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.593{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\91IMSHSDIG\System.ni.dll.auxMD5=7DD398E1F54483024723F548DF792CB0,SHA256=A7026CD139C728B800FA59762320D814AD5C3AE6E7EFA5E053FC7B1A3ED0DDCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.593{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\91IMSHSDIG\System.ni.dllMD5=7700F069ABFDAA40EFDA30B79098A64F,SHA256=9AA41741F785FF3CB5F3CDEC8C5CA34EEAC8F7F76DCB0133FCFE9B189E08EA88,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:07.546{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000027bb02f51e48dc3e0db3390b300af68d00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x8000000000000000335119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB353C77C4DB4E26595416769331B493,SHA256=7C50813195D0E8E21E4ADBCEDAC209E108475CA8A23144FB7723DF367A17A9E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000335118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.473{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000335117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.473{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000335116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.473{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000335115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.472{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000335114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.472{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000335113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:07.472{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000448480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:07.514{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61070DE8A9C6AD2FC709EE73D6EFEE5C,SHA256=BC0006DA3C152E21F51E6D0BBD3F23630443128C913ECB4A697499947EDFDACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000335112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:03.488{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51026-false10.0.1.12-8000- 23542300x8000000000000000335134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.688{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0377AC5F8E4E92071E16B93D560EDBA8,SHA256=12C9368DD57CB0C725F6AB5E3788B8718EB186C6E45196A9B8BDFDBDF66ACFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.624{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dll.auxMD5=5EDEB7CB71D6AFF9F7615368262F0EDB,SHA256=A2F1D764B84B3222C7E77D8A9BB17EB369BEBA8DC915B549647C7D1331644E59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.624{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dllMD5=CE8C60E7028F27055C4A6C327FA97113,SHA256=4A235FCBCAC5F3713DF6A2BC0636A0FE5F12CA49B3CA2DD18034902FD4C129C0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.608{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=26F52F7232F7DD2811849A2550DAED6F,SHA256=C66BA393219D5C51A2A2E35D1808CB4B24DC3B2657B82688B4D1E1C35CCF83C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:08.581{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616DA1C11D4E913DED65D76F76E43328,SHA256=CAB9DF678903C9C9F64B2E0EF96414D4AE0259904D67212619F4CD3AA7D2CFD8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000335130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:08.577{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000068583dc536ea8c3daf81bdbdf12127d400000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x8000000000000000335129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.137{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\99J3FV03MK\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.137{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\99J3FV03MK\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.076{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\97OYL2KPHP\CustomMarshalers.ni.dll.auxMD5=9864756A5F687EB1558819FC8F61D502,SHA256=DDF3F3B61C5D426E096D405F9171AFAC0361F79E775478A3FD1B95614AD767A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.076{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\97OYL2KPHP\CustomMarshalers.ni.dllMD5=C2A4AA56F7B26996223DCC63EC2B33F1,SHA256=50E2E6075BC71C3FDAE18139033F0552DEC58A32B25134DDF339790FD97B3102,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.076{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dll.auxMD5=3A2FF34743BE9234A2C896E3C7A8EA0E,SHA256=1F1647BAB2A25AF7215FCDC9C03F88D0A2CB1EAA1E61CEB6288D28B69E59D546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:08.061{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dllMD5=4BEBFFC9DAFC484D7BDA244385B9518C,SHA256=0B08FD59C9CF52A30AE65B34CD40378B906A1169456709207CA365A5783DBCD7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:08.047{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000070aa163b48d93a6fb1c459f613fcd65f00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 354300x8000000000000000448481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:04.872{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000335154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.962{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dll.auxMD5=4554DB58691601FBD376774956021AD0,SHA256=C97E662629BE150ADEDC669040A735BF6BE5C8F4DC6B1007F4F041A1E4CC2969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.962{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.947{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.947{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:09.915{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00003312f700c3d03614c2c9f93e32df9af300000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x8000000000000000335149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.665{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE0A26927DEC568ECE2F697E64ED7FF,SHA256=498F0C3D4C0E02F79650819E0CAA26B06426F520FB54930968162C476689E199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.634{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2D10C239BB6568D8A91464D2552A49AF,SHA256=CA8F57AC4B52076D95D78307A91E49E50C0A41B5461BDC4FAF02F9D42F037864,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:09.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067A514D63B44040B8798D35DDA7A5A9,SHA256=0F26A03671CC83E314FA0D595C6381EDF77B0A03BF09D93AED25EBA3228B28AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.353{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dll.auxMD5=8451615FB68C5792747E6B9F17CA39FB,SHA256=F36CB4DA58C61B9521D0B82E1AF455BC583B717FA5D13195E5D3E465B4745764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.353{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dllMD5=C2B7030570684F5C7BAF333C9C6DB4B5,SHA256=1C938CA0C98F20F6200B9EEBD2895CE9CA98DD6500A25B734C0D5D7442CDC641,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.309{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9U3CQM5TCF\System.ServiceProcess.ni.dll.auxMD5=9046DC8AF57A689737E35673E1FEBE4D,SHA256=0718FB2272D8BDA1BE26978BC6F3F271E3E73EF81782F75BD593C4B5273F8388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.308{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9U3CQM5TCF\System.ServiceProcess.ni.dllMD5=B4E93247C9175B5C117FD4A0B662D510,SHA256=60596192CD9252FE839884860D51FAA078887038E91EAEAB3E04E563E6F66ADB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.258{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9MTJ7KUB8S\System.Transactions.ni.dll.auxMD5=27BA9FD22B5A3545C667BC304FA929F2,SHA256=37D33F6BB00D092AB9E8658CE9824B6752EC369A41F26937283252917621A015,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.258{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9MTJ7KUB8S\System.Transactions.ni.dllMD5=C9B87F3CCE52382C2F785874EF10A895,SHA256=5EA0E414F61FDF71B1C3ABAA77F0BF9629F268C802E88ADB6033185A89E83734,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.211{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.211{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.211{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dll.auxMD5=BC3DDDB5F07C162D92B2037E6880680C,SHA256=4B74A1D3FF9277CA53DCF8D3541DADA05ED4A1B570F67D2B7C45957DF366448F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.211{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dllMD5=87E23D848DCDA15E4AB088D7471A99D2,SHA256=55FE1EAC63C9A18285EB2C4CF0CCF1FC54C4DDBE4AC3A5E661889E7C22AEF598,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.196{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.196{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:09.149{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00004ee7114ba1c474f7bbd42f8c9f930b0700000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x8000000000000000448484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:10.958{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008F275B311015A498F0311AFAAF1A7C,SHA256=9F92FBC5CF052E6B8F283866F9D22570F24B85505A529ADFE17066F54ACB152E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.679{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dll.auxMD5=C868E3CE49BA0E024BA044791DD8B901,SHA256=019CED5A20050041A0B1C6A7259A71BC867DF0A952D36A451E86472359A39D42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.679{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dllMD5=950230DF069FC31756D6F15EE8C95D84,SHA256=951D336C2A06FAE7FF8B42CE8F293B2A226DD338A2C36A233CFDD55C05FDA763,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.585{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dll.auxMD5=0056AAE6263694AECA005FB9F4CFB72D,SHA256=12D06CC2F2616FC7265D9C9E30DCA481DC24D79EA4442FFA9B0DF6BD5BD0086C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.585{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dllMD5=25EBFB35A3C0117023CBE947C69E27B5,SHA256=D9139DCB06B272BD35568F6C1496B1323311CF71BED1E7979CEC3D6B63287C73,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.494{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A4BUAW1MXG\Microsoft.CSharp.ni.dll.auxMD5=657E82B143F4F6D421E3F26CB2555B1C,SHA256=CF20F8BE62BBD1EF68F1E5A13ED8A3C52E95DA8E14988BDDF138B2EC84DE7FF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.494{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A4BUAW1MXG\Microsoft.CSharp.ni.dllMD5=CC0828C993E26F7CC65662065ABCA3ED,SHA256=102D1A9C79B7B0264F81B7C73B5658990739312CCEE7C22F39BDE28E38991E1C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.416{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A410O5K4VN\System.Core.ni.dll.auxMD5=D0325488413187592F5E2E4B03A2B55F,SHA256=3621EEC32897E03A80F1ED5B7D4F96C3C492C611D0688225EADB8ABC8683004D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.414{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A410O5K4VN\System.Core.ni.dllMD5=9D157C15904F94E7FE0F7153425B2B7D,SHA256=FC0BC5198652B9137CC55C074FF1CDB1CA0D6C5EB99DF5B6DEA0E76240B8AE48,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:10.394{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\BinProductVersion22.1.0.0 13241300x8000000000000000335174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:10.394{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LinkDate07/15/2022 16:00:00 13241300x8000000000000000335173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\Publisherigor pavlov 13241300x8000000000000000335172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LowerCaseLongPathc:\program files\7-zip\uninstall.exe 13241300x8000000000000000335171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\BinProductVersion22.1.0.0 13241300x8000000000000000335170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LinkDate07/15/2022 14:00:00 13241300x8000000000000000335169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\Publisherigor pavlov 13241300x8000000000000000335168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LowerCaseLongPathc:\program files\7-zip\7zg.exe 13241300x8000000000000000335167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:10.393{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\BinProductVersion22.1.0.0 13241300x8000000000000000335166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LinkDate07/15/2022 14:00:00 13241300x8000000000000000335165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\Publisherigor pavlov 13241300x8000000000000000335164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LowerCaseLongPathc:\program files\7-zip\7zfm.exe 13241300x8000000000000000335163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\BinProductVersion22.1.0.0 13241300x8000000000000000335162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LinkDate07/15/2022 14:00:00 13241300x8000000000000000335161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\Publisherigor pavlov 13241300x8000000000000000335160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:10.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LowerCaseLongPathc:\program files\7-zip\7z.exe 13241300x8000000000000000335159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:10.390{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000024680c81dac170d7db33cc787caea7320000ffff\PublisherIgor Pavlov 23542300x8000000000000000335158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dll.auxMD5=5CC4A69861ADC3DC96AB2ACD2D9149CA,SHA256=8841D1CD4ABC260B2B0EE69E209E0F06023FE3C6D9D50A65510BDD29676904F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dllMD5=47D30AB50B1102E8FFEE9922F95C588B,SHA256=1FE316D9EADB703A05165965739493B8826C19A7C084EC53B50502A3231970F1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:10.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:11.146{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:11.146{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:11.054{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3D79ED21AB2F06F5F5B23F6291AD1C,SHA256=ED00C991CBD1762CE6FAE6A5529B488C9FA48FFA41D26EBD5C983C2D2E799B55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.290{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B02F7Q3CLJ\Microsoft.CSharp.ni.dll.auxMD5=991C7B904D3FB55B10661A499F5D7A36,SHA256=C68E4BF8D5070A137CD8D557EB244888E37CDAC60F64013454075FF2AA30512C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.290{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B02F7Q3CLJ\Microsoft.CSharp.ni.dllMD5=C2B2381957175D1524BAEE9BFF953A5E,SHA256=E1864F928D11FB8E55C9C0AFCEA6B698A969257A7E7FD6728B3A4186C892C852,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.196{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AVV4QXBNHE\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.196{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AVV4QXBNHE\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000335194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:09.336{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51027-false10.0.1.12-8000- 23542300x8000000000000000335193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AKFWMUL61D\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AKFWMUL61D\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dll.auxMD5=69DDCED53EB62AD5F23BABFB8BA6D163,SHA256=C5164F9DAFB6224D0280E449DA8D85EE507145BA79652D1C0E5994B86E4903F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.105{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dllMD5=2C489C8D4AF62D27FD4C18640F69CF5A,SHA256=09FDE2E93271A1BAD108E78FF0AD6662086D86D4095ED412E7064C9C50EC0117,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.088{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F74B0E207CD823CF99E9CF88C5050D,SHA256=B4C69780EB4A1EA7E475F2D1076A0A4BEDE9FD23297E98A71EA3BCF15888FFB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:12.046{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE37FB6F3BD8D11AB5BA7D7C97F3A38,SHA256=27B5918102F97F1656D23589C74B06023A5A3DBC5D401B4799A3FA205503036A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.027{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dll.auxMD5=BC5B8E9098BCB0FBD5B0BB3F67D6FA39,SHA256=EBC59D5A5922EAA498E84B02C3F7179FC2CBABDB24D64995DDC1D46FFB0939A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:12.010{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dllMD5=17015EDD211E2B3F88EA4398394359C3,SHA256=9DB2318A0C2A57C66DA61C7D698A02480B64D635E332EEBD9CE461F7F65B4476,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:13.241{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C700660A4000AF7D9118B829F9DA0C,SHA256=8A962E0E746A63B57D0808B05AAE2B7E12C787934461C13BFA89D4C0122F751F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:13.207{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-104MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.952{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B73LG8HPP7\System.Core.ni.dll.auxMD5=64587669804C40B42668C205BA33BFC3,SHA256=A64B53800449804B0AD2FE567C89585B112A273E4CA44ACE927D4B9D1214AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.952{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B73LG8HPP7\System.Core.ni.dllMD5=C788288F4C40D6EC0EC7DE2DE199DBB5,SHA256=13D04D49CC42A92B5157A661DCEFBEF44B6B23777B3B8AB5AE92CA523E673DFC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.408{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dll.auxMD5=3EC54DEE44368C49379AC078874C7D69,SHA256=57BB02ECC01EC1AA52BCC116D735901E137A77E9943552D01B2E6493AF320307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.392{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dllMD5=D0E98E24CEAD9C2E25CFA692EC9250E5,SHA256=8A4926A4947088F44C02986196531D0D409F46A3D45974B17CA0A33EB0857457,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4E158F560990A9193DDFADFDEA1B1,SHA256=084659CBE1A97ECAF15B880D9947F4F99E7A6801ABDA550B6F5ACFDF1DA62FE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.071{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B4RS9CUO8N\System.Configuration.Install.ni.dll.auxMD5=35A313588DD8BF1C4A5557EAA79D2888,SHA256=8C1A5F0899AC55E471D0A266242CB849FA7A827C6DFB151597B962F19439A003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.070{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B4RS9CUO8N\System.Configuration.Install.ni.dllMD5=E6EAB74B0CC7C40180FA4FE64126C927,SHA256=2B84A2239A9EADFF8DDEDB693D7C2DB00821062A8A2330814592705446E34CA6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.064{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.060{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.910{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dll.auxMD5=E3B93DB9969E47579EF3CD308AD6F525,SHA256=57D5CB25CAA75CD1DE2F24CF07C558C8EAC60FBA70B71B5ADDA6CF3EBFF051F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.910{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dllMD5=FE7C04F63CBEA73272C0FF5DE1E67B31,SHA256=16280704304C7361CCDB7C088C00D94F72CF2B83E18186D96029EF12C8CBE1A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.368{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E03D1B222A866C08A73636DD8E4EAC,SHA256=6E9B786F104DF2305D53CF47B91B3E4EDE9BDDFDF8B671A8F2C3408F20E953A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:14.329{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D327759FB9081A96F3C3A775274E0FF,SHA256=89593F2E4230EE4A5FE499164ECE3D39E88D9FB158533AB9F0F0417A33597FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:10.886{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:14.205{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.077{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE2C6QQZTD\System.Configuration.Install.ni.dll.auxMD5=35A313588DD8BF1C4A5557EAA79D2888,SHA256=8C1A5F0899AC55E471D0A266242CB849FA7A827C6DFB151597B962F19439A003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.077{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE2C6QQZTD\System.Configuration.Install.ni.dllMD5=E6EAB74B0CC7C40180FA4FE64126C927,SHA256=2B84A2239A9EADFF8DDEDB693D7C2DB00821062A8A2330814592705446E34CA6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.077{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BB1M9YGO38\System.Transactions.ni.dll.auxMD5=AB84AEBEB050F5121DF68F4F87C7F5FD,SHA256=2EE998C217D1F54077A19AC1FBAF734FF45F6F8AC712A23D80BBCD2D72B110F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.077{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BB1M9YGO38\System.Transactions.ni.dllMD5=0D4FEEEE0FD448095C4CDA07EF4A24A1,SHA256=05DFF969368D90716F7F7DB92A4B0DD3792C5FF93034B299B5A30C4D89185B5A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.999{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B9QGKQMG77\Microsoft.CSharp.ni.dll.auxMD5=991C7B904D3FB55B10661A499F5D7A36,SHA256=C68E4BF8D5070A137CD8D557EB244888E37CDAC60F64013454075FF2AA30512C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:13.999{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B9QGKQMG77\Microsoft.CSharp.ni.dllMD5=C2B2381957175D1524BAEE9BFF953A5E,SHA256=E1864F928D11FB8E55C9C0AFCEA6B698A969257A7E7FD6728B3A4186C892C852,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:15.417{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55A96A72311AA0A32980F9639E19234,SHA256=8D0E56781D900E63005CB0A622BE743E58CA91EE9EADAB27036F4E7ABFA99326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:15.479{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB74CBB6D46B354890C1694211CD6D38,SHA256=4B6EBD8CE7D243600D61113A229B1D9E348C377D0A4B10D12498B2D4E37140CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:15.419{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dll.auxMD5=C4730B6A55D190A4DBF04E66F071626C,SHA256=6CC8AF52FD8F807A5DB3DEA7FE2FDE042772BB6BF401E70438FDC785170742FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:15.419{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dllMD5=00248C9DAA0CD4F85D375CDF673D8581,SHA256=67D7D7935E525B620FB235CAB6565AC7A0C42D0013C03BAE6FB7301B7B5DE71C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000335225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f57f) 13241300x8000000000000000335224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0xc8e030d3) 13241300x8000000000000000335223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0x2aa498d3) 13241300x8000000000000000335222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0x8c6900d3) 13241300x8000000000000000335221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000335220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f57f) 13241300x8000000000000000335219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0xc8e030d3) 13241300x8000000000000000335218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0x2aa498d3) 13241300x8000000000000000335217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:26:15.393{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0x8c6900d3) 23542300x8000000000000000448493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:16.507{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206CEBCA72A6CFCF8960BC10CAA2AB0F,SHA256=EE5CCA6F155521F9CCC30A7152DEE3D5172021024138565F90CE93419EC66B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.585{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dll.auxMD5=3748821F7E7DB1DD92C4C5575D6B6964,SHA256=9B707027DB2E45E9A550952164290F845AABB230B7E79A8231FA735944A87FA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.570{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dllMD5=AAE590481F01707BA3682F70184D1048,SHA256=B012C15153EB2B47FE2EFD7D13B689E342ED5DDD9D9EE55E59FC68D927193736,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.477{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dll.auxMD5=9E8273197F9A02B9A721032C9C46FE6C,SHA256=AC968645F5D30BF892E8CD366F36A8DF8B40B65FD7940D3F24C1EEDCE414AEDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.477{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dllMD5=5323B8A12366F102A9AFAFEE81B107AB,SHA256=5EACFEB8E0B0C4F166DBFF9B5116A4A371C6652F451A310F30133D1D8680CEE0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.460{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8453183D00B286BAFEBB4DB00C1E1ED,SHA256=1BCAA12E95E240602EEF25D8DED6FD2A1481C3985DE5AA90870F4448089818CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:16.241{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7E4C7F3F655ABE6FBEBFDA9FDCD56F48,SHA256=22D727E725D6EBC0739F0EFCFBDED090E2BBB5093586EDFB96795AF50B5C4592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.227{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dll.auxMD5=6B885B68C6B0ECCBB2E89A4D73DF63C3,SHA256=D6BB1EE81B79CB0C8DD4C8B39704859B055B9C056478043C924D695876543007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.227{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dllMD5=E5E779E851434195EAF586B414E1AB14,SHA256=453BD0B221BFBE7C7C19FD48797DC174A231A8489E5E2A60C82D72F6637CB1BC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:16.149{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4068D6CC08C5916B03B7A12DDBC972B7,SHA256=31682E2D6EA3476B72196757AA980FF837FD20000D517C9DA07679EE2E653657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:17.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127FCC5C9390810FC1EFB9A48B3818FE,SHA256=B1B91F09E5C1DF22526C93250CE6059D63CEA49D47CA4D3F914F5F47BFBBBAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.849{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.849{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.818{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXXR0JSD6L\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.818{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXXR0JSD6L\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.583{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5887ABC9D860236EABF75C812A69B21,SHA256=AB484AC25BA4932FD3E7D578E6E2C3788A73B871DACF8B650F5490FEAC898001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.380{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWKEHQK02Z\System.DirectoryServices.ni.dll.auxMD5=D066D00C8E7C849DE48D0165F24F981A,SHA256=3A34EFC6138171BFE5597B3C487BBC6EB15EC7AE047A2C3A0E9E7E8431A98848,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.364{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWKEHQK02Z\System.DirectoryServices.ni.dllMD5=B58D524466EF69DA6C881E615B256AD2,SHA256=212679F1EA4BDA27FE199CD9B9E1D7770C96B3F275B7319393DD3D8331257E64,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.317{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dll.auxMD5=0057D8C02F52278E2D88E0C434C9FB67,SHA256=C3E4ED40898F69A430845210C1C1F6F46FB3382B871EC2264963243B4CEA8BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:17.317{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dllMD5=309216E457DECA1FDDFB036BF6ABA05F,SHA256=59A0802383424FB2D07728867DA0A79D6657E2380406D998BCF2630A7966AE38,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000335238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:14.392{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51028-false10.0.1.12-8000- 23542300x8000000000000000448496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:18.770{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE183BB1D3999FBFFC11959FAD0D8FFF,SHA256=96D78858BD3B3B5DE09C0A1FDB159855743B90495A80C2E796579F306A70DD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.760{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dll.auxMD5=3387DD5DFBE5A69E658A1287F3C08628,SHA256=EB1B324EF21E4D9A1DADA4D9A4F519C76D1C862CA16E11725BA97420CFDF6D18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.760{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dllMD5=C11869C1D2B9720BECE21325C4F88BED,SHA256=01E2262DC5D082948478B80C22833216555622B5D23040996F3A9A5AE4E956BC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.672{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6909E0DCBBF9AAB1D0B62D497BD64BC,SHA256=782D731B35DECE011752D8CDC125CD7998D6804B3B6A5EEB952D1F623D831961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:18.116{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=23A4955BC5FFCD1695E83A35FFA7E3C8,SHA256=39CCD5AA6E89E7E82711188AB4241F693A4E4162020F40DE5D8979B0E7593D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.582{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dll.auxMD5=0726536434B1F4CFF6E32E5A04A405E4,SHA256=CA81014EA85BB7A87C6D421D4492658D1ED3693C5E81E194FC9A55A56916500D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.582{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dllMD5=7847E113AF6ED71691FA241B2F092C61,SHA256=B54E3F593F0379C5B679C200EA5BEF842BD6B69EC88E49F89297CAA66E04E7A6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.504{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dll.auxMD5=20FF2F0A0D70F5CFEFDC3CAE5854BFC7,SHA256=03A72C9FDF9596376C7B0E4584A822D01BC8F7EF5AE4C8E5748E79665383DB7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.504{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dllMD5=BA7270337571525AA0F643C2A10B5BF6,SHA256=E8419C27066C1F18E6B97F3E082D170E3F05683D625CD191F4CF3AEF691D5852,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.504{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dll.auxMD5=616FFBD02D10F157448EFABE441FF022,SHA256=4BE5225D3C62FBF39F40FCB7DD918B1385D4F9F241EDE312FA7ED87385911F15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.504{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dllMD5=2EE900B41105DC12B81C9BB8227A3F93,SHA256=95D205DF219148F9871702FCA45AF8400CD3C370ECF4834726698B58938E8187,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.426{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dll.auxMD5=2BEEB7989E153026455A91546700FDA5,SHA256=63A95441B52371EEE7EAE9605B312F82B498BC927E85C516C19984D5B629AE97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.426{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dllMD5=04A28498B7718E00A2FAA9797FCE2F17,SHA256=47C6A18965FDCE1FA4609406A47B48F689D0B3828CCBF3A73A70B55A3AEB04D1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.348{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0EYCB98O8\System.ni.dll.auxMD5=3E37F06FB38530095A5E52EDFAA8D60E,SHA256=2929FBBD5565E1EC8D3B2CD52A903C76F4203019FF8650FA442F4C2E4DFD70AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:18.335{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0EYCB98O8\System.ni.dllMD5=7F0A5DBF2075D53BE5881B6557331A1D,SHA256=7EEEF2EC1F43BBAB9E50783C6F3333BA9DBDF55A626B20A9D9CC595AE89DE89F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF89CE09030CB753241DBDD1465F3C8,SHA256=8DEBCBDA219223B66C7ADE9F603D2C6434464B54A3E502E9AAB0CF615B836E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.920{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CIMLWLYT6V\CustomMarshalers.ni.dll.auxMD5=0B245CA991030D611F28243B92D78856,SHA256=06397295AD580A500DEA3F4506E040698BDE7A3257DD7CF984342B8D39F9677C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.920{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CIMLWLYT6V\CustomMarshalers.ni.dllMD5=80373965F95EC496E34085E864E66067,SHA256=8D50218FD9D8013DB004EC8E411A13FD19C1CCD41518A28E7FB489CD2D46A650,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.920{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CILV3IC51G\System.ServiceProcess.ni.dll.auxMD5=571E3F17881029282382BE17223D6354,SHA256=FB244CCB45FB0E5E0804EFB9B8B38B750F1A50D5DE93999CFC8186084ED8A54B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.905{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CILV3IC51G\System.ServiceProcess.ni.dllMD5=DB9C179552E1BBCB89C995B53E534A39,SHA256=F9A810E75F910AB614771109BF323517A1E21348E177C03113DFE4F9D00A8255,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.905{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CHDQ1MMO1R\System.ServiceProcess.ni.dll.auxMD5=9046DC8AF57A689737E35673E1FEBE4D,SHA256=0718FB2272D8BDA1BE26978BC6F3F271E3E73EF81782F75BD593C4B5273F8388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.905{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CHDQ1MMO1R\System.ServiceProcess.ni.dllMD5=B4E93247C9175B5C117FD4A0B662D510,SHA256=60596192CD9252FE839884860D51FAA078887038E91EAEAB3E04E563E6F66ADB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.905{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CF9B4UFFWU\System.Transactions.ni.dll.auxMD5=AB84AEBEB050F5121DF68F4F87C7F5FD,SHA256=2EE998C217D1F54077A19AC1FBAF734FF45F6F8AC712A23D80BBCD2D72B110F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.905{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CF9B4UFFWU\System.Transactions.ni.dllMD5=0D4FEEEE0FD448095C4CDA07EF4A24A1,SHA256=05DFF969368D90716F7F7DB92A4B0DD3792C5FF93034B299B5A30C4D89185B5A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.858{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.858{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.780{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dll.auxMD5=CDBF47C48FE3C43FA6FDFFC27E7BF502,SHA256=97E156C1F3781604ACACB6E3BCEE094F94B0322FAE5CBE336C46763CCCAB3459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.766{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dllMD5=D3E5AF2CE2FD8C43D74F414B7A63E66F,SHA256=5A239C00CEE27D28EB600819739E67F051F8D96AA44094DB453034062461A935,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.751{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFFDA4207BA8255CAA1B6592CC6D0F0,SHA256=1C351C8C675FC557990B2E4D0535D104FE45513444D558676FAFDB63E4283FA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.702{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dll.auxMD5=E52B8B92200A182613A6D465C8002B70,SHA256=F474210BE1FEE708AE79D9263C73FF92C511B644F04430988D9A0E430AE6491B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.698{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dllMD5=9C68AC0EBB9EBD1A36DDB3459C2AEF6A,SHA256=E3858BC89A5E129F3661AE6CCEF8F10A4BBD6A83A2AD2E623AEBA49413795171,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.652{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.633{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.621{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.615{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.611{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.607{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.564{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.551{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.529{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.521{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.509{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.484{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000448503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:16.877{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.436{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.416{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.317{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:19.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000335340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.992{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dllMD5=48AA9752C04C314A19620753925A436D,SHA256=F212554A016D8C679B6A819D79BE0D9292A6A8A63141E4C84F69F50CEBA6174B,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.961{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86704EEF43FDAC210B6A9DA7291BC37F,SHA256=5AD7A4FAE41B0F3DA1350CB3AFEAD20D67BFC2A9617AC2F4486E1B6314C1F8AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.867{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2GAXII973\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.867{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2GAXII973\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.732{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1204-00000000BD02}4372C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.731{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.725{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.721{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.721{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.713{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000448522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:20.463{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:20.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:20.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:20.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:20.437{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000335330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.689{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.688{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.687{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.678{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.668{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.661{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.659{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.653{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.645{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.635{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.633{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.598{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.592{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.582{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.578{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.576{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.574{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.573{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.571{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.568{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.567{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.565{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.564{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.564{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.562{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.546{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.536{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.533{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.527{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.525{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.518{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.505{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.504{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.495{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.469{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.463{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.456{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000335293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.452{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D28ES9ZTZ7\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000335292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.446{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000335291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D28ES9ZTZ7\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.421{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.402{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.395{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.378{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.370{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.359{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000335284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.334{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000335283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.061{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CSPPX91JE9\System.Configuration.ni.dll.auxMD5=8792652766DB709E279C97CC11F9D75D,SHA256=8E4C1DFC695795E673FCA461BA3B6279D2706A69F74844220486F483001920A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.061{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CSPPX91JE9\System.Configuration.ni.dllMD5=6874BA87C64A9BF0F5A5305D25654DE0,SHA256=B624880F49BC068F6766153AD605D4BBAF8ECFDC43A6335C3D2F0464764E9260,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.045{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CREGJ3YNBI\CustomMarshalers.ni.dll.auxMD5=0B245CA991030D611F28243B92D78856,SHA256=06397295AD580A500DEA3F4506E040698BDE7A3257DD7CF984342B8D39F9677C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.045{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CREGJ3YNBI\CustomMarshalers.ni.dllMD5=80373965F95EC496E34085E864E66067,SHA256=8D50218FD9D8013DB004EC8E411A13FD19C1CCD41518A28E7FB489CD2D46A650,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.014{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.014{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.998{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COFS6LUIDI\System.Configuration.ni.dll.auxMD5=8D0583C77ACE82C3E643AE3854D36DE9,SHA256=871A475BE6D3FE79956C2D871F2D3769E97BC0034E8038C480BD5F65C25E6882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:19.998{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COFS6LUIDI\System.Configuration.ni.dllMD5=5117A030A5154DF2D9C227CEBBCA7A71,SHA256=9F8F836E994452F38F2B71F5795078C7FD64C1374E0DDDD57CF494840AA81191,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.904{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dll.auxMD5=D139F7C46452B340FA1AAB6824F0ADAA,SHA256=D890E796CBA8EDC709F63D916746F2F00C90562CDCC1E36D8310CC15CF0C63B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.888{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dllMD5=1D4B0B23D6D67D7249959F4C1C9BE816,SHA256=5FE8862C6007516E2BD43E2801E1BDB58B91ED8E29D744F6B37363C313FA747F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.724{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D191AB034FFF7ECC67E44D2F37A85E3D,SHA256=E78ABB7D57A0E6B6B088BF260AC9E640ED3BD834F6F12DAC6466A333278C2A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:21.028{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF89BC2A4E3EE4DA8B820E4369C0036E,SHA256=6D30FB08EC67095558005A918A0C0C5598FC8DBC25C1D22B2D3362100CD57C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.446{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D7QMP4RP4H\Microsoft.CSharp.ni.dll.auxMD5=44C2FF397CFEB86DD428E4CF568B831C,SHA256=46CCEF5A71FD83EBC060F4FEDBA1CF020854B869925579E8746490E3216B2B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.446{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D7QMP4RP4H\Microsoft.CSharp.ni.dllMD5=DE433F18A8FD0648DD97F67E3D35EA9E,SHA256=023315339F40899CDF291BE690A5F9C2481F5126D8D3A44B81746F7BCADC00C7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.368{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D4A3US24EG\System.Core.ni.dll.auxMD5=93D95F2F680B38DF44FFA68C5FF94F18,SHA256=72A85819D2E502E7D38481242C3E198DE388A4979E762BF18B8DBAA4458E8445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:21.368{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D4A3US24EG\System.Core.ni.dllMD5=E0BFA251DF4F05EF0F0567845B91DECA,SHA256=C8DFF5085A37FFCAB934033B038500806EBD5AA39DF275F743480B6D729BCA5A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.992{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dll.auxMD5=F6FB7708778B24569079915A980A250B,SHA256=BB455BE0C6696DEAC54DFBFD3F9A2EB92EC6BB926F83B3BF861306D6CF64F6B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.813{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A0D17F85522347898C640728835111,SHA256=59BB3F68EAFEC2A3CCC1AC76E6F0AC700D46941631174C05D1DA6FDDA3286346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.519{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.509{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000448524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.122{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC7D9C341CC4CB103DBDA693DFCEB10,SHA256=621C45CDDDB7202733953BE9A3EC812BD05063A6CF34C571187C08ADC6214D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.696{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.696{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.602{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.602{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.539{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.539{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.539{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCL9B0KZEP\System.Numerics.ni.dll.auxMD5=99540E1E3A9909352ABF7EDB826D045E,SHA256=F9B8E4FDAD0D00F99477CAB1080EEB88ED7734977705F01A76302EDC40975074,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.539{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCL9B0KZEP\System.Numerics.ni.dllMD5=6D610EC50E9D1F98CCCF19BD425D76B4,SHA256=3E9EEE1D3B6D758587018798C57A5139CA16CE3F4E4442EFEA09BE3F214A4FDD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.492{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dll.auxMD5=22196DA6CAA793E0616864B9E8E06643,SHA256=86EFE97B8AA4DF629552A36B9B701A6CD96D95EE747F1BA761E6A5A0843BF33F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.492{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dllMD5=01A04115F66EDC890D89E9961D365FE4,SHA256=FA2900C83867BCB722E6481BB9070C704EF1D68ED20252F7D1EB3B6DAA320439,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.446{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dll.auxMD5=D1633EB12C3BA6976EC07A4F63B7C5D2,SHA256=FA5EA8271FEEF900EBBA55412AEC8CFE63AB04812C2277AB6C43A89807631658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:22.446{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dllMD5=E6629F608804427DCE9CA7252AA92C23,SHA256=B6699D00ACE64600A90372DFA28089254BE1430D11AA8906B8E7B8C7884E0CBA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.879{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEDF678FC087C0B16C06FDAC155EA5F,SHA256=7214AB117CA20310F3C9C0BD4B2AC2DB9083854CC15A5EBC9E4B2E077880305E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.220{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07856B5D943864401BC52B2703A9C849,SHA256=166988564CE40E88BC64FEC71B6B242960FB3AB7A6F4DE51DA2916347D7C972B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.130{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000335373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.660{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dll.auxMD5=3F78814829D895D032A8BD034ACE4450,SHA256=A2410DA4E27BDAB67B07FAA49D57B73FAFD6C9DABBEBB8331FF6EE5CA5FFFA6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.660{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dllMD5=1F105E423E686DDFAD34327F2AF3859B,SHA256=0874D66BCBCEAD079A9FCFCAFEE49B361520D911054D0AB30933CE1E42178235,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EA4WB7CUU7\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EA4WB7CUU7\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DSPKCSD3YG\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DSPKCSD3YG\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.209{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dll.auxMD5=254EF8FA44D2C6C2AD30F0C72E5FEA4A,SHA256=2091BB513D8D335CDA0E9879BDCE2623ADB6DFA2EB4DA62A22A611D750AE0289,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.209{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dllMD5=1D3FD15AB1501C7E7C5C71E84216E0FB,SHA256=CA07A2DF2BC440D714F53F4F9DA622C0797587E77677C1A9C4B6B01BE01E07ED,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000335365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:20.352{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51029-false10.0.1.12-8000- 23542300x8000000000000000335364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.160{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DPC8FPFA3T\System.Core.ni.dll.auxMD5=FDA50D4CE7FC07631769347F85539342,SHA256=7034F74B32BE9485869D7566F871E350E02932A891D6B4FEA3E6DF4D197336DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.160{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DPC8FPFA3T\System.Core.ni.dllMD5=29770439BEA641DEBBA91C7D41441573,SHA256=1330CD418EE411FA4DD34742DBB3F14F03B466DF88DB97D6992F655FE7778257,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000335362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:23.144{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.110{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.107{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.090{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.062{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.051{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.042{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.037{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.035{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.032{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.030{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.029{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000448530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:23.025{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000335381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.976{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F993AE9AF662A7F9ED9DA5A0F613CB1B,SHA256=CE84183884BDF8FCB4844E42AE96C9F34DDA6E18ABF730F7D0730FB65B47743F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:24.320{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2A622ADE2FE05A806299772C0CC7A9,SHA256=69899503BF313CD900D40AE6CE7A6E92EE52C48633D868BAE13634423000A741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000335380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.612{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EGLT3PRJUH\System.Core.ni.dll.auxMD5=93CFDFB36E761AA0B6C3ADC11A2C46E0,SHA256=2B8ECA23F8DA6C818FE4E2460C108256C61FE679C8760D6BFB4327B6988A0F6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.612{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EGLT3PRJUH\System.Core.ni.dllMD5=CAAB6B3CF270EE20A458C44716D1520B,SHA256=0EDF194D75C7D1C570A29B963B1C6DC3B2ECD4DF69DCF473051A090DF6C6C343,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.284{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.284{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000335376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.035{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dll.auxMD5=5CC55A1FB0ED0B2E4990B312C4B725FE,SHA256=E4F07260DA1EDD653B5722AD4A712DB0C80D31B1FF8D5BFA1E84C9C9EBD19604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:24.035{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dllMD5=917B1F2CBE25C534CE4664A904F7190E,SHA256=6380182C7F6247A0367F455C729212CEF38C5889E7D510AD2DBB52AF8A4C4621,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-am.exe 13241300x8000000000000000335757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\BinProductVersion2.39.1.1 13241300x8000000000000000335756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\Publisherthe git development community 13241300x8000000000000000335754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-add.exe 13241300x8000000000000000335753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\BinProductVersion0.21.0.0 13241300x8000000000000000335752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\Publisherfree software foundation 13241300x8000000000000000335750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LowerCaseLongPathc:\program files\git\usr\bin\gettext.exe 13241300x8000000000000000335749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\BinProductVersion0.21.0.0 13241300x8000000000000000335748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\Publisherfree software foundation 13241300x8000000000000000335746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LowerCaseLongPathc:\program files\git\mingw64\bin\gettext.exe 13241300x8000000000000000335745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\BinProductVersion(Empty) 13241300x8000000000000000335744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LinkDate09/05/2022 20:35:40 13241300x8000000000000000335743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\Publisher(Empty) 13241300x8000000000000000335742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr64.exe 13241300x8000000000000000335741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\BinProductVersion(Empty) 13241300x8000000000000000335740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LinkDate09/05/2022 20:35:39 13241300x8000000000000000335739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\Publisher(Empty) 13241300x8000000000000000335738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr32.exe 13241300x8000000000000000335737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\BinProductVersion(Empty) 13241300x8000000000000000335736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LinkDate10/22/2022 18:35:44 13241300x8000000000000000335735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\Publisher(Empty) 13241300x8000000000000000335734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LowerCaseLongPathc:\program files\git\usr\bin\getopt.exe 13241300x8000000000000000335733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\BinProductVersion(Empty) 13241300x8000000000000000335732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LinkDate09/05/2022 20:36:29 13241300x8000000000000000335731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\Publisher(Empty) 13241300x8000000000000000335730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LowerCaseLongPathc:\program files\git\usr\bin\getfacl.exe 13241300x8000000000000000335729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\BinProductVersion(Empty) 13241300x8000000000000000335728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LinkDate09/05/2022 20:36:28 13241300x8000000000000000335727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\Publisher(Empty) 13241300x8000000000000000335726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LowerCaseLongPathc:\program files\git\usr\bin\getconf.exe 13241300x8000000000000000335725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\BinProductVersion(Empty) 13241300x8000000000000000335724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LinkDate09/05/2022 20:36:28 13241300x8000000000000000335723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\Publisher(Empty) 13241300x8000000000000000335722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LowerCaseLongPathc:\program files\git\usr\bin\gencat.exe 13241300x8000000000000000335721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\BinProductVersion(Empty) 13241300x8000000000000000335720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\Publisher(Empty) 13241300x8000000000000000335718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LowerCaseLongPathc:\program files\git\usr\bin\gawk.exe 13241300x8000000000000000335717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\BinProductVersion(Empty) 13241300x8000000000000000335716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\Publisher(Empty) 13241300x8000000000000000335714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LowerCaseLongPathc:\program files\git\usr\bin\gawk-5.0.0.exe 13241300x8000000000000000335713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\BinProductVersion(Empty) 13241300x8000000000000000335712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LinkDate05/08/2031 18:06:26 13241300x8000000000000000335711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\Publisher(Empty) 13241300x8000000000000000335710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LowerCaseLongPathc:\program files\git\usr\bin\funzip.exe 13241300x8000000000000000335709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\BinProductVersion(Empty) 13241300x8000000000000000335708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\Publisher(Empty) 13241300x8000000000000000335706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LowerCaseLongPathc:\program files\git\usr\libexec\frcode.exe 13241300x8000000000000000335705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\BinProductVersion(Empty) 13241300x8000000000000000335704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LinkDate11/15/2022 17:18:48 13241300x8000000000000000335703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\Publisher(Empty) 13241300x8000000000000000335702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LowerCaseLongPathc:\program files\git\usr\bin\fold.exe 13241300x8000000000000000335701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\BinProductVersion(Empty) 13241300x8000000000000000335700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LinkDate11/15/2022 17:18:47 13241300x8000000000000000335699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\Publisher(Empty) 13241300x8000000000000000335698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LowerCaseLongPathc:\program files\git\usr\bin\fmt.exe 13241300x8000000000000000335697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\BinProductVersion(Empty) 13241300x8000000000000000335696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\Publisher(Empty) 13241300x8000000000000000335694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LowerCaseLongPathc:\program files\git\usr\bin\find.exe 13241300x8000000000000000335693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\BinProductVersion(Empty) 13241300x8000000000000000335692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\Publisher(Empty) 13241300x8000000000000000335690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LowerCaseLongPathc:\program files\git\usr\bin\file.exe 13241300x8000000000000000335689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\BinProductVersion(Empty) 13241300x8000000000000000335688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LinkDate11/15/2022 17:18:47 13241300x8000000000000000335687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\Publisher(Empty) 13241300x8000000000000000335686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LowerCaseLongPathc:\program files\git\usr\bin\false.exe 13241300x8000000000000000335685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\BinProductVersion(Empty) 13241300x8000000000000000335684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LinkDate11/15/2022 17:18:47 13241300x8000000000000000335683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\Publisher(Empty) 13241300x8000000000000000335682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LowerCaseLongPathc:\program files\git\usr\bin\factor.exe 13241300x8000000000000000335681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\BinProductVersion(Empty) 13241300x8000000000000000335680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LinkDate11/15/2022 17:18:46 13241300x8000000000000000335679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\Publisher(Empty) 13241300x8000000000000000335678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LowerCaseLongPathc:\program files\git\usr\bin\expr.exe 13241300x8000000000000000335677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\BinProductVersion(Empty) 13241300x8000000000000000335676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LinkDate11/15/2022 17:18:46 13241300x8000000000000000335675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\Publisher(Empty) 13241300x8000000000000000335674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LowerCaseLongPathc:\program files\git\usr\bin\expand.exe 13241300x8000000000000000335673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\BinProductVersion(Empty) 13241300x8000000000000000335672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\Publisher(Empty) 13241300x8000000000000000335670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LowerCaseLongPathc:\program files\git\usr\bin\ex.exe 13241300x8000000000000000335669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\BinProductVersion0.21.0.0 13241300x8000000000000000335668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\Publisherfree software foundation 13241300x8000000000000000335666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LowerCaseLongPathc:\program files\git\mingw64\bin\envsubst.exe 13241300x8000000000000000335665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\BinProductVersion0.21.0.0 13241300x8000000000000000335664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\Publisherfree software foundation 13241300x8000000000000000335662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LowerCaseLongPathc:\program files\git\usr\bin\envsubst.exe 13241300x8000000000000000335661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\BinProductVersion(Empty) 13241300x8000000000000000335660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LinkDate11/15/2022 17:18:46 13241300x8000000000000000335659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\Publisher(Empty) 13241300x8000000000000000335658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LowerCaseLongPathc:\program files\git\usr\bin\env.exe 13241300x8000000000000000335657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\BinProductVersion(Empty) 13241300x8000000000000000335656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\Publisher(Empty) 13241300x8000000000000000335654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test_dll.exe 13241300x8000000000000000335653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\BinProductVersion(Empty) 13241300x8000000000000000335652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\Publisher(Empty) 13241300x8000000000000000335650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test.exe 13241300x8000000000000000335649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\BinProductVersion(Empty) 13241300x8000000000000000335648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\Publisher(Empty) 13241300x8000000000000000335646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LowerCaseLongPathc:\program files\git\mingw64\share\git\edit-git-bash.exe 13241300x8000000000000000335645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\echo.exe|263446599120623a\BinProductVersion(Empty) 13241300x8000000000000000335644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LinkDate11/15/2022 17:18:46 13241300x8000000000000000335643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\echo.exe|263446599120623a\Publisher(Empty) 13241300x8000000000000000335642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LowerCaseLongPathc:\program files\git\usr\bin\echo.exe 13241300x8000000000000000335641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\BinProductVersion(Empty) 13241300x8000000000000000335640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\Publisher(Empty) 13241300x8000000000000000335638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LowerCaseLongPathc:\program files\git\usr\bin\dumpsexp.exe 13241300x8000000000000000335637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\BinProductVersion(Empty) 13241300x8000000000000000335636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LinkDate11/15/2022 17:18:45 13241300x8000000000000000335635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\Publisher(Empty) 13241300x8000000000000000335634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LowerCaseLongPathc:\program files\git\usr\bin\du.exe 13241300x8000000000000000335633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\BinProductVersion(Empty) 13241300x8000000000000000335632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\Publisher(Empty) 13241300x8000000000000000335630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LowerCaseLongPathc:\program files\git\usr\bin\dos2unix.exe 13241300x8000000000000000335629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\BinProductVersion(Empty) 13241300x8000000000000000335628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LinkDate11/15/2022 17:18:45 13241300x8000000000000000335627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\Publisher(Empty) 13241300x8000000000000000335626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LowerCaseLongPathc:\program files\git\usr\bin\dirname.exe 13241300x8000000000000000335625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\BinProductVersion(Empty) 13241300x8000000000000000335624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\Publisher(Empty) 13241300x8000000000000000335622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr.exe 13241300x8000000000000000335621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\BinProductVersion(Empty) 13241300x8000000000000000335620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\Publisher(Empty) 13241300x8000000000000000335618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr-client.exe 13241300x8000000000000000335617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\BinProductVersion(Empty) 13241300x8000000000000000335616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LinkDate11/15/2022 17:18:45 13241300x8000000000000000335615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\Publisher(Empty) 13241300x8000000000000000335614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LowerCaseLongPathc:\program files\git\usr\bin\dircolors.exe 13241300x8000000000000000335613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\BinProductVersion(Empty) 13241300x8000000000000000335612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LinkDate11/15/2022 17:18:44 13241300x8000000000000000335611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\Publisher(Empty) 13241300x8000000000000000335610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LowerCaseLongPathc:\program files\git\usr\bin\dir.exe 13241300x8000000000000000335609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\BinProductVersion(Empty) 13241300x8000000000000000335608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LinkDate11/13/2022 11:50:45 13241300x8000000000000000335607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\Publisher(Empty) 13241300x8000000000000000335606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LowerCaseLongPathc:\program files\git\usr\bin\diff3.exe 13241300x8000000000000000335605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\BinProductVersion(Empty) 13241300x8000000000000000335604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LinkDate11/13/2022 11:50:44 13241300x8000000000000000335603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\Publisher(Empty) 13241300x8000000000000000335602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LowerCaseLongPathc:\program files\git\usr\bin\diff.exe 13241300x8000000000000000335601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\BinProductVersion(Empty) 13241300x8000000000000000335600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LinkDate11/15/2022 17:18:44 13241300x8000000000000000335599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\Publisher(Empty) 13241300x8000000000000000335598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LowerCaseLongPathc:\program files\git\usr\bin\df.exe 13241300x8000000000000000335597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\BinProductVersion(Empty) 13241300x8000000000000000335596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LinkDate11/15/2022 17:18:44 13241300x8000000000000000335595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\Publisher(Empty) 13241300x8000000000000000335594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LowerCaseLongPathc:\program files\git\usr\bin\dd.exe 13241300x8000000000000000335593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\BinProductVersion(Empty) 13241300x8000000000000000335592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LinkDate11/15/2022 17:18:44 13241300x8000000000000000335591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\Publisher(Empty) 13241300x8000000000000000335590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LowerCaseLongPathc:\program files\git\usr\bin\date.exe 13241300x8000000000000000335589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\BinProductVersion(Empty) 13241300x8000000000000000335588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\Publisher(Empty) 23542300x8000000000000000335586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:25.584{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dllMD5=355F6BCC3F1F0142682CAE2AE9AD5128,SHA256=04A3A69D1F5E94F84A13485DE67472FAE17746F6D655E051C378723343B734FF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000335585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LowerCaseLongPathc:\program files\git\usr\bin\dash.exe 13241300x8000000000000000335584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\BinProductVersion(Empty) 13241300x8000000000000000335583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\Publisher(Empty) 13241300x8000000000000000335581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LowerCaseLongPathc:\program files\git\usr\bin\d2u.exe 13241300x8000000000000000335580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\BinProductVersion(Empty) 13241300x8000000000000000335579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LinkDate09/05/2022 20:35:39 13241300x8000000000000000335578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\Publisher(Empty) 13241300x8000000000000000335577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LowerCaseLongPathc:\program files\git\usr\bin\cygwin-console-helper.exe 13241300x8000000000000000335576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\BinProductVersion(Empty) 13241300x8000000000000000335575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LinkDate09/05/2022 20:36:27 13241300x8000000000000000335574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\Publisher(Empty) 13241300x8000000000000000335573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LowerCaseLongPathc:\program files\git\usr\bin\cygpath.exe 13241300x8000000000000000335572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\BinProductVersion(Empty) 13241300x8000000000000000335571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LinkDate09/05/2022 20:35:38 13241300x8000000000000000335570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\Publisher(Empty) 13241300x8000000000000000335569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LowerCaseLongPathc:\program files\git\usr\bin\cygcheck.exe 13241300x8000000000000000335568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\BinProductVersion(Empty) 13241300x8000000000000000335567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LinkDate11/15/2022 17:18:43 13241300x8000000000000000335566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\Publisher(Empty) 13241300x8000000000000000335565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LowerCaseLongPathc:\program files\git\usr\bin\cut.exe 13241300x8000000000000000335564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\BinProductVersion7.87.0.0 13241300x8000000000000000335563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LinkDate01/11/2023 21:47:52 13241300x8000000000000000335562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\Publishercurl, https://curl.se/ 13241300x8000000000000000335561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LowerCaseLongPathc:\program files\git\mingw64\bin\curl.exe 13241300x8000000000000000335560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\BinProductVersion(Empty) 13241300x8000000000000000335559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LinkDate11/15/2022 17:18:43 13241300x8000000000000000335558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\Publisher(Empty) 13241300x8000000000000000335557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LowerCaseLongPathc:\program files\git\usr\bin\csplit.exe 13241300x8000000000000000335556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\BinProductVersion(Empty) 13241300x8000000000000000335555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LinkDate11/29/2022 16:06:30 13241300x8000000000000000335554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\Publisher(Empty) 13241300x8000000000000000335553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LowerCaseLongPathc:\program files\git\mingw64\bin\create-shortcut.exe 13241300x8000000000000000335552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\BinProductVersion(Empty) 13241300x8000000000000000335551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LinkDate11/15/2022 17:18:43 13241300x8000000000000000335550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\Publisher(Empty) 13241300x8000000000000000335549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LowerCaseLongPathc:\program files\git\usr\bin\cp.exe 13241300x8000000000000000335548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\BinProductVersion(Empty) 13241300x8000000000000000335547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LinkDate10/29/2022 11:37:13 13241300x8000000000000000335546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\Publisher(Empty) 13241300x8000000000000000335545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LowerCaseLongPathc:\program files\git\mingw64\bin\connect.exe 13241300x8000000000000000335544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\BinProductVersion2.39.1.1 13241300x8000000000000000335543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\Publisherthe git development community 13241300x8000000000000000335541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LowerCaseLongPathc:\program files\git\mingw64\share\git\compat-bash.exe 13241300x8000000000000000335540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\BinProductVersion(Empty) 13241300x8000000000000000335539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LinkDate11/15/2022 17:18:43 13241300x8000000000000000335538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\Publisher(Empty) 13241300x8000000000000000335537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LowerCaseLongPathc:\program files\git\usr\bin\comm.exe 13241300x8000000000000000335536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\BinProductVersion(Empty) 13241300x8000000000000000335535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LinkDate10/22/2022 18:35:42 13241300x8000000000000000335534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\Publisher(Empty) 13241300x8000000000000000335533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LowerCaseLongPathc:\program files\git\usr\bin\column.exe 13241300x8000000000000000335532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\BinProductVersion(Empty) 13241300x8000000000000000335531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LinkDate11/13/2022 11:50:44 13241300x8000000000000000335530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\Publisher(Empty) 13241300x8000000000000000335529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LowerCaseLongPathc:\program files\git\usr\bin\cmp.exe 13241300x8000000000000000335528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\BinProductVersion(Empty) 13241300x8000000000000000335527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\Publisher(Empty) 13241300x8000000000000000335525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LowerCaseLongPathc:\program files\git\usr\bin\clear.exe 13241300x8000000000000000335524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\BinProductVersion(Empty) 13241300x8000000000000000335523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\Publisher(Empty) 13241300x8000000000000000335521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.584{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LowerCaseLongPathc:\program files\git\usr\lib\gettext\cldr-plurals.exe 13241300x8000000000000000335520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\BinProductVersion(Empty) 13241300x8000000000000000335519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LinkDate11/15/2022 17:18:42 13241300x8000000000000000335518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\Publisher(Empty) 13241300x8000000000000000335517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LowerCaseLongPathc:\program files\git\usr\bin\cksum.exe 13241300x8000000000000000335516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\BinProductVersion(Empty) 13241300x8000000000000000335515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LinkDate11/15/2022 17:18:42 13241300x8000000000000000335514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\Publisher(Empty) 13241300x8000000000000000335513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LowerCaseLongPathc:\program files\git\usr\bin\chroot.exe 13241300x8000000000000000335512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\BinProductVersion(Empty) 13241300x8000000000000000335511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LinkDate11/15/2022 17:18:42 13241300x8000000000000000335510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\Publisher(Empty) 13241300x8000000000000000335509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LowerCaseLongPathc:\program files\git\usr\bin\chown.exe 13241300x8000000000000000335508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\BinProductVersion(Empty) 13241300x8000000000000000335507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LinkDate11/15/2022 17:18:41 13241300x8000000000000000335506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\Publisher(Empty) 13241300x8000000000000000335505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LowerCaseLongPathc:\program files\git\usr\bin\chmod.exe 13241300x8000000000000000335504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\BinProductVersion(Empty) 13241300x8000000000000000335503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LinkDate11/15/2022 17:18:41 13241300x8000000000000000335502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\Publisher(Empty) 13241300x8000000000000000335501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LowerCaseLongPathc:\program files\git\usr\bin\chgrp.exe 13241300x8000000000000000335500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\BinProductVersion(Empty) 13241300x8000000000000000335499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LinkDate11/15/2022 17:18:41 13241300x8000000000000000335498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\Publisher(Empty) 13241300x8000000000000000335497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LowerCaseLongPathc:\program files\git\usr\bin\chcon.exe 13241300x8000000000000000335496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\BinProductVersion(Empty) 13241300x8000000000000000335495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LinkDate09/05/2022 20:36:27 13241300x8000000000000000335494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\Publisher(Empty) 13241300x8000000000000000335493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LowerCaseLongPathc:\program files\git\usr\bin\chattr.exe 13241300x8000000000000000335492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\BinProductVersion(Empty) 13241300x8000000000000000335491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LinkDate11/15/2022 17:18:41 23542300x8000000000000000448546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:25.414{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB61BD1F43A8369FC98DEA1572ABB81C,SHA256=BA35A8CB7A7B65014D796FCCFE16754339B6B98DCEFD2BDDF3F3577D3F7B95AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000335490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\Publisher(Empty) 13241300x8000000000000000335489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LowerCaseLongPathc:\program files\git\usr\bin\cat.exe 13241300x8000000000000000335488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\BinProductVersion(Empty) 13241300x8000000000000000335487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\Publisher(Empty) 13241300x8000000000000000335485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LowerCaseLongPathc:\program files\git\usr\bin\captoinfo.exe 13241300x8000000000000000335484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\BinProductVersion(Empty) 13241300x8000000000000000335483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\Publisher(Empty) 13241300x8000000000000000335481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2recover.exe 13241300x8000000000000000335480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\BinProductVersion(Empty) 13241300x8000000000000000335479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\Publisher(Empty) 13241300x8000000000000000335477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LowerCaseLongPathc:\program files\git\usr\bin\bzip2recover.exe 13241300x8000000000000000335476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\BinProductVersion(Empty) 13241300x8000000000000000335475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\Publisher(Empty) 13241300x8000000000000000335473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2.exe 13241300x8000000000000000335472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\BinProductVersion(Empty) 13241300x8000000000000000335471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\Publisher(Empty) 13241300x8000000000000000335469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LowerCaseLongPathc:\program files\git\usr\bin\bzip2.exe 13241300x8000000000000000335468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\BinProductVersion(Empty) 13241300x8000000000000000335467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\Publisher(Empty) 13241300x8000000000000000335465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LowerCaseLongPathc:\program files\git\usr\bin\bzcat.exe 13241300x8000000000000000335464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\BinProductVersion(Empty) 13241300x8000000000000000335463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\Publisher(Empty) 13241300x8000000000000000335461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LowerCaseLongPathc:\program files\git\mingw64\bin\bzcat.exe 13241300x8000000000000000335460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\BinProductVersion(Empty) 13241300x8000000000000000335459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\Publisher(Empty) 13241300x8000000000000000335457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LowerCaseLongPathc:\program files\git\mingw64\bin\bunzip2.exe 13241300x8000000000000000335456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\BinProductVersion(Empty) 13241300x8000000000000000335455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\Publisher(Empty) 13241300x8000000000000000335453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LowerCaseLongPathc:\program files\git\usr\bin\bunzip2.exe 13241300x8000000000000000335452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\BinProductVersion(Empty) 13241300x8000000000000000335451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\Publisher(Empty) 13241300x8000000000000000335449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LowerCaseLongPathc:\program files\git\mingw64\bin\brotli.exe 13241300x8000000000000000335448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\BinProductVersion(Empty) 13241300x8000000000000000335447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LinkDate11/29/2022 16:06:30 13241300x8000000000000000335446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\Publisher(Empty) 13241300x8000000000000000335445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LowerCaseLongPathc:\program files\git\mingw64\bin\blocked-file-util.exe 13241300x8000000000000000335444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\BinProductVersion2.39.1.1 13241300x8000000000000000335443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\Publisherthe git development community 13241300x8000000000000000335441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LowerCaseLongPathc:\program files\git\bin\bash.exe 13241300x8000000000000000335440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\BinProductVersion(Empty) 13241300x8000000000000000335439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LinkDate11/24/2022 23:19:19 13241300x8000000000000000335438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\Publisher(Empty) 13241300x8000000000000000335437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LowerCaseLongPathc:\program files\git\usr\bin\bash.exe 13241300x8000000000000000335436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\BinProductVersion(Empty) 13241300x8000000000000000335435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LinkDate11/15/2022 17:18:40 13241300x8000000000000000335434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\Publisher(Empty) 13241300x8000000000000000335433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LowerCaseLongPathc:\program files\git\usr\bin\basenc.exe 13241300x8000000000000000335432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\BinProductVersion(Empty) 13241300x8000000000000000335431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LinkDate11/15/2022 17:18:40 13241300x8000000000000000335430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\Publisher(Empty) 13241300x8000000000000000335429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LowerCaseLongPathc:\program files\git\usr\bin\basename.exe 13241300x8000000000000000335428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\BinProductVersion(Empty) 13241300x8000000000000000335427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LinkDate11/15/2022 17:18:40 13241300x8000000000000000335426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\Publisher(Empty) 13241300x8000000000000000335425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LowerCaseLongPathc:\program files\git\usr\bin\base64.exe 13241300x8000000000000000335424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\BinProductVersion(Empty) 13241300x8000000000000000335423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LinkDate11/15/2022 17:18:40 13241300x8000000000000000335422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\Publisher(Empty) 13241300x8000000000000000335421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LowerCaseLongPathc:\program files\git\usr\bin\base32.exe 13241300x8000000000000000335420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\BinProductVersion(Empty) 13241300x8000000000000000335419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LinkDate11/15/2022 17:18:39 13241300x8000000000000000335418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\Publisher(Empty) 13241300x8000000000000000335417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LowerCaseLongPathc:\program files\git\usr\bin\b2sum.exe 13241300x8000000000000000335416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\BinProductVersion(Empty) 13241300x8000000000000000335415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\Publisher(Empty) 13241300x8000000000000000335413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LowerCaseLongPathc:\program files\git\usr\bin\awk.exe 13241300x8000000000000000335412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\atlassian.bitbuc|b93909779179097a\BinProductVersion2.0.886.0 13241300x8000000000000000335411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\atlassian.bitbuc|b93909779179097a\LinkDate09/16/2041 20:44:17 13241300x8000000000000000335410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\atlassian.bitbuc|b93909779179097a\Publisheratlassian.bitbucket.ui 13241300x8000000000000000335409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\atlassian.bitbuc|b93909779179097a\LowerCaseLongPathc:\program files\git\mingw64\bin\atlassian.bitbucket.ui.exe 13241300x8000000000000000335408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\BinProductVersion(Empty) 13241300x8000000000000000335407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LinkDate11/15/2022 17:18:39 13241300x8000000000000000335406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\Publisher(Empty) 13241300x8000000000000000335405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LowerCaseLongPathc:\program files\git\usr\bin\arch.exe 13241300x8000000000000000335404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\BinProductVersion(Empty) 13241300x8000000000000000335403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LinkDate10/29/2022 11:36:08 13241300x8000000000000000335402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\Publisher(Empty) 13241300x8000000000000000335401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LowerCaseLongPathc:\program files\git\mingw64\bin\antiword.exe 13241300x8000000000000000335400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\BinProductVersion(Empty) 13241300x8000000000000000335399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\Publisher(Empty) 13241300x8000000000000000335397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LowerCaseLongPathc:\program files\git\mingw64\bin\ahost.exe 13241300x8000000000000000335396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\BinProductVersion(Empty) 13241300x8000000000000000335395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\Publisher(Empty) 13241300x8000000000000000335393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LowerCaseLongPathc:\program files\git\mingw64\bin\adig.exe 13241300x8000000000000000335392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\BinProductVersion(Empty) 13241300x8000000000000000335391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LinkDate01/01/1970 00:00:00 13241300x8000000000000000335390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\Publisher(Empty) 13241300x8000000000000000335389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LowerCaseLongPathc:\program files\git\mingw64\bin\acountry.exe 13241300x8000000000000000335388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\BinProductVersion(Empty) 13241300x8000000000000000335387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LinkDate11/15/2022 17:19:09 13241300x8000000000000000335386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\Publisher(Empty) 13241300x8000000000000000335385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.568{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LowerCaseLongPathc:\program files\git\usr\bin\[.exe 13241300x8000000000000000335384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.553{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000c3242589e1ebe07fdf8e6c50c1a9b0a60000ffff\PublisherThe Git Development Community 23542300x8000000000000000335383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:25.131{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dll.auxMD5=3DF95B0C71238F8146AA10A2DAD2FF34,SHA256=37835EDC93EF2E6E5A3DCCEB99509FE5DBFB049D835C64B2D74B792024156EA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000335382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:25.131{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dllMD5=88C9F3A6A000DB567901CC188925D7C0,SHA256=5E1C43C87ACA9EEB778AC9BF91CBB976049A472F3AE41BAA6F82E498803796B8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000336776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LinkDate11/15/2022 17:18:54 13241300x8000000000000000336775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\Publisher(Empty) 13241300x8000000000000000336774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LowerCaseLongPathc:\program files\git\usr\bin\nproc.exe 13241300x8000000000000000336773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\BinProductVersion(Empty) 13241300x8000000000000000336772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LinkDate11/15/2022 17:18:54 13241300x8000000000000000336771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\Publisher(Empty) 13241300x8000000000000000336770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LowerCaseLongPathc:\program files\git\usr\bin\nohup.exe 13241300x8000000000000000336769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\BinProductVersion(Empty) 13241300x8000000000000000336768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LinkDate11/15/2022 17:18:54 13241300x8000000000000000336767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\Publisher(Empty) 13241300x8000000000000000336766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LowerCaseLongPathc:\program files\git\usr\bin\nl.exe 13241300x8000000000000000336765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\BinProductVersion(Empty) 13241300x8000000000000000336764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LinkDate11/15/2022 17:18:53 13241300x8000000000000000336763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\Publisher(Empty) 13241300x8000000000000000336762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LowerCaseLongPathc:\program files\git\usr\bin\nice.exe 13241300x8000000000000000336761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\BinProductVersion0.21.0.0 13241300x8000000000000000336760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\Publisherfree software foundation 13241300x8000000000000000336758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LowerCaseLongPathc:\program files\git\usr\bin\ngettext.exe 13241300x8000000000000000336757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\BinProductVersion(Empty) 13241300x8000000000000000336756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\Publisher(Empty) 13241300x8000000000000000336754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LowerCaseLongPathc:\program files\git\usr\bin\nettle-pbkdf2.exe 13241300x8000000000000000336753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\BinProductVersion(Empty) 13241300x8000000000000000336752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\Publisher(Empty) 13241300x8000000000000000336750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LowerCaseLongPathc:\program files\git\usr\bin\nettle-lfib-stream.exe 13241300x8000000000000000336749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\BinProductVersion(Empty) 13241300x8000000000000000336748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\Publisher(Empty) 13241300x8000000000000000336746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LowerCaseLongPathc:\program files\git\usr\bin\nettle-hash.exe 13241300x8000000000000000336745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\BinProductVersion(Empty) 13241300x8000000000000000336744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LinkDate12/19/2022 21:25:14 13241300x8000000000000000336743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\Publisher(Empty) 13241300x8000000000000000336742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LowerCaseLongPathc:\program files\git\usr\bin\nano.exe 13241300x8000000000000000336741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\BinProductVersion(Empty) 13241300x8000000000000000336740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LinkDate11/15/2022 17:18:53 13241300x8000000000000000336739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\Publisher(Empty) 13241300x8000000000000000336738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LowerCaseLongPathc:\program files\git\usr\bin\mv.exe 13241300x8000000000000000336737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\BinProductVersion(Empty) 13241300x8000000000000000336736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\Publisher(Empty) 13241300x8000000000000000336734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LowerCaseLongPathc:\program files\git\usr\bin\msguniq.exe 13241300x8000000000000000336733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\BinProductVersion(Empty) 13241300x8000000000000000336732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\Publisher(Empty) 13241300x8000000000000000336730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LowerCaseLongPathc:\program files\git\usr\bin\msgunfmt.exe 13241300x8000000000000000336729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\BinProductVersion(Empty) 13241300x8000000000000000336728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\Publisher(Empty) 13241300x8000000000000000336726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LowerCaseLongPathc:\program files\git\usr\bin\msgmerge.exe 13241300x8000000000000000336725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\BinProductVersion(Empty) 13241300x8000000000000000336724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\Publisher(Empty) 13241300x8000000000000000336722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LowerCaseLongPathc:\program files\git\usr\bin\msginit.exe 13241300x8000000000000000336721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\BinProductVersion(Empty) 13241300x8000000000000000336720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\Publisher(Empty) 13241300x8000000000000000336718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LowerCaseLongPathc:\program files\git\usr\bin\msggrep.exe 13241300x8000000000000000336717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\BinProductVersion(Empty) 13241300x8000000000000000336716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\Publisher(Empty) 13241300x8000000000000000336714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LowerCaseLongPathc:\program files\git\usr\bin\msgfmt.exe 13241300x8000000000000000336713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\BinProductVersion(Empty) 13241300x8000000000000000336712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\Publisher(Empty) 13241300x8000000000000000336710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LowerCaseLongPathc:\program files\git\usr\bin\msgfilter.exe 13241300x8000000000000000336709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\BinProductVersion(Empty) 13241300x8000000000000000336708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\Publisher(Empty) 13241300x8000000000000000336706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LowerCaseLongPathc:\program files\git\usr\bin\msgexec.exe 13241300x8000000000000000336705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\BinProductVersion(Empty) 13241300x8000000000000000336704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\Publisher(Empty) 13241300x8000000000000000336702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LowerCaseLongPathc:\program files\git\usr\bin\msgen.exe 13241300x8000000000000000336701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\BinProductVersion(Empty) 13241300x8000000000000000336700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\Publisher(Empty) 13241300x8000000000000000336698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LowerCaseLongPathc:\program files\git\usr\bin\msgconv.exe 13241300x8000000000000000336697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\BinProductVersion(Empty) 13241300x8000000000000000336696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\Publisher(Empty) 13241300x8000000000000000336694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LowerCaseLongPathc:\program files\git\usr\bin\msgcomm.exe 13241300x8000000000000000336693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\BinProductVersion(Empty) 13241300x8000000000000000336692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\Publisher(Empty) 13241300x8000000000000000336690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LowerCaseLongPathc:\program files\git\usr\bin\msgcmp.exe 13241300x8000000000000000336689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\BinProductVersion(Empty) 13241300x8000000000000000336688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\Publisher(Empty) 13241300x8000000000000000336686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LowerCaseLongPathc:\program files\git\usr\bin\msgcat.exe 13241300x8000000000000000336685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\BinProductVersion(Empty) 13241300x8000000000000000336684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\Publisher(Empty) 13241300x8000000000000000336682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LowerCaseLongPathc:\program files\git\usr\bin\msgattrib.exe 13241300x8000000000000000336681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\BinProductVersion(Empty) 13241300x8000000000000000336680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\Publisher(Empty) 13241300x8000000000000000336678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LowerCaseLongPathc:\program files\git\usr\bin\mpicalc.exe 13241300x8000000000000000336677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\BinProductVersion(Empty) 13241300x8000000000000000336676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LinkDate09/05/2022 20:36:31 13241300x8000000000000000336675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\Publisher(Empty) 13241300x8000000000000000336674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.725{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LowerCaseLongPathc:\program files\git\usr\bin\mount.exe 13241300x8000000000000000336673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\BinProductVersion(Empty) 13241300x8000000000000000336672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LinkDate11/15/2022 17:18:53 13241300x8000000000000000336671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\Publisher(Empty) 13241300x8000000000000000336670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LowerCaseLongPathc:\program files\git\usr\bin\mktemp.exe 13241300x8000000000000000336669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\BinProductVersion(Empty) 13241300x8000000000000000336668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LinkDate09/05/2022 20:36:30 13241300x8000000000000000336667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\Publisher(Empty) 13241300x8000000000000000336666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LowerCaseLongPathc:\program files\git\usr\bin\mkpasswd.exe 13241300x8000000000000000336665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\BinProductVersion(Empty) 13241300x8000000000000000336664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LinkDate11/15/2022 17:18:53 13241300x8000000000000000336663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\Publisher(Empty) 13241300x8000000000000000336662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LowerCaseLongPathc:\program files\git\usr\bin\mknod.exe 13241300x8000000000000000336661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\BinProductVersion(Empty) 13241300x8000000000000000336660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LinkDate09/05/2022 20:36:30 13241300x8000000000000000336659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\Publisher(Empty) 13241300x8000000000000000336658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LowerCaseLongPathc:\program files\git\usr\bin\mkgroup.exe 13241300x8000000000000000336657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\BinProductVersion(Empty) 13241300x8000000000000000336656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LinkDate11/15/2022 17:18:52 13241300x8000000000000000336655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\Publisher(Empty) 13241300x8000000000000000336654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LowerCaseLongPathc:\program files\git\usr\bin\mkfifo.exe 13241300x8000000000000000336653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\BinProductVersion(Empty) 13241300x8000000000000000336652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LinkDate11/15/2022 17:18:52 13241300x8000000000000000336651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\Publisher(Empty) 13241300x8000000000000000336650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LowerCaseLongPathc:\program files\git\usr\bin\mkdir.exe 13241300x8000000000000000336649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\BinProductVersion0.0.0.0 13241300x8000000000000000336648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LinkDate12/18/2022 14:10:49 13241300x8000000000000000336647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\Publisherthomas wolff, andy koppe 13241300x8000000000000000336646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LowerCaseLongPathc:\program files\git\usr\bin\mintty.exe 13241300x8000000000000000336645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\BinProductVersion(Empty) 13241300x8000000000000000336644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LinkDate09/05/2022 20:36:30 13241300x8000000000000000336643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\Publisher(Empty) 13241300x8000000000000000336642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LowerCaseLongPathc:\program files\git\usr\bin\minidumper.exe 13241300x8000000000000000336641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\BinProductVersion(Empty) 13241300x8000000000000000336640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LinkDate11/15/2022 17:18:52 13241300x8000000000000000336639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\Publisher(Empty) 13241300x8000000000000000336638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LowerCaseLongPathc:\program files\git\usr\bin\md5sum.exe 13241300x8000000000000000336637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\BinProductVersion(Empty) 13241300x8000000000000000336636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\Publisher(Empty) 13241300x8000000000000000336634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LowerCaseLongPathc:\program files\git\usr\bin\mac2unix.exe 13241300x8000000000000000336633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\BinProductVersion5.2.9.0 13241300x8000000000000000336632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LinkDate12/01/2022 09:26:17 13241300x8000000000000000336631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000336630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmainfo.exe 13241300x8000000000000000336629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\BinProductVersion5.2.9.0 13241300x8000000000000000336628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LinkDate12/01/2022 09:26:17 13241300x8000000000000000336627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000336626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmadec.exe 13241300x8000000000000000336625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\BinProductVersion(Empty) 13241300x8000000000000000336624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LinkDate09/05/2022 20:36:29 13241300x8000000000000000336623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\Publisher(Empty) 13241300x8000000000000000336622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LowerCaseLongPathc:\program files\git\usr\bin\lsattr.exe 13241300x8000000000000000336621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\BinProductVersion(Empty) 13241300x8000000000000000336620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LinkDate11/15/2022 17:18:52 13241300x8000000000000000336619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\Publisher(Empty) 13241300x8000000000000000336618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LowerCaseLongPathc:\program files\git\usr\bin\ls.exe 13241300x8000000000000000336617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\BinProductVersion(Empty) 13241300x8000000000000000336616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LinkDate11/15/2022 17:18:51 13241300x8000000000000000336615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\Publisher(Empty) 13241300x8000000000000000336614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LowerCaseLongPathc:\program files\git\usr\bin\logname.exe 13241300x8000000000000000336613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\BinProductVersion(Empty) 13241300x8000000000000000336612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\Publisher(Empty) 13241300x8000000000000000336610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LowerCaseLongPathc:\program files\git\usr\bin\locate.exe 13241300x8000000000000000336609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\BinProductVersion(Empty) 13241300x8000000000000000336608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LinkDate09/05/2022 20:36:29 13241300x8000000000000000336607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\Publisher(Empty) 13241300x8000000000000000336606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LowerCaseLongPathc:\program files\git\usr\bin\locale.exe 13241300x8000000000000000336605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\BinProductVersion(Empty) 13241300x8000000000000000336604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LinkDate11/15/2022 17:18:51 13241300x8000000000000000336603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\Publisher(Empty) 13241300x8000000000000000336602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LowerCaseLongPathc:\program files\git\usr\bin\ln.exe 13241300x8000000000000000336601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\BinProductVersion(Empty) 13241300x8000000000000000336600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LinkDate11/15/2022 17:18:50 13241300x8000000000000000336599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\Publisher(Empty) 13241300x8000000000000000336598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LowerCaseLongPathc:\program files\git\usr\bin\link.exe 13241300x8000000000000000336597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\BinProductVersion(Empty) 13241300x8000000000000000336596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LinkDate10/23/2022 12:10:12 13241300x8000000000000000336595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\Publisher(Empty) 13241300x8000000000000000336594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LowerCaseLongPathc:\program files\git\usr\bin\lesskey.exe 13241300x8000000000000000336593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\BinProductVersion(Empty) 13241300x8000000000000000336592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LinkDate10/23/2022 12:10:12 13241300x8000000000000000336591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\Publisher(Empty) 13241300x8000000000000000336590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LowerCaseLongPathc:\program files\git\usr\bin\lessecho.exe 13241300x8000000000000000336589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\BinProductVersion(Empty) 13241300x8000000000000000336588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LinkDate10/23/2022 12:10:12 13241300x8000000000000000336587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\Publisher(Empty) 13241300x8000000000000000336586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LowerCaseLongPathc:\program files\git\usr\bin\less.exe 13241300x8000000000000000336585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\BinProductVersion(Empty) 13241300x8000000000000000336584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LinkDate09/05/2022 20:35:39 13241300x8000000000000000336583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\Publisher(Empty) 13241300x8000000000000000336582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LowerCaseLongPathc:\program files\git\usr\bin\ldh.exe 13241300x8000000000000000336581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\BinProductVersion(Empty) 13241300x8000000000000000336580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LinkDate09/05/2022 20:36:29 13241300x8000000000000000336579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\Publisher(Empty) 13241300x8000000000000000336578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LowerCaseLongPathc:\program files\git\usr\bin\ldd.exe 13241300x8000000000000000336577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\BinProductVersion(Empty) 13241300x8000000000000000336576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LinkDate09/05/2022 20:36:29 13241300x8000000000000000336575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\Publisher(Empty) 13241300x8000000000000000336574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LowerCaseLongPathc:\program files\git\usr\bin\kill.exe 13241300x8000000000000000336573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\BinProductVersion(Empty) 13241300x8000000000000000336572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\Publisher(Empty) 13241300x8000000000000000336570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LowerCaseLongPathc:\program files\git\usr\bin\kbxutil.exe 13241300x8000000000000000336569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\BinProductVersion(Empty) 13241300x8000000000000000336568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LinkDate11/15/2022 17:18:50 13241300x8000000000000000336567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\Publisher(Empty) 13241300x8000000000000000336566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LowerCaseLongPathc:\program files\git\usr\bin\join.exe 13241300x8000000000000000336565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\BinProductVersion(Empty) 13241300x8000000000000000336564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LinkDate11/15/2022 17:18:50 13241300x8000000000000000336563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\Publisher(Empty) 13241300x8000000000000000336562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LowerCaseLongPathc:\program files\git\usr\bin\install.exe 13241300x8000000000000000336561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\BinProductVersion(Empty) 13241300x8000000000000000336560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\Publisher(Empty) 13241300x8000000000000000336558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LowerCaseLongPathc:\program files\git\usr\bin\infotocap.exe 13241300x8000000000000000336557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\BinProductVersion(Empty) 13241300x8000000000000000336556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\Publisher(Empty) 13241300x8000000000000000336554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LowerCaseLongPathc:\program files\git\usr\bin\infocmp.exe 13241300x8000000000000000336553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\BinProductVersion(Empty) 13241300x8000000000000000336552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LinkDate11/15/2022 17:18:49 13241300x8000000000000000336551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\Publisher(Empty) 13241300x8000000000000000336550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LowerCaseLongPathc:\program files\git\usr\bin\id.exe 13241300x8000000000000000336549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\BinProductVersion1.17.0.0 13241300x8000000000000000336548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\Publisherfree software foundation 13241300x8000000000000000336546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LowerCaseLongPathc:\program files\git\usr\bin\iconv.exe 13241300x8000000000000000336545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\BinProductVersion(Empty) 13241300x8000000000000000336544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LinkDate11/15/2022 17:18:49 13241300x8000000000000000336543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\Publisher(Empty) 13241300x8000000000000000336542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LowerCaseLongPathc:\program files\git\usr\bin\hostname.exe 13241300x8000000000000000336541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\BinProductVersion(Empty) 13241300x8000000000000000336540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\Publisher(Empty) 13241300x8000000000000000336538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LowerCaseLongPathc:\program files\git\usr\lib\gettext\hostname.exe 13241300x8000000000000000336537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\BinProductVersion(Empty) 13241300x8000000000000000336536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LinkDate11/15/2022 17:18:49 13241300x8000000000000000336535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\Publisher(Empty) 13241300x8000000000000000336534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.709{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LowerCaseLongPathc:\program files\git\usr\bin\hostid.exe 13241300x8000000000000000336533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\BinProductVersion(Empty) 13241300x8000000000000000336532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\Publisher(Empty) 13241300x8000000000000000336530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LowerCaseLongPathc:\program files\git\usr\bin\hmac256.exe 13241300x8000000000000000336529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\BinProductVersion2.39.1.1 13241300x8000000000000000336528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\Publisherthe git development community 13241300x8000000000000000336526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\headless-git.exe 13241300x8000000000000000336525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\BinProductVersion(Empty) 13241300x8000000000000000336524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LinkDate11/15/2022 17:18:48 13241300x8000000000000000336523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\Publisher(Empty) 13241300x8000000000000000336522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LowerCaseLongPathc:\program files\git\usr\bin\head.exe 13241300x8000000000000000336521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\BinProductVersion(Empty) 13241300x8000000000000000336520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\Publisher(Empty) 13241300x8000000000000000336518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LowerCaseLongPathc:\program files\git\usr\bin\gzip.exe 13241300x8000000000000000336517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\BinProductVersion(Empty) 13241300x8000000000000000336516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LinkDate11/15/2022 17:18:48 13241300x8000000000000000336515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\Publisher(Empty) 13241300x8000000000000000336514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LowerCaseLongPathc:\program files\git\usr\bin\groups.exe 13241300x8000000000000000336513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\BinProductVersion(Empty) 13241300x8000000000000000336512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LinkDate11/15/2022 17:31:52 13241300x8000000000000000336511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\Publisher(Empty) 13241300x8000000000000000336510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LowerCaseLongPathc:\program files\git\usr\bin\grep.exe 13241300x8000000000000000336509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\BinProductVersion(Empty) 13241300x8000000000000000336508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\Publisher(Empty) 13241300x8000000000000000336506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LowerCaseLongPathc:\program files\git\usr\lib\awk\grcat.exe 13241300x8000000000000000336505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\BinProductVersion(Empty) 13241300x8000000000000000336504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\Publisher(Empty) 13241300x8000000000000000336502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LowerCaseLongPathc:\program files\git\usr\bin\gpgv.exe 13241300x8000000000000000336501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\BinProductVersion(Empty) 13241300x8000000000000000336500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\Publisher(Empty) 13241300x8000000000000000336498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LowerCaseLongPathc:\program files\git\usr\bin\gpgtar.exe 13241300x8000000000000000336497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\BinProductVersion(Empty) 13241300x8000000000000000336496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\Publisher(Empty) 13241300x8000000000000000336494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LowerCaseLongPathc:\program files\git\usr\bin\gpgsplit.exe 13241300x8000000000000000336493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\BinProductVersion(Empty) 13241300x8000000000000000336492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\Publisher(Empty) 13241300x8000000000000000336490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LowerCaseLongPathc:\program files\git\usr\bin\gpgsm.exe 13241300x8000000000000000336489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\BinProductVersion(Empty) 13241300x8000000000000000336488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\Publisher(Empty) 13241300x8000000000000000336486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LowerCaseLongPathc:\program files\git\usr\bin\gpgscm.exe 13241300x8000000000000000336485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\BinProductVersion(Empty) 13241300x8000000000000000336484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\Publisher(Empty) 13241300x8000000000000000336482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LowerCaseLongPathc:\program files\git\usr\bin\gpgparsemail.exe 13241300x8000000000000000336481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\BinProductVersion(Empty) 13241300x8000000000000000336480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\Publisher(Empty) 13241300x8000000000000000336478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LowerCaseLongPathc:\program files\git\usr\bin\gpgconf.exe 13241300x8000000000000000336477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\BinProductVersion(Empty) 13241300x8000000000000000336476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\Publisher(Empty) 13241300x8000000000000000336474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LowerCaseLongPathc:\program files\git\usr\bin\gpg.exe 13241300x8000000000000000336473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\BinProductVersion(Empty) 13241300x8000000000000000336472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\Publisher(Empty) 13241300x8000000000000000336470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LowerCaseLongPathc:\program files\git\usr\bin\gpg-wks-server.exe 13241300x8000000000000000336469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\BinProductVersion(Empty) 13241300x8000000000000000336468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\Publisher(Empty) 13241300x8000000000000000336466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-wks-client.exe 13241300x8000000000000000336465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\BinProductVersion(Empty) 13241300x8000000000000000336464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\Publisher(Empty) 13241300x8000000000000000336462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-protect-tool.exe 13241300x8000000000000000336461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\BinProductVersion(Empty) 13241300x8000000000000000336460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\Publisher(Empty) 13241300x8000000000000000336458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-preset-passphrase.exe 13241300x8000000000000000336457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\BinProductVersion(Empty) 13241300x8000000000000000336456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\Publisher(Empty) 13241300x8000000000000000336454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LowerCaseLongPathc:\program files\git\usr\bin\gpg-error.exe 13241300x8000000000000000336453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\BinProductVersion(Empty) 13241300x8000000000000000336452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\Publisher(Empty) 13241300x8000000000000000336450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LowerCaseLongPathc:\program files\git\usr\bin\gpg-connect-agent.exe 13241300x8000000000000000336449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\BinProductVersion(Empty) 13241300x8000000000000000336448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\Publisher(Empty) 13241300x8000000000000000336446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-check-pattern.exe 13241300x8000000000000000336445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\BinProductVersion(Empty) 13241300x8000000000000000336444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\Publisher(Empty) 13241300x8000000000000000336442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LowerCaseLongPathc:\program files\git\usr\bin\gpg-agent.exe 13241300x8000000000000000336441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\BinProductVersion(Empty) 13241300x8000000000000000336440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\LinkDate09/05/2022 20:36:29 13241300x8000000000000000336439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\Publisher(Empty) 13241300x8000000000000000336438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\LowerCaseLongPathc:\program files\git\usr\bin\gmondump.exe 13241300x8000000000000000336437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\BinProductVersion(Empty) 13241300x8000000000000000336436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LinkDate11/15/2022 17:18:48 13241300x8000000000000000336435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\Publisher(Empty) 13241300x8000000000000000336434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LowerCaseLongPathc:\program files\git\usr\bin\gkill.exe 13241300x8000000000000000336433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitlab.ui.exe|9a66482d76ed4734\BinProductVersion2.0.886.0 13241300x8000000000000000336432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitlab.ui.exe|9a66482d76ed4734\LinkDate12/06/2056 22:35:34 13241300x8000000000000000336431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitlab.ui.exe|9a66482d76ed4734\Publishergitlab.ui 13241300x8000000000000000336430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitlab.ui.exe|9a66482d76ed4734\LowerCaseLongPathc:\program files\git\mingw64\bin\gitlab.ui.exe 13241300x8000000000000000336429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\BinProductVersion2.39.1.1 13241300x8000000000000000336428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\Publisherthe git development community 13241300x8000000000000000336426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LowerCaseLongPathc:\program files\git\cmd\gitk.exe 13241300x8000000000000000336425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\github.ui.exe|6358465b4ca82605\BinProductVersion2.0.886.0 13241300x8000000000000000336424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\github.ui.exe|6358465b4ca82605\LinkDate04/14/2085 15:19:29 13241300x8000000000000000336423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\github.ui.exe|6358465b4ca82605\Publishergithub.ui 13241300x8000000000000000336422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\github.ui.exe|6358465b4ca82605\LowerCaseLongPathc:\program files\git\mingw64\bin\github.ui.exe 13241300x8000000000000000336421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\BinProductVersion2.39.1.1 13241300x8000000000000000336420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\Publisherthe git development community 13241300x8000000000000000336418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git.exe 13241300x8000000000000000336417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\BinProductVersion2.39.1.1 13241300x8000000000000000336416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\Publisherthe git development community 13241300x8000000000000000336414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LowerCaseLongPathc:\program files\git\bin\git.exe 13241300x8000000000000000336413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\BinProductVersion2.39.1.1 13241300x8000000000000000336412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\Publisherthe git development community 13241300x8000000000000000336410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LowerCaseLongPathc:\program files\git\mingw64\bin\git.exe 13241300x8000000000000000336409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\BinProductVersion2.39.1.1 13241300x8000000000000000336408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\Publisherthe git development community 13241300x8000000000000000336406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LowerCaseLongPathc:\program files\git\cmd\git.exe 13241300x8000000000000000336405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\BinProductVersion2.39.1.1 13241300x8000000000000000336404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\Publisherthe git development community 13241300x8000000000000000336402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-write-tree.exe 13241300x8000000000000000336401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\BinProductVersion2.39.1.1 13241300x8000000000000000336400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.693{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\Publisherthe git development community 13241300x8000000000000000336398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LowerCaseLongPathc:\program files\git\mingw64\share\git\git-wrapper.exe 13241300x8000000000000000336397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\BinProductVersion2.39.1.1 13241300x8000000000000000336396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\Publisherthe git development community 13241300x8000000000000000336394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-worktree.exe 13241300x8000000000000000336393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\BinProductVersion2.39.1.1 13241300x8000000000000000336392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\Publisherthe git development community 13241300x8000000000000000336390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-whatchanged.exe 13241300x8000000000000000336389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-version.exe|db6fe60d78a4ca45\BinProductVersion2.39.1.1 13241300x8000000000000000336388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-version.exe|db6fe60d78a4ca45\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-version.exe|db6fe60d78a4ca45\Publisherthe git development community 13241300x8000000000000000336386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-version.exe|db6fe60d78a4ca45\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-version.exe 13241300x8000000000000000336385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\BinProductVersion2.39.1.1 13241300x8000000000000000336384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\Publisherthe git development community 13241300x8000000000000000336382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-tag.exe 13241300x8000000000000000336381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\BinProductVersion2.39.1.1 13241300x8000000000000000336380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\Publisherthe git development community 13241300x8000000000000000336378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-pack.exe 13241300x8000000000000000336377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\BinProductVersion2.39.1.1 13241300x8000000000000000336376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\Publisherthe git development community 13241300x8000000000000000336374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-commit.exe 13241300x8000000000000000336373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\BinProductVersion2.39.1.1 13241300x8000000000000000336372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\Publisherthe git development community 13241300x8000000000000000336370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-var.exe 13241300x8000000000000000336369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\BinProductVersion2.39.1.1 13241300x8000000000000000336368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\Publisherthe git development community 13241300x8000000000000000336366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-pack.exe 13241300x8000000000000000336365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\BinProductVersion2.39.1.1 13241300x8000000000000000336364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\Publisherthe git development community 13241300x8000000000000000336362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-pack.exe 13241300x8000000000000000336361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\BinProductVersion2.39.1.1 13241300x8000000000000000336360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\Publisherthe git development community 13241300x8000000000000000336358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-archive.exe 13241300x8000000000000000336357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\BinProductVersion2.39.1.1 13241300x8000000000000000336356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\Publisherthe git development community 13241300x8000000000000000336354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-archive.exe 13241300x8000000000000000336353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\BinProductVersion2.39.1.1 13241300x8000000000000000336352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\Publisherthe git development community 13241300x8000000000000000336350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-server-info.exe 13241300x8000000000000000336349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\BinProductVersion2.39.1.1 13241300x8000000000000000336348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\Publisherthe git development community 13241300x8000000000000000336346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-ref.exe 13241300x8000000000000000336345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\BinProductVersion2.39.1.1 13241300x8000000000000000336344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\Publisherthe git development community 13241300x8000000000000000336342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-index.exe 13241300x8000000000000000336341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\BinProductVersion2.39.1.1 13241300x8000000000000000336340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\Publisherthe git development community 13241300x8000000000000000336338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-objects.exe 13241300x8000000000000000336337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\BinProductVersion2.39.1.1 13241300x8000000000000000336336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\Publisherthe git development community 13241300x8000000000000000336334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-file.exe 13241300x8000000000000000336333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\BinProductVersion2.39.1.1 13241300x8000000000000000336332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\Publisherthe git development community 13241300x8000000000000000336330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-tag.exe 13241300x8000000000000000336329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\BinProductVersion2.39.1.1 13241300x8000000000000000336328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\Publisherthe git development community 13241300x8000000000000000336326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-symbolic-ref.exe 13241300x8000000000000000336325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\BinProductVersion2.39.1.1 13241300x8000000000000000336324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\Publisherthe git development community 13241300x8000000000000000336322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-switch.exe 13241300x8000000000000000336321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\BinProductVersion2.39.1.1 13241300x8000000000000000336320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\Publisherthe git development community 13241300x8000000000000000336318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-submodule--helper.exe 13241300x8000000000000000336317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\BinProductVersion2.39.1.1 13241300x8000000000000000336316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\Publisherthe git development community 13241300x8000000000000000336314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stripspace.exe 13241300x8000000000000000336313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\BinProductVersion2.39.1.1 13241300x8000000000000000336312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\Publisherthe git development community 13241300x8000000000000000336310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-status.exe 13241300x8000000000000000336309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\BinProductVersion2.39.1.1 13241300x8000000000000000336308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\Publisherthe git development community 13241300x8000000000000000336306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stash.exe 13241300x8000000000000000336305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\BinProductVersion2.39.1.1 13241300x8000000000000000336304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.678{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\Publisherthe git development community 13241300x8000000000000000336302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stage.exe 13241300x8000000000000000336301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\BinProductVersion2.39.1.1 13241300x8000000000000000336300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\Publisherthe git development community 13241300x8000000000000000336298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sparse-checkout.exe 13241300x8000000000000000336297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\BinProductVersion2.39.1.1 13241300x8000000000000000336296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\Publisherthe git development community 13241300x8000000000000000336294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show.exe 13241300x8000000000000000336293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\BinProductVersion2.39.1.1 13241300x8000000000000000336292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\Publisherthe git development community 13241300x8000000000000000336290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-ref.exe 13241300x8000000000000000336289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\BinProductVersion2.39.1.1 13241300x8000000000000000336288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\Publisherthe git development community 13241300x8000000000000000336286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-index.exe 13241300x8000000000000000336285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\BinProductVersion2.39.1.1 13241300x8000000000000000336284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\Publisherthe git development community 13241300x8000000000000000336282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-branch.exe 13241300x8000000000000000336281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\BinProductVersion2.39.1.1 13241300x8000000000000000336280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\Publisherthe git development community 13241300x8000000000000000336278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-shortlog.exe 13241300x8000000000000000336277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\BinProductVersion2.39.1.1 13241300x8000000000000000336276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\Publisherthe git development community 13241300x8000000000000000336274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe 13241300x8000000000000000336273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\BinProductVersion2.39.1.1 13241300x8000000000000000336272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\Publisherthe git development community 13241300x8000000000000000336270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-send-pack.exe 13241300x8000000000000000336269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\BinProductVersion2.39.1.1 13241300x8000000000000000336268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\Publisherthe git development community 13241300x8000000000000000336266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rm.exe 13241300x8000000000000000336265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\BinProductVersion2.39.1.1 13241300x8000000000000000336264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\Publisherthe git development community 13241300x8000000000000000336262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-revert.exe 13241300x8000000000000000336261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\BinProductVersion2.39.1.1 13241300x8000000000000000336260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\Publisherthe git development community 13241300x8000000000000000336258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-parse.exe 13241300x8000000000000000336257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\BinProductVersion2.39.1.1 13241300x8000000000000000336256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\Publisherthe git development community 13241300x8000000000000000336254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-list.exe 13241300x8000000000000000336253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\BinProductVersion2.39.1.1 13241300x8000000000000000336252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\Publisherthe git development community 13241300x8000000000000000336250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-restore.exe 13241300x8000000000000000336249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\BinProductVersion2.39.1.1 13241300x8000000000000000336248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\Publisherthe git development community 13241300x8000000000000000336246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reset.exe 13241300x8000000000000000336245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\BinProductVersion2.39.1.1 13241300x8000000000000000336244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\Publisherthe git development community 13241300x8000000000000000336242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rerere.exe 13241300x8000000000000000336241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\BinProductVersion2.39.1.1 13241300x8000000000000000336240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\Publisherthe git development community 13241300x8000000000000000336238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-replace.exe 13241300x8000000000000000336237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\BinProductVersion2.39.1.1 13241300x8000000000000000336236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\Publisherthe git development community 13241300x8000000000000000336234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-repack.exe 13241300x8000000000000000336233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\BinProductVersion2.39.1.1 13241300x8000000000000000336232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\Publisherthe git development community 13241300x8000000000000000336230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote.exe 13241300x8000000000000000336229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\BinProductVersion2.39.1.1 13241300x8000000000000000336228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\Publisherthe git development community 13241300x8000000000000000336226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-https.exe 13241300x8000000000000000336225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\BinProductVersion2.39.1.1 13241300x8000000000000000336224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\Publisherthe git development community 13241300x8000000000000000336222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-http.exe 13241300x8000000000000000336221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\BinProductVersion2.39.1.1 13241300x8000000000000000336220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\Publisherthe git development community 13241300x8000000000000000336218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftps.exe 13241300x8000000000000000336217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\BinProductVersion2.39.1.1 13241300x8000000000000000336216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\Publisherthe git development community 13241300x8000000000000000336214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftp.exe 13241300x8000000000000000336213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\BinProductVersion2.39.1.1 13241300x8000000000000000336212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\Publisherthe git development community 13241300x8000000000000000336210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-fd.exe 13241300x8000000000000000336209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\BinProductVersion2.39.1.1 13241300x8000000000000000336208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\Publisherthe git development community 13241300x8000000000000000336206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ext.exe 13241300x8000000000000000336205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\BinProductVersion2.39.1.1 13241300x8000000000000000336204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\Publisherthe git development community 13241300x8000000000000000336202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reflog.exe 13241300x8000000000000000336201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\BinProductVersion2.39.1.1 13241300x8000000000000000336200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.662{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\Publisherthe git development community 13241300x8000000000000000336198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LowerCaseLongPathc:\program files\git\mingw64\bin\git-receive-pack.exe 13241300x8000000000000000336197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\BinProductVersion2.39.1.1 13241300x8000000000000000336196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\Publisherthe git development community 13241300x8000000000000000336194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-receive-pack.exe 13241300x8000000000000000336193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\BinProductVersion2.39.1.1 13241300x8000000000000000336192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\Publisherthe git development community 13241300x8000000000000000336190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rebase.exe 13241300x8000000000000000336189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\BinProductVersion2.39.1.1 13241300x8000000000000000336188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\Publisherthe git development community 13241300x8000000000000000336186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-read-tree.exe 13241300x8000000000000000336185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\BinProductVersion2.39.1.1 13241300x8000000000000000336184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\Publisherthe git development community 13241300x8000000000000000336182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-range-diff.exe 13241300x8000000000000000336181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\BinProductVersion2.39.1.1 13241300x8000000000000000336180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\Publisherthe git development community 13241300x8000000000000000336178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-push.exe 13241300x8000000000000000336177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\BinProductVersion2.39.1.1 13241300x8000000000000000336176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\Publisherthe git development community 13241300x8000000000000000336174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pull.exe 13241300x8000000000000000336173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\BinProductVersion2.39.1.1 13241300x8000000000000000336172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\Publisherthe git development community 13241300x8000000000000000336170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune.exe 13241300x8000000000000000336169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\BinProductVersion2.39.1.1 13241300x8000000000000000336168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\Publisherthe git development community 13241300x8000000000000000336166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune-packed.exe 13241300x8000000000000000336165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\BinProductVersion2.39.1.1 13241300x8000000000000000336164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\Publisherthe git development community 13241300x8000000000000000336162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-patch-id.exe 13241300x8000000000000000336161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\BinProductVersion2.39.1.1 13241300x8000000000000000336160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\Publisherthe git development community 13241300x8000000000000000336158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-refs.exe 13241300x8000000000000000336157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\BinProductVersion2.39.1.1 13241300x8000000000000000336156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\Publisherthe git development community 13241300x8000000000000000336154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-redundant.exe 13241300x8000000000000000336153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\BinProductVersion2.39.1.1 13241300x8000000000000000336152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\Publisherthe git development community 13241300x8000000000000000336150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-objects.exe 13241300x8000000000000000336149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\BinProductVersion2.39.1.1 13241300x8000000000000000336148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\Publisherthe git development community 13241300x8000000000000000336146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-notes.exe 13241300x8000000000000000336145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\BinProductVersion2.39.1.1 13241300x8000000000000000336144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\Publisherthe git development community 13241300x8000000000000000336142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-name-rev.exe 13241300x8000000000000000336141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\BinProductVersion2.39.1.1 13241300x8000000000000000336140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\Publisherthe git development community 13241300x8000000000000000336138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mv.exe 13241300x8000000000000000336137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\BinProductVersion2.39.1.1 13241300x8000000000000000336136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\Publisherthe git development community 13241300x8000000000000000336134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-multi-pack-index.exe 13241300x8000000000000000336133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\BinProductVersion2.39.1.1 13241300x8000000000000000336132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\Publisherthe git development community 13241300x8000000000000000336130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktree.exe 13241300x8000000000000000336129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\BinProductVersion2.39.1.1 13241300x8000000000000000336128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\Publisherthe git development community 13241300x8000000000000000336126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktag.exe 13241300x8000000000000000336125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\BinProductVersion2.39.1.1 13241300x8000000000000000336124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\Publisherthe git development community 13241300x8000000000000000336122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge.exe 13241300x8000000000000000336121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\BinProductVersion2.39.1.1 13241300x8000000000000000336120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\Publisherthe git development community 13241300x8000000000000000336118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-tree.exe 13241300x8000000000000000336117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\BinProductVersion2.39.1.1 13241300x8000000000000000336116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\Publisherthe git development community 13241300x8000000000000000336114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-subtree.exe 13241300x8000000000000000336113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\BinProductVersion2.39.1.1 13241300x8000000000000000336112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\Publisherthe git development community 13241300x8000000000000000336110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-recursive.exe 13241300x8000000000000000336109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\BinProductVersion2.39.1.1 13241300x8000000000000000336108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\Publisherthe git development community 13241300x8000000000000000336106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-ours.exe 13241300x8000000000000000336105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\BinProductVersion2.39.1.1 13241300x8000000000000000336104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\Publisherthe git development community 13241300x8000000000000000336102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-index.exe 13241300x8000000000000000336101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\BinProductVersion2.39.1.1 13241300x8000000000000000336100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\Publisherthe git development community 13241300x8000000000000000336098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-file.exe 13241300x8000000000000000336097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\BinProductVersion2.39.1.1 13241300x8000000000000000336096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\Publisherthe git development community 13241300x8000000000000000336094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-base.exe 13241300x8000000000000000336093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\BinProductVersion2.39.1.1 13241300x8000000000000000336092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\Publisherthe git development community 13241300x8000000000000000336090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-maintenance.exe 13241300x8000000000000000336089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\BinProductVersion2.39.1.1 13241300x8000000000000000336088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\Publisherthe git development community 13241300x8000000000000000336086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailsplit.exe 13241300x8000000000000000336085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\BinProductVersion2.39.1.1 13241300x8000000000000000336084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\Publisherthe git development community 13241300x8000000000000000336082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailinfo.exe 13241300x8000000000000000336081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\BinProductVersion2.39.1.1 13241300x8000000000000000336080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\Publisherthe git development community 13241300x8000000000000000336078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-tree.exe 13241300x8000000000000000336077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\BinProductVersion2.39.1.1 13241300x8000000000000000336076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\Publisherthe git development community 13241300x8000000000000000336074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-remote.exe 13241300x8000000000000000336073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\BinProductVersion2.39.1.1 13241300x8000000000000000336072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\Publisherthe git development community 13241300x8000000000000000336070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-files.exe 13241300x8000000000000000336069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\BinProductVersion2.39.1.1 13241300x8000000000000000336068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\Publisherthe git development community 13241300x8000000000000000336066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-log.exe 13241300x8000000000000000336065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\BinProductVersion0.0.0.0 13241300x8000000000000000336064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\Publisher(Empty) 13241300x8000000000000000336062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-lfs.exe 13241300x8000000000000000336061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\BinProductVersion2.39.1.1 13241300x8000000000000000336060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\Publisherthe git development community 13241300x8000000000000000336058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.646{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LowerCaseLongPathc:\program files\git\cmd\git-lfs.exe 13241300x8000000000000000336057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\BinProductVersion2.39.1.1 13241300x8000000000000000336056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\Publisherthe git development community 13241300x8000000000000000336054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-interpret-trailers.exe 13241300x8000000000000000336053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\BinProductVersion2.39.1.1 13241300x8000000000000000336052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\Publisherthe git development community 13241300x8000000000000000336050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init.exe 13241300x8000000000000000336049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\BinProductVersion2.39.1.1 13241300x8000000000000000336048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\Publisherthe git development community 13241300x8000000000000000336046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init-db.exe 13241300x8000000000000000336045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\BinProductVersion2.39.1.1 13241300x8000000000000000336044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\Publisherthe git development community 13241300x8000000000000000336042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-index-pack.exe 13241300x8000000000000000336041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\BinProductVersion2.39.1.1 13241300x8000000000000000336040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\Publisherthe git development community 13241300x8000000000000000336038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-imap-send.exe 13241300x8000000000000000336037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\BinProductVersion2.39.1.1 13241300x8000000000000000336036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\Publisherthe git development community 13241300x8000000000000000336034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-push.exe 13241300x8000000000000000336033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\BinProductVersion2.39.1.1 13241300x8000000000000000336032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\Publisherthe git development community 13241300x8000000000000000336030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-fetch.exe 13241300x8000000000000000336029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\BinProductVersion2.39.1.1 13241300x8000000000000000336028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\Publisherthe git development community 13241300x8000000000000000336026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-backend.exe 13241300x8000000000000000336025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hook.exe|9c3f0b48df6ab5e5\BinProductVersion2.39.1.1 13241300x8000000000000000336024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hook.exe|9c3f0b48df6ab5e5\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hook.exe|9c3f0b48df6ab5e5\Publisherthe git development community 13241300x8000000000000000336022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hook.exe|9c3f0b48df6ab5e5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-hook.exe 13241300x8000000000000000336021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\BinProductVersion2.39.1.1 13241300x8000000000000000336020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\Publisherthe git development community 13241300x8000000000000000336018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-help.exe 13241300x8000000000000000336017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\BinProductVersion2.39.1.1 13241300x8000000000000000336016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\Publisherthe git development community 13241300x8000000000000000336014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-hash-object.exe 13241300x8000000000000000336013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\BinProductVersion2.39.1.1 13241300x8000000000000000336012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\Publisherthe git development community 13241300x8000000000000000336010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LowerCaseLongPathc:\program files\git\cmd\git-gui.exe 13241300x8000000000000000336009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\BinProductVersion2.39.1.1 13241300x8000000000000000336008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\Publisherthe git development community 13241300x8000000000000000336006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-grep.exe 13241300x8000000000000000336005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\BinProductVersion2.39.1.1 13241300x8000000000000000336004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000336003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\Publisherthe git development community 13241300x8000000000000000336002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-get-tar-commit-id.exe 13241300x8000000000000000336001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\BinProductVersion2.39.1.1 13241300x8000000000000000336000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\Publisherthe git development community 13241300x8000000000000000335998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-gc.exe 13241300x8000000000000000335997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\BinProductVersion2.39.1.1 13241300x8000000000000000335996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\Publisherthe git development community 13241300x8000000000000000335994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsmonitor--daemon.exe 13241300x8000000000000000335993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\BinProductVersion2.39.1.1 13241300x8000000000000000335992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\Publisherthe git development community 13241300x8000000000000000335990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck.exe 13241300x8000000000000000335989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\BinProductVersion2.39.1.1 13241300x8000000000000000335988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\Publisherthe git development community 13241300x8000000000000000335986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck-objects.exe 13241300x8000000000000000335985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\BinProductVersion2.39.1.1 13241300x8000000000000000335984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\Publisherthe git development community 13241300x8000000000000000335982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-format-patch.exe 13241300x8000000000000000335981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\BinProductVersion2.39.1.1 13241300x8000000000000000335980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\Publisherthe git development community 13241300x8000000000000000335978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-repo.exe 13241300x8000000000000000335977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\BinProductVersion2.39.1.1 13241300x8000000000000000335976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\Publisherthe git development community 13241300x8000000000000000335974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-ref.exe 13241300x8000000000000000335973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\BinProductVersion2.39.1.1 13241300x8000000000000000335972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\Publisherthe git development community 13241300x8000000000000000335970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fmt-merge-msg.exe 13241300x8000000000000000335969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\BinProductVersion2.39.1.1 13241300x8000000000000000335968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\Publisherthe git development community 13241300x8000000000000000335966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch.exe 13241300x8000000000000000335965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\BinProductVersion2.39.1.1 13241300x8000000000000000335964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\Publisherthe git development community 13241300x8000000000000000335962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch-pack.exe 13241300x8000000000000000335961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\BinProductVersion2.39.1.1 13241300x8000000000000000335960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\Publisherthe git development community 13241300x8000000000000000335958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-import.exe 13241300x8000000000000000335957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\BinProductVersion2.39.1.1 13241300x8000000000000000335956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\Publisherthe git development community 13241300x8000000000000000335954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-export.exe 13241300x8000000000000000335953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\BinProductVersion2.39.1.1 13241300x8000000000000000335952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\Publisherthe git development community 13241300x8000000000000000335950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-env--helper.exe 13241300x8000000000000000335949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\BinProductVersion2.39.1.1 13241300x8000000000000000335948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\Publisherthe git development community 13241300x8000000000000000335946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-difftool.exe 13241300x8000000000000000335945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\BinProductVersion2.39.1.1 13241300x8000000000000000335944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\Publisherthe git development community 13241300x8000000000000000335942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff.exe 13241300x8000000000000000335941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\BinProductVersion2.39.1.1 13241300x8000000000000000335940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\Publisherthe git development community 13241300x8000000000000000335938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-tree.exe 13241300x8000000000000000335937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\BinProductVersion2.39.1.1 13241300x8000000000000000335936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\Publisherthe git development community 13241300x8000000000000000335934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-index.exe 13241300x8000000000000000335933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\BinProductVersion2.39.1.1 13241300x8000000000000000335932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\Publisherthe git development community 13241300x8000000000000000335930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.631{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-files.exe 13241300x8000000000000000335929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diagnose.exe|d4bf301f6fe27ef6\BinProductVersion2.39.1.1 13241300x8000000000000000335928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diagnose.exe|d4bf301f6fe27ef6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diagnose.exe|d4bf301f6fe27ef6\Publisherthe git development community 13241300x8000000000000000335926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-diagnose.exe|d4bf301f6fe27ef6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diagnose.exe 13241300x8000000000000000335925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\BinProductVersion2.39.1.1 13241300x8000000000000000335924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\Publisherthe git development community 13241300x8000000000000000335922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-describe.exe 13241300x8000000000000000335921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\BinProductVersion2.39.1.1 13241300x8000000000000000335920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\Publisherthe git development community 13241300x8000000000000000335918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-daemon.exe 13241300x8000000000000000335917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\BinProductVersion2.39.1.1 13241300x8000000000000000335916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\Publisherthe git development community 13241300x8000000000000000335914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential.exe 13241300x8000000000000000335913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\BinProductVersion(Empty) 13241300x8000000000000000335912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\Publisher(Empty) 13241300x8000000000000000335910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-wincred.exe 13241300x8000000000000000335909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\BinProductVersion2.39.1.1 13241300x8000000000000000335908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\Publisherthe git development community 13241300x8000000000000000335906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-store.exe 13241300x8000000000000000335905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|b01c0b354a60e1d8\BinProductVersion2.0.886.0 13241300x8000000000000000335904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|b01c0b354a60e1d8\LinkDate07/24/2043 06:17:02 13241300x8000000000000000335903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|b01c0b354a60e1d8\Publishergit-credential-manager 13241300x8000000000000000335902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|b01c0b354a60e1d8\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-manager.exe 13241300x8000000000000000335901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|68986ac338ae44eb\BinProductVersion2.0.886.0 13241300x8000000000000000335900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|68986ac338ae44eb\LinkDate07/24/2043 06:17:02 13241300x8000000000000000335899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|68986ac338ae44eb\Publishergit-credential-manager 13241300x8000000000000000335898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|68986ac338ae44eb\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-manager-core.exe 13241300x8000000000000000335897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|47ee54a0a2f4693e\BinProductVersion2.0.886.0 13241300x8000000000000000335896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|47ee54a0a2f4693e\LinkDate09/28/2046 06:40:45 13241300x8000000000000000335895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|47ee54a0a2f4693e\Publishergit-credential-manager-ui 13241300x8000000000000000335894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-m|47ee54a0a2f4693e\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-manager-ui.exe 13241300x8000000000000000335893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\BinProductVersion(Empty) 13241300x8000000000000000335892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LinkDate11/29/2022 16:06:30 13241300x8000000000000000335891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\Publisher(Empty) 13241300x8000000000000000335890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-helper-selector.exe 13241300x8000000000000000335889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\BinProductVersion2.39.1.1 13241300x8000000000000000335888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\Publisherthe git development community 13241300x8000000000000000335886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache.exe 13241300x8000000000000000335885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\BinProductVersion2.39.1.1 13241300x8000000000000000335884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\Publisherthe git development community 13241300x8000000000000000335882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache--daemon.exe 13241300x8000000000000000335881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\BinProductVersion2.39.1.1 13241300x8000000000000000335880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\Publisherthe git development community 13241300x8000000000000000335878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-count-objects.exe 13241300x8000000000000000335877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\BinProductVersion2.39.1.1 13241300x8000000000000000335876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\Publisherthe git development community 13241300x8000000000000000335874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-config.exe 13241300x8000000000000000335873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\BinProductVersion2.39.1.1 13241300x8000000000000000335872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\Publisherthe git development community 13241300x8000000000000000335870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit.exe 13241300x8000000000000000335869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\BinProductVersion2.39.1.1 13241300x8000000000000000335868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\Publisherthe git development community 13241300x8000000000000000335866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-tree.exe 13241300x8000000000000000335865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\BinProductVersion2.39.1.1 13241300x8000000000000000335864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\Publisherthe git development community 13241300x8000000000000000335862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-graph.exe 13241300x8000000000000000335861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\BinProductVersion2.39.1.1 13241300x8000000000000000335860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\Publisherthe git development community 13241300x8000000000000000335858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-column.exe 13241300x8000000000000000335857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\BinProductVersion2.39.1.1 13241300x8000000000000000335856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\Publisherthe git development community 13241300x8000000000000000335854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LowerCaseLongPathc:\program files\git\git-cmd.exe 13241300x8000000000000000335853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\BinProductVersion2.39.1.1 13241300x8000000000000000335852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\Publisherthe git development community 13241300x8000000000000000335850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clone.exe 13241300x8000000000000000335849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\BinProductVersion2.39.1.1 13241300x8000000000000000335848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\Publisherthe git development community 13241300x8000000000000000335846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clean.exe 13241300x8000000000000000335845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\BinProductVersion2.39.1.1 13241300x8000000000000000335844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\Publisherthe git development community 13241300x8000000000000000335842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry.exe 13241300x8000000000000000335841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\BinProductVersion2.39.1.1 13241300x8000000000000000335840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\Publisherthe git development community 13241300x8000000000000000335838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry-pick.exe 13241300x8000000000000000335837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\BinProductVersion2.39.1.1 13241300x8000000000000000335836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\Publisherthe git development community 13241300x8000000000000000335834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout.exe 13241300x8000000000000000335833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\BinProductVersion2.39.1.1 13241300x8000000000000000335832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\Publisherthe git development community 13241300x8000000000000000335830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout-index.exe 13241300x8000000000000000335829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\BinProductVersion2.39.1.1 13241300x8000000000000000335828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\Publisherthe git development community 13241300x8000000000000000335826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout--worker.exe 13241300x8000000000000000335825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\BinProductVersion2.39.1.1 13241300x8000000000000000335824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\Publisherthe git development community 13241300x8000000000000000335822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ref-format.exe 13241300x8000000000000000335821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\BinProductVersion2.39.1.1 13241300x8000000000000000335820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\Publisherthe git development community 13241300x8000000000000000335818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-mailmap.exe 13241300x8000000000000000335817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\BinProductVersion2.39.1.1 13241300x8000000000000000335816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\Publisherthe git development community 13241300x8000000000000000335814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ignore.exe 13241300x8000000000000000335813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\BinProductVersion2.39.1.1 13241300x8000000000000000335812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\Publisherthe git development community 13241300x8000000000000000335810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-attr.exe 13241300x8000000000000000335809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\BinProductVersion2.39.1.1 13241300x8000000000000000335808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\Publisherthe git development community 13241300x8000000000000000335806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cat-file.exe 13241300x8000000000000000335805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\BinProductVersion2.39.1.1 13241300x8000000000000000335804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.615{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\Publisherthe git development community 13241300x8000000000000000335802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bundle.exe 13241300x8000000000000000335801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\BinProductVersion2.39.1.1 13241300x8000000000000000335800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\Publisherthe git development community 13241300x8000000000000000335798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bugreport.exe 13241300x8000000000000000335797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\BinProductVersion2.39.1.1 13241300x8000000000000000335796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\Publisherthe git development community 13241300x8000000000000000335794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-branch.exe 13241300x8000000000000000335793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\BinProductVersion2.39.1.1 13241300x8000000000000000335792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\Publisherthe git development community 13241300x8000000000000000335790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-blame.exe 13241300x8000000000000000335789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\BinProductVersion2.39.1.1 13241300x8000000000000000335788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\Publisherthe git development community 13241300x8000000000000000335786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bisect--helper.exe 13241300x8000000000000000335785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\BinProductVersion2.39.1.1 13241300x8000000000000000335784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\Publisherthe git development community 13241300x8000000000000000335782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LowerCaseLongPathc:\program files\git\git-bash.exe 13241300x8000000000000000335781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\BinProductVersion(Empty) 13241300x8000000000000000335780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LinkDate11/29/2022 16:06:30 13241300x8000000000000000335779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\Publisher(Empty) 13241300x8000000000000000335778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askyesno.exe 13241300x8000000000000000335777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\BinProductVersion(Empty) 13241300x8000000000000000335776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\LinkDate11/29/2022 16:06:30 13241300x8000000000000000335775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\Publisher(Empty) 13241300x8000000000000000335774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askpass.exe 13241300x8000000000000000335773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\BinProductVersion2.39.1.1 13241300x8000000000000000335772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\Publisherthe git development community 13241300x8000000000000000335770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-archive.exe 13241300x8000000000000000335769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\BinProductVersion2.39.1.1 13241300x8000000000000000335768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\Publisherthe git development community 13241300x8000000000000000335766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-apply.exe 13241300x8000000000000000335765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\BinProductVersion2.39.1.1 13241300x8000000000000000335764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\Publisherthe git development community 13241300x8000000000000000335762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-annotate.exe 13241300x8000000000000000335761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\BinProductVersion2.39.1.1 13241300x8000000000000000335760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LinkDate01/12/2023 16:42:50 13241300x8000000000000000335759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.600{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\Publisherthe git development community 23542300x8000000000000000448548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:26.498{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1652614765E1D00CE8A0C09C8F4CC7,SHA256=19E1A6C2A708ED165562715F42101276B6E152F5905C93AD268E85F1EA7DD242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:22.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000337660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\Publishermicrosoft corporation 13241300x8000000000000000337659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoicons.exe 13241300x8000000000000000337658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\BinProductVersion16.0.15601.20286 13241300x8000000000000000337657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\LinkDate11/02/2022 10:23:34 13241300x8000000000000000337656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\Publishermicrosoft corporation 13241300x8000000000000000337655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoia.exe 13241300x8000000000000000337654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\BinProductVersion16.0.15601.20044 13241300x8000000000000000337653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\LinkDate08/10/2022 14:18:29 13241300x8000000000000000337652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\Publishermicrosoft corporation 13241300x8000000000000000337651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\msohtmed.exe 13241300x8000000000000000337650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\BinProductVersion16.0.15601.20044 13241300x8000000000000000337649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\LinkDate08/10/2022 14:30:40 13241300x8000000000000000337648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\Publishermicrosoft corporation 13241300x8000000000000000337647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\LowerCaseLongPathc:\program files\microsoft office\root\office16\msohtmed.exe 13241300x8000000000000000337646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\BinProductVersion16.0.15601.20456 13241300x8000000000000000337645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\LinkDate12/30/2022 08:43:58 13241300x8000000000000000337644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\Publishermicrosoft corporation 13241300x8000000000000000337643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoev.exe 13241300x8000000000000000337642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\BinProductVersion16.0.15601.20038 13241300x8000000000000000337641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\LinkDate08/06/2022 23:39:39 13241300x8000000000000000337640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\Publishermicrosoft corporation 13241300x8000000000000000337639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoasb.exe 13241300x8000000000000000337638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\BinProductVersion16.0.15601.20456 13241300x8000000000000000337637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\LinkDate12/30/2022 08:45:56 13241300x8000000000000000337636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\Publishermicrosoft corporation 13241300x8000000000000000337635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoadfsb.exe 13241300x8000000000000000337634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\BinProductVersion16.0.15601.20456 13241300x8000000000000000337633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\LinkDate12/30/2022 08:46:37 13241300x8000000000000000337632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\Publishermicrosoft corporation 13241300x8000000000000000337631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\LowerCaseLongPathc:\program files\microsoft office\root\office16\msaccess.exe 13241300x8000000000000000337630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\BinProductVersion16.0.15601.20038 13241300x8000000000000000337629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\LinkDate08/06/2022 22:32:53 13241300x8000000000000000337628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\Publishermicrosoft corporation 13241300x8000000000000000337627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\LowerCaseLongPathc:\program files\microsoft office\root\office16\mlcfg32.cpl 13241300x8000000000000000337626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\BinProductVersion16.0.15601.20404 13241300x8000000000000000337625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\LinkDate12/10/2022 05:33:56 13241300x8000000000000000337624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\Publishermicrosoft corporation 13241300x8000000000000000337623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-0c0a-1000-0000000ff1ce}\misc.exe 13241300x8000000000000000337622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\BinProductVersion16.0.15601.20404 13241300x8000000000000000337621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\LinkDate12/10/2022 05:33:56 13241300x8000000000000000337620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\Publishermicrosoft corporation 13241300x8000000000000000337619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-006e-0409-1000-0000000ff1ce}\misc.exe 13241300x8000000000000000337618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\BinProductVersion16.0.15601.20404 13241300x8000000000000000337617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\LinkDate12/10/2022 05:33:56 13241300x8000000000000000337616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\Publishermicrosoft corporation 13241300x8000000000000000337615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-040c-1000-0000000ff1ce}\misc.exe 13241300x8000000000000000337614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\BinProductVersion16.0.15601.20404 13241300x8000000000000000337613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\LinkDate12/10/2022 05:33:56 13241300x8000000000000000337612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\Publishermicrosoft corporation 13241300x8000000000000000337611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-0409-1000-0000000ff1ce}\misc.exe 13241300x8000000000000000337610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\BinProductVersion16.0.15128.20004 13241300x8000000000000000337609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\LinkDate03/29/2022 23:49:42 13241300x8000000000000000337608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\Publishermicrosoft corporation 13241300x8000000000000000337607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\LowerCaseLongPathc:\program files\microsoft office\root\office16\misc.exe 13241300x8000000000000000337606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\BinProductVersion16.0.15601.20404 13241300x8000000000000000337605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\LinkDate12/10/2022 05:33:56 13241300x8000000000000000337604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\Publishermicrosoft corporation 13241300x8000000000000000337603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\misc.exe 13241300x8000000000000000337602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\BinProductVersion0.0.0.0 13241300x8000000000000000337601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\LinkDate08/25/2022 08:55:29 13241300x8000000000000000337600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\Publishermicrosoft corporation 13241300x8000000000000000337599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.netfx45.exe 13241300x8000000000000000337598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\BinProductVersion0.0.0.0 13241300x8000000000000000337597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\LinkDate08/25/2022 08:55:29 13241300x8000000000000000337596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\Publishermicrosoft corporation 13241300x8000000000000000337595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.netfx40.exe 13241300x8000000000000000337594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\BinProductVersion0.0.0.0 13241300x8000000000000000337593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\LinkDate08/25/2022 08:55:29 13241300x8000000000000000337592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\Publishermicrosoft corporation 13241300x8000000000000000337591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.exe 13241300x8000000000000000337590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\BinProductVersion2.108.986.0 13241300x8000000000000000337589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\LinkDate08/25/2022 08:51:03 13241300x8000000000000000337588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\Publishermicrosoft corporation 13241300x8000000000000000337587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.loader.exe 13241300x8000000000000000337586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\BinProductVersion16.0.15601.20404 13241300x8000000000000000337585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\LinkDate12/10/2022 05:34:03 13241300x8000000000000000337584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\Publishermicrosoft corporation 13241300x8000000000000000337583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\lyncicon.exe 13241300x8000000000000000337582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\BinProductVersion16.0.15601.20456 13241300x8000000000000000337581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\LinkDate12/30/2022 08:46:26 13241300x8000000000000000337580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\Publishermicrosoft corporation 13241300x8000000000000000337579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\LowerCaseLongPathc:\program files\microsoft office\root\office16\lynchtmlconv.exe 13241300x8000000000000000337578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\BinProductVersion16.0.15601.20456 13241300x8000000000000000337577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\LinkDate12/30/2022 08:49:37 13241300x8000000000000000337576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\Publishermicrosoft corporation 13241300x8000000000000000337575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\LowerCaseLongPathc:\program files\microsoft office\root\office16\lync99.exe 13241300x8000000000000000337574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\BinProductVersion16.0.15601.20456 13241300x8000000000000000337573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\LinkDate12/30/2022 08:44:48 13241300x8000000000000000337572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\Publishermicrosoft corporation 13241300x8000000000000000337571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\LowerCaseLongPathc:\program files\microsoft office\root\office16\lync.exe 13241300x8000000000000000337570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\BinProductVersion16.0.15601.20446 13241300x8000000000000000337569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\LinkDate12/23/2022 09:56:47 13241300x8000000000000000337568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\Publishermicrosoft corporation 13241300x8000000000000000337567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\joticon.exe 13241300x8000000000000000337566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\BinProductVersion16.0.15601.20286 13241300x8000000000000000337565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LinkDate11/02/2022 10:11:23 13241300x8000000000000000337564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\Publishermicrosoft corporation 13241300x8000000000000000337563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LowerCaseLongPathc:\program files\microsoft office\root\integration\integrator.exe 13241300x8000000000000000337562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\BinProductVersion16.0.15601.20456 13241300x8000000000000000337561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\LinkDate12/30/2022 08:44:08 13241300x8000000000000000337560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\Publishermicrosoft corporation 13241300x8000000000000000337559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\LowerCaseLongPathc:\program files\microsoft office\root\office16\iecontentservice.exe 13241300x8000000000000000337558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\BinProductVersion16.0.15601.20404 13241300x8000000000000000337557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\LinkDate12/10/2022 05:34:03 13241300x8000000000000000337556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\Publishermicrosoft corporation 13241300x8000000000000000337555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\grv_icons.exe 13241300x8000000000000000337554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\BinProductVersion16.0.15601.20456 13241300x8000000000000000337553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\LinkDate12/30/2022 08:50:59 13241300x8000000000000000337552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\Publishermicrosoft corporation 13241300x8000000000000000337551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\LowerCaseLongPathc:\program files\microsoft office\root\office16\graph.exe 13241300x8000000000000000337550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\BinProductVersion16.0.15601.20038 13241300x8000000000000000337549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\LinkDate08/06/2022 23:28:43 13241300x8000000000000000337548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\Publishermicrosoft corporation 13241300x8000000000000000337547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe 13241300x8000000000000000337546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\BinProductVersion16.0.14931.20008 13241300x8000000000000000337545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\LinkDate02/01/2022 17:27:11 13241300x8000000000000000337544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\Publishermicrosoft corporation 13241300x8000000000000000337543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\filecompare.exe 13241300x8000000000000000337542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\BinProductVersion16.0.15601.20456 13241300x8000000000000000337541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\LinkDate12/30/2022 08:49:34 13241300x8000000000000000337540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\Publishermicrosoft corporation 13241300x8000000000000000337539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\LowerCaseLongPathc:\program files\microsoft office\root\office16\excelcnv.exe 13241300x8000000000000000337538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\BinProductVersion16.0.15601.20456 13241300x8000000000000000337537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\LinkDate12/30/2022 08:57:24 13241300x8000000000000000337536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\Publishermicrosoft corporation 13241300x8000000000000000337535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\LowerCaseLongPathc:\program files\microsoft office\root\office16\excel.exe 13241300x8000000000000000337534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\BinProductVersion16.0.14931.20008 13241300x8000000000000000337533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\LinkDate02/01/2022 17:53:00 13241300x8000000000000000337532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\Publishermicrosoft corporation 13241300x8000000000000000337531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\dw20.exe 13241300x8000000000000000337530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\BinProductVersion16.0.15601.20446 13241300x8000000000000000337529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\LinkDate12/23/2022 09:57:35 13241300x8000000000000000337528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\Publishermicrosoft corporation 13241300x8000000000000000337527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\dbcicons.exe 13241300x8000000000000000337526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\BinProductVersion16.0.15028.20050 13241300x8000000000000000337525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\LinkDate05/30/2053 02:15:44 13241300x8000000000000000337524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\Publishermicrosoft corporation 13241300x8000000000000000337523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\databasecompare.exe 13241300x8000000000000000337522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\BinProductVersion16.0.15601.20038 13241300x8000000000000000337521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\LinkDate08/06/2022 22:36:40 13241300x8000000000000000337520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\Publishermicrosoft corporation 13241300x8000000000000000337519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.showhelp.exe 13241300x8000000000000000337518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\BinProductVersion16.0.15128.20112 13241300x8000000000000000337517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\LinkDate05/12/2048 17:16:37 13241300x8000000000000000337516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\Publishermicrosoft corporation 13241300x8000000000000000337515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.dbconnection64.exe 13241300x8000000000000000337514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\BinProductVersion16.0.15128.20004 13241300x8000000000000000337513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\LinkDate03/09/2071 02:07:29 13241300x8000000000000000337512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\Publishermicrosoft corporation 13241300x8000000000000000337511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.dbconnection.exe 13241300x8000000000000000337510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\BinProductVersion16.0.15601.20456 13241300x8000000000000000337509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\LinkDate12/30/2022 08:44:25 13241300x8000000000000000337508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\Publishermicrosoft corporation 13241300x8000000000000000337507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\LowerCaseLongPathc:\program files\microsoft office\root\office16\cnfnot32.exe 13241300x8000000000000000337506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\BinProductVersion16.0.15601.20456 13241300x8000000000000000337505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\LinkDate12/30/2022 08:46:28 13241300x8000000000000000337504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\Publishermicrosoft corporation 13241300x8000000000000000337503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\LowerCaseLongPathc:\program files\microsoft office\root\office16\clview.exe 13241300x8000000000000000337502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\BinProductVersion10.0.22000.469 13241300x8000000000000000337501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\LinkDate08/16/2026 16:46:27 13241300x8000000000000000337500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\Publishermicrosoft corporation 13241300x8000000000000000337499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\LowerCaseLongPathc:\program files\microsoft office\root\client\appvlp.exe 13241300x8000000000000000337498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\BinProductVersion10.0.22000.1 13241300x8000000000000000337497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\LinkDate08/03/1994 21:46:11 13241300x8000000000000000337496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\Publishermicrosoft corporation 13241300x8000000000000000337495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\LowerCaseLongPathc:\program files\microsoft office\root\client\appvdllsurrogate32.exe 13241300x8000000000000000337494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|8207ddc3bc40ae21\BinProductVersion10.0.22000.1 13241300x8000000000000000337493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|8207ddc3bc40ae21\LinkDate11/28/1985 04:02:28 13241300x8000000000000000337492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|8207ddc3bc40ae21\Publishermicrosoft corporation 13241300x8000000000000000337491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|8207ddc3bc40ae21\LowerCaseLongPathc:\program files\microsoft office\root\client\appvdllsurrogate.exe 13241300x8000000000000000337490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\BinProductVersion10.0.22000.1 13241300x8000000000000000337489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\LinkDate11/28/1985 04:02:28 13241300x8000000000000000337488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\Publishermicrosoft corporation 13241300x8000000000000000337487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\LowerCaseLongPathc:\program files\microsoft office\root\client\appvdllsurrogate64.exe 13241300x8000000000000000337486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\BinProductVersion16.0.15601.20044 13241300x8000000000000000337485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\LinkDate08/10/2022 14:21:02 13241300x8000000000000000337484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\Publishermicrosoft corporation 13241300x8000000000000000337483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\appsharinghookcontroller.exe 13241300x8000000000000000337482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\BinProductVersion16.0.15601.20044 13241300x8000000000000000337481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\LinkDate08/10/2022 14:33:18 13241300x8000000000000000337480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\Publishermicrosoft corporation 13241300x8000000000000000337479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\LowerCaseLongPathc:\program files\microsoft office\root\office16\appsharinghookcontroller64.exe 13241300x8000000000000000337478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|8fe45895571e761d\BinProductVersion0.9.9.0 13241300x8000000000000000337477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|8fe45895571e761d\LinkDate07/13/2022 11:11:45 13241300x8000000000000000337476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|8fe45895571e761d\Publishermicrosoft corporation 13241300x8000000000000000337475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|8fe45895571e761d\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\aimgr.exe 13241300x8000000000000000337474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|2190ab3308105e87\BinProductVersion0.9.9.0 13241300x8000000000000000337473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|2190ab3308105e87\LinkDate07/13/2022 11:05:13 13241300x8000000000000000337472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|2190ab3308105e87\Publishermicrosoft corporation 13241300x8000000000000000337471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aimgr.exe|2190ab3308105e87\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx86\microsoft shared\office16\aimgr.exe 13241300x8000000000000000337470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|784379c970ebc5e3\BinProductVersion0.9.9.0 13241300x8000000000000000337469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|784379c970ebc5e3\LinkDate07/13/2022 11:05:06 13241300x8000000000000000337468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|784379c970ebc5e3\Publishermicrosoft corporation 13241300x8000000000000000337467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|784379c970ebc5e3\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx86\microsoft shared\office16\ai.exe 13241300x8000000000000000337466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|74eed71c24f48874\BinProductVersion0.9.9.0 13241300x8000000000000000337465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|74eed71c24f48874\LinkDate07/13/2022 11:11:37 13241300x8000000000000000337464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|74eed71c24f48874\Publishermicrosoft corporation 13241300x8000000000000000337463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ai.exe|74eed71c24f48874\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe 13241300x8000000000000000337462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\BinProductVersion16.0.15601.20404 13241300x8000000000000000337461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\LinkDate12/10/2022 05:33:49 13241300x8000000000000000337460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\Publishermicrosoft corporation 13241300x8000000000000000337459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\accicons.exe 13241300x8000000000000000337458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\BinProductVersion16.0.15128.20004 13241300x8000000000000000337457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\LinkDate03/29/2022 23:34:41 13241300x8000000000000000337456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\Publishermicrosoft corporation 13241300x8000000000000000337455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\LowerCaseLongPathc:\program files\microsoft office\root\office16\accicons.exe 13241300x8000000000000000337454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.375{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00001691c1f1d85efa0beb67ff3bb361bfb00000ffff\PublisherMicrosoft Corporation 13241300x8000000000000000337453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\BinProductVersion8.4.8.0 13241300x8000000000000000337452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LinkDate09/25/2021 21:56:47 13241300x8000000000000000337451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\Publisherdon ho don.h@free.fr 13241300x8000000000000000337450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LowerCaseLongPathc:\program files\notepad++\uninstall.exe 13241300x8000000000000000337449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion8.4.8.0 13241300x8000000000000000337448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate12/24/2022 18:42:00 13241300x8000000000000000337447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisherdon ho don.h@free.fr 13241300x8000000000000000337446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPathc:\program files\notepad++\notepad++.exe 13241300x8000000000000000337445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\BinProductVersion5.2.4.0 13241300x8000000000000000337444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.908{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LinkDate09/20/2022 16:52:44 13241300x8000000000000000337443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.893{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\Publisherdon ho don.h@free.fr 13241300x8000000000000000337442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.893{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LowerCaseLongPathc:\program files\notepad++\updater\gup.exe 13241300x8000000000000000337441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.893{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000005f46ab9adae81e72b3c6fdc4c36b720000ffff\PublisherNotepad++ Team 13241300x8000000000000000337440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\BinProductVersion1.0.0.0 13241300x8000000000000000337439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LinkDate07/24/2021 22:21:04 13241300x8000000000000000337438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\Publishermozilla corporation 13241300x8000000000000000337437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\uninstall.exe 13241300x8000000000000000337436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\BinProductVersion109.0.0.8412 13241300x8000000000000000337435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LinkDate01/12/2023 16:35:48 13241300x8000000000000000337434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\Publishermozilla foundation 13241300x8000000000000000337433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 13241300x8000000000000000337432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.879{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00001b5e68ccb8ac80a77578f36ae99de1660000ffff\PublisherMozilla 13241300x8000000000000000337431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\BinProductVersion109.0.0.8412 13241300x8000000000000000337430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LinkDate01/12/2023 16:35:21 13241300x8000000000000000337429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\Publishermozilla foundation 13241300x8000000000000000337428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LowerCaseLongPathc:\program files\mozilla firefox\updater.exe 13241300x8000000000000000337427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\private_browsing|8df236c0e7f5a36b\BinProductVersion109.0.0.0 13241300x8000000000000000337426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\private_browsing|8df236c0e7f5a36b\LinkDate01/12/2023 16:35:07 13241300x8000000000000000337425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\private_browsing|8df236c0e7f5a36b\Publishermozilla corporation 13241300x8000000000000000337424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\private_browsing|8df236c0e7f5a36b\LowerCaseLongPathc:\program files\mozilla firefox\private_browsing.exe 13241300x8000000000000000337423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\BinProductVersion109.0.0.0 13241300x8000000000000000337422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LinkDate01/12/2023 16:57:29 13241300x8000000000000000337421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\Publishermozilla corporation 13241300x8000000000000000337420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LowerCaseLongPathc:\program files\mozilla firefox\plugin-container.exe 13241300x8000000000000000337419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\BinProductVersion109.0.0.8412 13241300x8000000000000000337418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LinkDate01/12/2023 16:35:50 13241300x8000000000000000337417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\Publishermozilla foundation 13241300x8000000000000000337416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LowerCaseLongPathc:\program files\mozilla firefox\pingsender.exe 13241300x8000000000000000337415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\BinProductVersion109.0.0.8412 13241300x8000000000000000337414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LinkDate01/12/2023 16:35:52 13241300x8000000000000000337413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\Publishermozilla foundation 13241300x8000000000000000337412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LowerCaseLongPathc:\program files\mozilla firefox\minidump-analyzer.exe 13241300x8000000000000000337411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\BinProductVersion1.0.0.0 13241300x8000000000000000337410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LinkDate07/24/2021 22:21:04 13241300x8000000000000000337409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\Publishermozilla corporation 13241300x8000000000000000337408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice_installer.exe 13241300x8000000000000000337407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\BinProductVersion109.0.0.8412 13241300x8000000000000000337406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LinkDate01/12/2023 16:35:48 13241300x8000000000000000337405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\Publishermozilla foundation 13241300x8000000000000000337404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice.exe 13241300x8000000000000000337403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\BinProductVersion1.0.0.0 13241300x8000000000000000337402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LinkDate07/24/2021 22:21:04 13241300x8000000000000000337401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\Publishermozilla corporation 13241300x8000000000000000337400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LowerCaseLongPathc:\program files\mozilla firefox\uninstall\helper.exe 13241300x8000000000000000337399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\BinProductVersion109.0.0.0 13241300x8000000000000000337398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LinkDate01/12/2023 16:35:39 13241300x8000000000000000337397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\Publishermozilla corporation 13241300x8000000000000000337396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LowerCaseLongPathc:\program files\mozilla firefox\firefox.exe 13241300x8000000000000000337395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\BinProductVersion109.0.0.8412 13241300x8000000000000000337394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LinkDate01/12/2023 16:44:50 13241300x8000000000000000337393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\Publishermozilla foundation 13241300x8000000000000000337392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LowerCaseLongPathc:\program files\mozilla firefox\default-browser-agent.exe 13241300x8000000000000000337391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\BinProductVersion109.0.0.8412 13241300x8000000000000000337390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LinkDate01/12/2023 16:36:26 13241300x8000000000000000337389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\Publishermozilla foundation 13241300x8000000000000000337388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LowerCaseLongPathc:\program files\mozilla firefox\crashreporter.exe 13241300x8000000000000000337387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.864{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00007f403aab0b5c26affbdbe474f5ea4c240000ffff\PublisherMozilla 23542300x8000000000000000337386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:25.819{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dll.auxMD5=8AA30EF5A6FFA51F166D232C8B76A3CF,SHA256=CF2BEA95501884BCC9E3BE072E7006CE2316CE0C086748105EB2216B8512721C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000337385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\BinProductVersion(Empty) 13241300x8000000000000000337384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LinkDate05/08/2031 18:06:26 13241300x8000000000000000337383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\Publisher(Empty) 13241300x8000000000000000337382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LowerCaseLongPathc:\program files\git\usr\bin\zipinfo.exe 13241300x8000000000000000337381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\BinProductVersion(Empty) 13241300x8000000000000000337380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LinkDate11/15/2022 17:19:09 13241300x8000000000000000337379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\Publisher(Empty) 13241300x8000000000000000337378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LowerCaseLongPathc:\program files\git\usr\bin\yes.exe 13241300x8000000000000000337377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\BinProductVersion(Empty) 13241300x8000000000000000337376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\Publisher(Empty) 13241300x8000000000000000337374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LowerCaseLongPathc:\program files\git\usr\bin\yat2m.exe 13241300x8000000000000000337373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\BinProductVersion5.2.9.0 13241300x8000000000000000337372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LinkDate12/01/2022 09:26:17 13241300x8000000000000000337371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000337370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LowerCaseLongPathc:\program files\git\mingw64\bin\xzdec.exe 13241300x8000000000000000337369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\BinProductVersion5.2.9.0 13241300x8000000000000000337368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LinkDate12/01/2022 09:26:17 13241300x8000000000000000337367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000337366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LowerCaseLongPathc:\program files\git\mingw64\bin\xzcat.exe 13241300x8000000000000000337365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\BinProductVersion5.2.9.0 13241300x8000000000000000337364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LinkDate12/01/2022 09:26:17 13241300x8000000000000000337363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000337362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LowerCaseLongPathc:\program files\git\mingw64\bin\xz.exe 13241300x8000000000000000337361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\BinProductVersion(Empty) 13241300x8000000000000000337360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\Publisher(Empty) 13241300x8000000000000000337358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LowerCaseLongPathc:\program files\git\usr\bin\xxd.exe 13241300x8000000000000000337357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\BinProductVersion(Empty) 13241300x8000000000000000337356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LinkDate11/03/2022 14:16:53 13241300x8000000000000000337355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\Publisher(Empty) 13241300x8000000000000000337354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlwf.exe 13241300x8000000000000000337353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\BinProductVersion(Empty) 13241300x8000000000000000337352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\Publisher(Empty) 13241300x8000000000000000337350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LowerCaseLongPathc:\program files\git\usr\bin\xgettext.exe 13241300x8000000000000000337349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\BinProductVersion(Empty) 13241300x8000000000000000337348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\Publisher(Empty) 13241300x8000000000000000337346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LowerCaseLongPathc:\program files\git\usr\bin\xargs.exe 13241300x8000000000000000337345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\BinProductVersion(Empty) 13241300x8000000000000000337344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\Publisher(Empty) 13241300x8000000000000000337342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-agrep.exe 13241300x8000000000000000337341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\BinProductVersion8.6.2.12 13241300x8000000000000000337340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LinkDate09/24/2022 10:44:56 13241300x8000000000000000337339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\Publisheractivestate corporation 13241300x8000000000000000337338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LowerCaseLongPathc:\program files\git\mingw64\bin\wish86.exe 13241300x8000000000000000337337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\BinProductVersion8.6.2.12 13241300x8000000000000000337336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LinkDate09/24/2022 10:44:56 13241300x8000000000000000337335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\Publisheractivestate corporation 13241300x8000000000000000337334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LowerCaseLongPathc:\program files\git\mingw64\bin\wish.exe 13241300x8000000000000000337333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\BinProductVersion(Empty) 13241300x8000000000000000337332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LinkDate11/03/2022 13:15:48 13241300x8000000000000000337331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\Publisher(Empty) 13241300x8000000000000000337330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LowerCaseLongPathc:\program files\git\mingw64\bin\wintoast.exe 13241300x8000000000000000337329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\BinProductVersion(Empty) 13241300x8000000000000000337328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LinkDate06/19/2025 15:30:53 13241300x8000000000000000337327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\Publisher(Empty) 13241300x8000000000000000337326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LowerCaseLongPathc:\program files\git\usr\bin\winpty.exe 13241300x8000000000000000337325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\BinProductVersion(Empty) 13241300x8000000000000000337324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LinkDate05/08/2031 18:06:26 13241300x8000000000000000337323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\Publisher(Empty) 13241300x8000000000000000337322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LowerCaseLongPathc:\program files\git\usr\bin\winpty-debugserver.exe 13241300x8000000000000000337321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\BinProductVersion(Empty) 13241300x8000000000000000337320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LinkDate05/08/2031 18:06:26 13241300x8000000000000000337319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\Publisher(Empty) 13241300x8000000000000000337318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LowerCaseLongPathc:\program files\git\usr\bin\winpty-agent.exe 13241300x8000000000000000337317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\BinProductVersion(Empty) 13241300x8000000000000000337316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LinkDate11/29/2022 16:06:30 13241300x8000000000000000337315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\Publisher(Empty) 13241300x8000000000000000337314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LowerCaseLongPathc:\program files\git\mingw64\bin\whouses.exe 13241300x8000000000000000337313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\BinProductVersion(Empty) 13241300x8000000000000000337312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LinkDate11/15/2022 17:19:08 13241300x8000000000000000337311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\Publisher(Empty) 13241300x8000000000000000337310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.803{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LowerCaseLongPathc:\program files\git\usr\bin\whoami.exe 13241300x8000000000000000337309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\BinProductVersion(Empty) 13241300x8000000000000000337308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LinkDate11/15/2022 17:19:08 13241300x8000000000000000337307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\Publisher(Empty) 13241300x8000000000000000337306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LowerCaseLongPathc:\program files\git\usr\bin\who.exe 13241300x8000000000000000337305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\BinProductVersion(Empty) 13241300x8000000000000000337304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\Publisher(Empty) 13241300x8000000000000000337302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LowerCaseLongPathc:\program files\git\usr\bin\which.exe 13241300x8000000000000000337301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\BinProductVersion(Empty) 13241300x8000000000000000337300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LinkDate11/15/2022 17:19:08 13241300x8000000000000000337299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\Publisher(Empty) 13241300x8000000000000000337298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LowerCaseLongPathc:\program files\git\usr\bin\wc.exe 13241300x8000000000000000337297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\BinProductVersion(Empty) 13241300x8000000000000000337296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\Publisher(Empty) 13241300x8000000000000000337294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LowerCaseLongPathc:\program files\git\usr\bin\watchgnupg.exe 13241300x8000000000000000337293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\BinProductVersion(Empty) 13241300x8000000000000000337292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\Publisher(Empty) 13241300x8000000000000000337290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LowerCaseLongPathc:\program files\git\usr\bin\vimdiff.exe 13241300x8000000000000000337289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\BinProductVersion(Empty) 13241300x8000000000000000337288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\Publisher(Empty) 13241300x8000000000000000337286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LowerCaseLongPathc:\program files\git\usr\bin\vim.exe 13241300x8000000000000000337285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\BinProductVersion(Empty) 13241300x8000000000000000337284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\Publisher(Empty) 13241300x8000000000000000337282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LowerCaseLongPathc:\program files\git\usr\bin\view.exe 13241300x8000000000000000337281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\BinProductVersion(Empty) 13241300x8000000000000000337280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LinkDate11/15/2022 17:19:07 13241300x8000000000000000337279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\Publisher(Empty) 13241300x8000000000000000337278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LowerCaseLongPathc:\program files\git\usr\bin\vdir.exe 13241300x8000000000000000337277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\BinProductVersion(Empty) 13241300x8000000000000000337276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LinkDate11/15/2022 17:19:07 13241300x8000000000000000337275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\Publisher(Empty) 13241300x8000000000000000337274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LowerCaseLongPathc:\program files\git\usr\bin\users.exe 13241300x8000000000000000337273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\BinProductVersion(Empty) 13241300x8000000000000000337272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\Publisher(Empty) 13241300x8000000000000000337270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LowerCaseLongPathc:\program files\git\usr\lib\gettext\urlget.exe 13241300x8000000000000000337269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\BinProductVersion(Empty) 13241300x8000000000000000337268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LinkDate05/08/2031 18:06:26 13241300x8000000000000000337267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\Publisher(Empty) 13241300x8000000000000000337266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LowerCaseLongPathc:\program files\git\usr\bin\unzipsfx.exe 13241300x8000000000000000337265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\BinProductVersion(Empty) 13241300x8000000000000000337264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LinkDate05/08/2031 18:06:26 13241300x8000000000000000337263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\Publisher(Empty) 13241300x8000000000000000337262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LowerCaseLongPathc:\program files\git\usr\bin\unzip.exe 13241300x8000000000000000337261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\BinProductVersion5.2.9.0 13241300x8000000000000000337260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LinkDate12/01/2022 09:26:17 13241300x8000000000000000337259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000337258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LowerCaseLongPathc:\program files\git\mingw64\bin\unxz.exe 13241300x8000000000000000337257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\BinProductVersion(Empty) 13241300x8000000000000000337256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LinkDate11/15/2022 17:19:07 13241300x8000000000000000337255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\Publisher(Empty) 13241300x8000000000000000337254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LowerCaseLongPathc:\program files\git\usr\bin\unlink.exe 13241300x8000000000000000337253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\BinProductVersion(Empty) 13241300x8000000000000000337252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\Publisher(Empty) 13241300x8000000000000000337250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LowerCaseLongPathc:\program files\git\usr\bin\unix2mac.exe 13241300x8000000000000000337249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\BinProductVersion(Empty) 13241300x8000000000000000337248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\Publisher(Empty) 13241300x8000000000000000337246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LowerCaseLongPathc:\program files\git\usr\bin\unix2dos.exe 13241300x8000000000000000337245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\BinProductVersion(Empty) 13241300x8000000000000000337244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LinkDate11/15/2022 17:19:07 13241300x8000000000000000337243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\Publisher(Empty) 13241300x8000000000000000337242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LowerCaseLongPathc:\program files\git\usr\bin\uniq.exe 13241300x8000000000000000337241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\BinProductVersion2.39.1.1 13241300x8000000000000000337240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LinkDate04/14/2022 16:10:23 13241300x8000000000000000337239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\Publisherthe git development community 13241300x8000000000000000337238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LowerCaseLongPathc:\program files\git\unins000.exe 13241300x8000000000000000337237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\BinProductVersion(Empty) 13241300x8000000000000000337236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LinkDate11/15/2022 17:19:06 13241300x8000000000000000337235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\Publisher(Empty) 13241300x8000000000000000337234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LowerCaseLongPathc:\program files\git\usr\bin\unexpand.exe 13241300x8000000000000000337233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\BinProductVersion(Empty) 13241300x8000000000000000337232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LinkDate11/15/2022 17:19:06 13241300x8000000000000000337231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\Publisher(Empty) 13241300x8000000000000000337230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LowerCaseLongPathc:\program files\git\usr\bin\uname.exe 13241300x8000000000000000337229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\BinProductVersion(Empty) 13241300x8000000000000000337228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LinkDate09/05/2022 20:36:33 13241300x8000000000000000337227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\Publisher(Empty) 13241300x8000000000000000337226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LowerCaseLongPathc:\program files\git\usr\bin\umount.exe 13241300x8000000000000000337225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\BinProductVersion(Empty) 13241300x8000000000000000337224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\Publisher(Empty) 13241300x8000000000000000337222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LowerCaseLongPathc:\program files\git\usr\bin\u2d.exe 13241300x8000000000000000337221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\BinProductVersion(Empty) 13241300x8000000000000000337220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LinkDate09/05/2022 20:36:33 13241300x8000000000000000337219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\Publisher(Empty) 13241300x8000000000000000337218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LowerCaseLongPathc:\program files\git\usr\bin\tzset.exe 13241300x8000000000000000337217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\BinProductVersion(Empty) 13241300x8000000000000000337216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LinkDate11/15/2022 17:19:06 13241300x8000000000000000337215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\Publisher(Empty) 13241300x8000000000000000337214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LowerCaseLongPathc:\program files\git\usr\bin\tty.exe 13241300x8000000000000000337213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\BinProductVersion(Empty) 13241300x8000000000000000337212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LinkDate11/15/2022 17:19:06 13241300x8000000000000000337211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\Publisher(Empty) 13241300x8000000000000000337210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LowerCaseLongPathc:\program files\git\usr\bin\tsort.exe 13241300x8000000000000000337209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\BinProductVersion(Empty) 13241300x8000000000000000337208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\Publisher(Empty) 13241300x8000000000000000337206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LowerCaseLongPathc:\program files\git\usr\bin\tset.exe 13241300x8000000000000000337205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|f023a445426ea5a\BinProductVersion(Empty) 13241300x8000000000000000337204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|f023a445426ea5a\LinkDate08/10/2022 18:54:55 13241300x8000000000000000337203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|f023a445426ea5a\Publisher(Empty) 13241300x8000000000000000337202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|f023a445426ea5a\LowerCaseLongPathc:\program files\git\mingw64\bin\trust.exe 13241300x8000000000000000337201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\BinProductVersion(Empty) 13241300x8000000000000000337200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\Publisher(Empty) 13241300x8000000000000000337198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LowerCaseLongPathc:\program files\git\usr\bin\trust.exe 13241300x8000000000000000337197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\BinProductVersion(Empty) 13241300x8000000000000000337196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LinkDate11/15/2022 17:19:05 13241300x8000000000000000337195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\Publisher(Empty) 13241300x8000000000000000337194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LowerCaseLongPathc:\program files\git\usr\bin\truncate.exe 13241300x8000000000000000337193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\BinProductVersion(Empty) 13241300x8000000000000000337192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LinkDate11/15/2022 17:19:05 13241300x8000000000000000337191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\Publisher(Empty) 13241300x8000000000000000337190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LowerCaseLongPathc:\program files\git\usr\bin\true.exe 13241300x8000000000000000337189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\BinProductVersion(Empty) 13241300x8000000000000000337188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LinkDate11/15/2022 17:19:05 13241300x8000000000000000337187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\Publisher(Empty) 13241300x8000000000000000337186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LowerCaseLongPathc:\program files\git\usr\bin\tr.exe 13241300x8000000000000000337185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\BinProductVersion(Empty) 13241300x8000000000000000337184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\Publisher(Empty) 13241300x8000000000000000337182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LowerCaseLongPathc:\program files\git\usr\bin\tput.exe 13241300x8000000000000000337181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\BinProductVersion(Empty) 13241300x8000000000000000337180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LinkDate11/15/2022 17:19:05 13241300x8000000000000000337179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\Publisher(Empty) 13241300x8000000000000000337178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LowerCaseLongPathc:\program files\git\usr\bin\touch.exe 13241300x8000000000000000337177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\BinProductVersion(Empty) 13241300x8000000000000000337176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\Publisher(Empty) 13241300x8000000000000000337174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LowerCaseLongPathc:\program files\git\usr\bin\toe.exe 13241300x8000000000000000337173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\BinProductVersion(Empty) 13241300x8000000000000000337172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LinkDate11/15/2022 17:19:04 13241300x8000000000000000337171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\Publisher(Empty) 13241300x8000000000000000337170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LowerCaseLongPathc:\program files\git\usr\bin\timeout.exe 13241300x8000000000000000337169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\BinProductVersion(Empty) 13241300x8000000000000000337168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\Publisher(Empty) 13241300x8000000000000000337166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LowerCaseLongPathc:\program files\git\usr\bin\tig.exe 13241300x8000000000000000337165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\BinProductVersion(Empty) 13241300x8000000000000000337164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\Publisher(Empty) 13241300x8000000000000000337162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LowerCaseLongPathc:\program files\git\usr\bin\tic.exe 13241300x8000000000000000337161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\BinProductVersion(Empty) 13241300x8000000000000000337160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LinkDate11/15/2022 17:19:04 13241300x8000000000000000337159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\Publisher(Empty) 13241300x8000000000000000337158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.787{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LowerCaseLongPathc:\program files\git\usr\bin\test.exe 13241300x8000000000000000337157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\BinProductVersion(Empty) 13241300x8000000000000000337156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LinkDate11/15/2022 17:19:04 13241300x8000000000000000337155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\Publisher(Empty) 13241300x8000000000000000337154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LowerCaseLongPathc:\program files\git\usr\bin\tee.exe 13241300x8000000000000000337153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\BinProductVersion8.6.2.12 13241300x8000000000000000337152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LinkDate09/24/2022 10:30:55 13241300x8000000000000000337151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\Publisheractivestate corporation 13241300x8000000000000000337150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh86.exe 13241300x8000000000000000337149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\BinProductVersion8.6.2.12 13241300x8000000000000000337148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LinkDate09/24/2022 10:30:55 13241300x8000000000000000337147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\Publisheractivestate corporation 13241300x8000000000000000337146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh.exe 13241300x8000000000000000337145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\BinProductVersion(Empty) 13241300x8000000000000000337144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\Publisher(Empty) 13241300x8000000000000000337142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LowerCaseLongPathc:\program files\git\usr\bin\tar.exe 13241300x8000000000000000337141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\BinProductVersion(Empty) 13241300x8000000000000000337140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LinkDate11/15/2022 17:19:04 13241300x8000000000000000337139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\Publisher(Empty) 13241300x8000000000000000337138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LowerCaseLongPathc:\program files\git\usr\bin\tail.exe 13241300x8000000000000000337137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\BinProductVersion(Empty) 13241300x8000000000000000337136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LinkDate11/15/2022 17:19:03 13241300x8000000000000000337135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\Publisher(Empty) 13241300x8000000000000000337134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LowerCaseLongPathc:\program files\git\usr\bin\tac.exe 13241300x8000000000000000337133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\BinProductVersion(Empty) 13241300x8000000000000000337132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\Publisher(Empty) 13241300x8000000000000000337130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LowerCaseLongPathc:\program files\git\usr\bin\tabs.exe 13241300x8000000000000000337129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\BinProductVersion(Empty) 13241300x8000000000000000337128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LinkDate11/15/2022 17:19:03 13241300x8000000000000000337127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\Publisher(Empty) 13241300x8000000000000000337126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LowerCaseLongPathc:\program files\git\usr\bin\sync.exe 13241300x8000000000000000337125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\BinProductVersion(Empty) 13241300x8000000000000000337124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LinkDate11/15/2022 17:19:03 13241300x8000000000000000337123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\Publisher(Empty) 13241300x8000000000000000337122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LowerCaseLongPathc:\program files\git\usr\bin\sum.exe 13241300x8000000000000000337121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\BinProductVersion(Empty) 13241300x8000000000000000337120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LinkDate11/15/2022 17:19:02 13241300x8000000000000000337119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\Publisher(Empty) 13241300x8000000000000000337118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LowerCaseLongPathc:\program files\git\usr\bin\stty.exe 13241300x8000000000000000337117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\BinProductVersion(Empty) 13241300x8000000000000000337116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LinkDate09/05/2022 20:35:40 13241300x8000000000000000337115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\Publisher(Empty) 13241300x8000000000000000337114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LowerCaseLongPathc:\program files\git\usr\bin\strace.exe 13241300x8000000000000000337113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\BinProductVersion(Empty) 13241300x8000000000000000337112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\LinkDate11/15/2022 17:19:02 13241300x8000000000000000337111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\Publisher(Empty) 13241300x8000000000000000337110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\LowerCaseLongPathc:\program files\git\usr\bin\stdbuf.exe 13241300x8000000000000000337109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\BinProductVersion(Empty) 13241300x8000000000000000337108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LinkDate11/15/2022 17:19:02 13241300x8000000000000000337107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\Publisher(Empty) 13241300x8000000000000000337106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LowerCaseLongPathc:\program files\git\usr\bin\stat.exe 13241300x8000000000000000337105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\BinProductVersion(Empty) 13241300x8000000000000000337104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LinkDate09/05/2022 20:36:33 13241300x8000000000000000337103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\Publisher(Empty) 13241300x8000000000000000337102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LowerCaseLongPathc:\program files\git\usr\bin\ssp.exe 13241300x8000000000000000337101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\BinProductVersion(Empty) 13241300x8000000000000000337100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LinkDate11/03/2022 11:52:51 13241300x8000000000000000337099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\Publisher(Empty) 13241300x8000000000000000337098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LowerCaseLongPathc:\program files\git\usr\bin\sshd.exe 13241300x8000000000000000337097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\BinProductVersion(Empty) 13241300x8000000000000000337096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LinkDate11/03/2022 11:52:50 13241300x8000000000000000337095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\Publisher(Empty) 13241300x8000000000000000337094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LowerCaseLongPathc:\program files\git\usr\bin\ssh.exe 13241300x8000000000000000337093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\BinProductVersion(Empty) 13241300x8000000000000000337092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LinkDate11/03/2022 11:52:52 13241300x8000000000000000337091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\Publisher(Empty) 13241300x8000000000000000337090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-sk-helper.exe 13241300x8000000000000000337089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\BinProductVersion(Empty) 13241300x8000000000000000337088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LinkDate11/03/2022 11:52:51 13241300x8000000000000000337087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\Publisher(Empty) 13241300x8000000000000000337086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-pkcs11-helper.exe 13241300x8000000000000000337085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\BinProductVersion(Empty) 13241300x8000000000000000337084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\Publisher(Empty) 13241300x8000000000000000337082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LowerCaseLongPathc:\program files\git\usr\bin\ssh-pageant.exe 13241300x8000000000000000337081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\BinProductVersion(Empty) 13241300x8000000000000000337080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LinkDate11/03/2022 11:52:51 13241300x8000000000000000337079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\Publisher(Empty) 13241300x8000000000000000337078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-keysign.exe 13241300x8000000000000000337077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\BinProductVersion(Empty) 13241300x8000000000000000337076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LinkDate11/03/2022 11:52:50 13241300x8000000000000000337075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\Publisher(Empty) 13241300x8000000000000000337074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keyscan.exe 13241300x8000000000000000337073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\BinProductVersion(Empty) 13241300x8000000000000000337072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LinkDate11/03/2022 11:52:50 13241300x8000000000000000337071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\Publisher(Empty) 13241300x8000000000000000337070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keygen.exe 13241300x8000000000000000337069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\BinProductVersion(Empty) 13241300x8000000000000000337068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LinkDate11/03/2022 11:52:49 13241300x8000000000000000337067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\Publisher(Empty) 13241300x8000000000000000337066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-agent.exe 13241300x8000000000000000337065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\BinProductVersion(Empty) 13241300x8000000000000000337064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LinkDate11/03/2022 11:52:49 13241300x8000000000000000337063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\Publisher(Empty) 13241300x8000000000000000337062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LowerCaseLongPathc:\program files\git\usr\bin\ssh-add.exe 13241300x8000000000000000337061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\BinProductVersion(Empty) 13241300x8000000000000000337060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LinkDate11/15/2022 17:19:01 13241300x8000000000000000337059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\Publisher(Empty) 13241300x8000000000000000337058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.772{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LowerCaseLongPathc:\program files\git\usr\bin\split.exe 13241300x8000000000000000337057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\BinProductVersion(Empty) 13241300x8000000000000000337056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LinkDate11/15/2022 17:19:01 13241300x8000000000000000337055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\Publisher(Empty) 13241300x8000000000000000337054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LowerCaseLongPathc:\program files\git\usr\bin\sort.exe 13241300x8000000000000000337053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\BinProductVersion(Empty) 13241300x8000000000000000337052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LinkDate11/15/2022 17:19:01 13241300x8000000000000000337051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\Publisher(Empty) 13241300x8000000000000000337050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LowerCaseLongPathc:\program files\git\usr\bin\sleep.exe 13241300x8000000000000000337049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\BinProductVersion(Empty) 13241300x8000000000000000337048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LinkDate11/15/2022 17:19:01 13241300x8000000000000000337047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\Publisher(Empty) 13241300x8000000000000000337046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LowerCaseLongPathc:\program files\git\usr\bin\shuf.exe 13241300x8000000000000000337045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\BinProductVersion(Empty) 13241300x8000000000000000337044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LinkDate11/15/2022 17:19:00 13241300x8000000000000000337043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\Publisher(Empty) 13241300x8000000000000000337042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LowerCaseLongPathc:\program files\git\usr\bin\shred.exe 13241300x8000000000000000337041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\BinProductVersion(Empty) 13241300x8000000000000000337040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LinkDate11/15/2022 17:19:00 13241300x8000000000000000337039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\Publisher(Empty) 13241300x8000000000000000337038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LowerCaseLongPathc:\program files\git\usr\bin\sha512sum.exe 13241300x8000000000000000337037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\BinProductVersion(Empty) 13241300x8000000000000000337036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LinkDate11/15/2022 17:19:00 13241300x8000000000000000337035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\Publisher(Empty) 13241300x8000000000000000337034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LowerCaseLongPathc:\program files\git\usr\bin\sha384sum.exe 13241300x8000000000000000337033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\BinProductVersion(Empty) 13241300x8000000000000000337032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LinkDate11/15/2022 17:19:00 13241300x8000000000000000337031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\Publisher(Empty) 13241300x8000000000000000337030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LowerCaseLongPathc:\program files\git\usr\bin\sha256sum.exe 13241300x8000000000000000337029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\BinProductVersion(Empty) 13241300x8000000000000000337028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LinkDate11/15/2022 17:18:59 13241300x8000000000000000337027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\Publisher(Empty) 13241300x8000000000000000337026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LowerCaseLongPathc:\program files\git\usr\bin\sha224sum.exe 13241300x8000000000000000337025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\BinProductVersion(Empty) 13241300x8000000000000000337024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LinkDate11/15/2022 17:18:59 13241300x8000000000000000337023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\Publisher(Empty) 13241300x8000000000000000337022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LowerCaseLongPathc:\program files\git\usr\bin\sha1sum.exe 13241300x8000000000000000337021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\BinProductVersion2.39.1.1 13241300x8000000000000000337020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LinkDate01/12/2023 16:42:50 13241300x8000000000000000337019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\Publisherthe git development community 13241300x8000000000000000337018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LowerCaseLongPathc:\program files\git\bin\sh.exe 13241300x8000000000000000337017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\BinProductVersion(Empty) 13241300x8000000000000000337016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LinkDate11/24/2022 23:19:19 13241300x8000000000000000337015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\Publisher(Empty) 13241300x8000000000000000337014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LowerCaseLongPathc:\program files\git\usr\bin\sh.exe 13241300x8000000000000000337013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\BinProductVersion(Empty) 13241300x8000000000000000337012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LinkDate11/03/2022 11:52:49 13241300x8000000000000000337011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\Publisher(Empty) 13241300x8000000000000000337010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LowerCaseLongPathc:\program files\git\usr\bin\sftp.exe 13241300x8000000000000000337009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\BinProductVersion(Empty) 13241300x8000000000000000337008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LinkDate11/03/2022 11:52:51 13241300x8000000000000000337007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\Publisher(Empty) 13241300x8000000000000000337006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LowerCaseLongPathc:\program files\git\usr\lib\ssh\sftp-server.exe 13241300x8000000000000000337005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\BinProductVersion(Empty) 13241300x8000000000000000337004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LinkDate01/01/1970 00:00:00 13241300x8000000000000000337003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\Publisher(Empty) 13241300x8000000000000000337002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LowerCaseLongPathc:\program files\git\mingw64\bin\sexp-conv.exe 13241300x8000000000000000337001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\BinProductVersion(Empty) 13241300x8000000000000000337000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\Publisher(Empty) 13241300x8000000000000000336998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LowerCaseLongPathc:\program files\git\usr\bin\sexp-conv.exe 13241300x8000000000000000336997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\BinProductVersion(Empty) 13241300x8000000000000000336996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LinkDate09/05/2022 20:36:33 13241300x8000000000000000336995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\Publisher(Empty) 13241300x8000000000000000336994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LowerCaseLongPathc:\program files\git\usr\bin\setmetamode.exe 13241300x8000000000000000336993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\BinProductVersion(Empty) 13241300x8000000000000000336992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LinkDate09/05/2022 20:36:32 13241300x8000000000000000336991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\Publisher(Empty) 13241300x8000000000000000336990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LowerCaseLongPathc:\program files\git\usr\bin\setfacl.exe 13241300x8000000000000000336989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\BinProductVersion(Empty) 13241300x8000000000000000336988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LinkDate11/15/2022 17:18:59 13241300x8000000000000000336987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\Publisher(Empty) 13241300x8000000000000000336986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LowerCaseLongPathc:\program files\git\usr\bin\seq.exe 13241300x8000000000000000336985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\BinProductVersion(Empty) 13241300x8000000000000000336984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LinkDate11/19/2022 12:49:27 13241300x8000000000000000336983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\Publisher(Empty) 13241300x8000000000000000336982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LowerCaseLongPathc:\program files\git\usr\bin\sed.exe 13241300x8000000000000000336981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\BinProductVersion(Empty) 13241300x8000000000000000336980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LinkDate11/13/2022 11:50:45 13241300x8000000000000000336979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\Publisher(Empty) 13241300x8000000000000000336978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LowerCaseLongPathc:\program files\git\usr\bin\sdiff.exe 13241300x8000000000000000336977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\BinProductVersion(Empty) 13241300x8000000000000000336976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LinkDate11/03/2022 11:52:49 13241300x8000000000000000336975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\Publisher(Empty) 13241300x8000000000000000336974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LowerCaseLongPathc:\program files\git\usr\bin\scp.exe 13241300x8000000000000000336973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\BinProductVersion(Empty) 13241300x8000000000000000336972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\Publisher(Empty) 13241300x8000000000000000336970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\scdaemon.exe 13241300x8000000000000000336969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\BinProductVersion(Empty) 13241300x8000000000000000336968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\Publisher(Empty) 13241300x8000000000000000336966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LowerCaseLongPathc:\program files\git\usr\bin\rvim.exe 13241300x8000000000000000336965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\BinProductVersion(Empty) 13241300x8000000000000000336964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\Publisher(Empty) 13241300x8000000000000000336962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LowerCaseLongPathc:\program files\git\usr\bin\rview.exe 13241300x8000000000000000336961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\BinProductVersion(Empty) 13241300x8000000000000000336960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LinkDate11/15/2022 17:18:59 13241300x8000000000000000336959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\Publisher(Empty) 13241300x8000000000000000336958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LowerCaseLongPathc:\program files\git\usr\bin\runcon.exe 13241300x8000000000000000336957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\BinProductVersion(Empty) 13241300x8000000000000000336956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LinkDate12/19/2022 21:25:14 13241300x8000000000000000336955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\Publisher(Empty) 13241300x8000000000000000336954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LowerCaseLongPathc:\program files\git\usr\bin\rnano.exe 13241300x8000000000000000336953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\BinProductVersion(Empty) 13241300x8000000000000000336952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\Publisher(Empty) 13241300x8000000000000000336950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LowerCaseLongPathc:\program files\git\usr\lib\tar\rmt.exe 13241300x8000000000000000336949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\BinProductVersion(Empty) 13241300x8000000000000000336948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LinkDate11/15/2022 17:18:58 13241300x8000000000000000336947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\Publisher(Empty) 13241300x8000000000000000336946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LowerCaseLongPathc:\program files\git\usr\bin\rmdir.exe 13241300x8000000000000000336945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\BinProductVersion(Empty) 13241300x8000000000000000336944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LinkDate11/15/2022 17:18:58 13241300x8000000000000000336943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\Publisher(Empty) 13241300x8000000000000000336942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LowerCaseLongPathc:\program files\git\usr\bin\rm.exe 13241300x8000000000000000336941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\BinProductVersion(Empty) 13241300x8000000000000000336940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\Publisher(Empty) 13241300x8000000000000000336938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LowerCaseLongPathc:\program files\git\usr\bin\reset.exe 13241300x8000000000000000336937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\BinProductVersion(Empty) 13241300x8000000000000000336936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LinkDate09/05/2022 20:36:32 13241300x8000000000000000336935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\Publisher(Empty) 13241300x8000000000000000336934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LowerCaseLongPathc:\program files\git\usr\bin\regtool.exe 13241300x8000000000000000336933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\BinProductVersion(Empty) 13241300x8000000000000000336932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\Publisher(Empty) 13241300x8000000000000000336930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LowerCaseLongPathc:\program files\git\usr\bin\recode-sr-latin.exe 13241300x8000000000000000336929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\BinProductVersion(Empty) 13241300x8000000000000000336928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\Publisher(Empty) 13241300x8000000000000000336926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LowerCaseLongPathc:\program files\git\usr\bin\rebase.exe 13241300x8000000000000000336925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\BinProductVersion(Empty) 13241300x8000000000000000336924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LinkDate11/15/2022 17:18:58 13241300x8000000000000000336923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\Publisher(Empty) 13241300x8000000000000000336922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LowerCaseLongPathc:\program files\git\usr\bin\realpath.exe 13241300x8000000000000000336921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\BinProductVersion(Empty) 13241300x8000000000000000336920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.756{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LinkDate11/15/2022 17:18:57 13241300x8000000000000000336919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\Publisher(Empty) 13241300x8000000000000000336918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LowerCaseLongPathc:\program files\git\usr\bin\readlink.exe 13241300x8000000000000000336917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\BinProductVersion(Empty) 13241300x8000000000000000336916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LinkDate11/15/2022 17:18:57 13241300x8000000000000000336915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\Publisher(Empty) 13241300x8000000000000000336914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LowerCaseLongPathc:\program files\git\usr\bin\pwd.exe 13241300x8000000000000000336913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\BinProductVersion(Empty) 13241300x8000000000000000336912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\Publisher(Empty) 13241300x8000000000000000336910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LowerCaseLongPathc:\program files\git\usr\lib\awk\pwcat.exe 13241300x8000000000000000336909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\BinProductVersion(Empty) 13241300x8000000000000000336908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LinkDate11/15/2022 17:18:57 13241300x8000000000000000336907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\Publisher(Empty) 13241300x8000000000000000336906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LowerCaseLongPathc:\program files\git\usr\bin\ptx.exe 13241300x8000000000000000336905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\BinProductVersion(Empty) 13241300x8000000000000000336904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LinkDate11/13/2022 15:21:23 13241300x8000000000000000336903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\Publisher(Empty) 13241300x8000000000000000336902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LowerCaseLongPathc:\program files\git\usr\bin\psl.exe 13241300x8000000000000000336901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\BinProductVersion(Empty) 13241300x8000000000000000336900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LinkDate09/05/2022 20:36:28 13241300x8000000000000000336899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\Publisher(Empty) 13241300x8000000000000000336898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LowerCaseLongPathc:\program files\git\usr\bin\ps.exe 13241300x8000000000000000336897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\BinProductVersion(Empty) 13241300x8000000000000000336896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LinkDate11/29/2022 16:06:30 13241300x8000000000000000336895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\Publisher(Empty) 13241300x8000000000000000336894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LowerCaseLongPathc:\program files\git\mingw64\bin\proxy-lookup.exe 13241300x8000000000000000336893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\BinProductVersion(Empty) 13241300x8000000000000000336892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\LinkDate09/05/2022 20:36:32 13241300x8000000000000000336891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\Publisher(Empty) 13241300x8000000000000000336890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\LowerCaseLongPathc:\program files\git\usr\bin\profiler.exe 13241300x8000000000000000336889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\BinProductVersion(Empty) 13241300x8000000000000000336888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LinkDate11/15/2022 17:18:57 13241300x8000000000000000336887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\Publisher(Empty) 13241300x8000000000000000336886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LowerCaseLongPathc:\program files\git\usr\bin\printf.exe 13241300x8000000000000000336885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\BinProductVersion(Empty) 13241300x8000000000000000336884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LinkDate11/15/2022 17:18:56 13241300x8000000000000000336883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\Publisher(Empty) 13241300x8000000000000000336882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LowerCaseLongPathc:\program files\git\usr\bin\printenv.exe 13241300x8000000000000000336881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\BinProductVersion(Empty) 13241300x8000000000000000336880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LinkDate11/15/2022 17:18:56 13241300x8000000000000000336879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\Publisher(Empty) 13241300x8000000000000000336878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LowerCaseLongPathc:\program files\git\usr\bin\pr.exe 13241300x8000000000000000336877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\BinProductVersion(Empty) 13241300x8000000000000000336876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\Publisher(Empty) 13241300x8000000000000000336874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LowerCaseLongPathc:\program files\git\usr\bin\pluginviewer.exe 13241300x8000000000000000336873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\BinProductVersion(Empty) 13241300x8000000000000000336872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LinkDate09/05/2022 20:36:31 13241300x8000000000000000336871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\Publisher(Empty) 13241300x8000000000000000336870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LowerCaseLongPathc:\program files\git\usr\bin\pldd.exe 13241300x8000000000000000336869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\BinProductVersion(Empty) 13241300x8000000000000000336868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\Publisher(Empty) 13241300x8000000000000000336866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LowerCaseLongPathc:\program files\git\mingw64\bin\pkcs1-conv.exe 13241300x8000000000000000336865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\BinProductVersion(Empty) 13241300x8000000000000000336864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\Publisher(Empty) 13241300x8000000000000000336862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LowerCaseLongPathc:\program files\git\usr\bin\pkcs1-conv.exe 13241300x8000000000000000336861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\BinProductVersion(Empty) 13241300x8000000000000000336860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LinkDate11/15/2022 17:18:56 13241300x8000000000000000336859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\Publisher(Empty) 13241300x8000000000000000336858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LowerCaseLongPathc:\program files\git\usr\bin\pinky.exe 13241300x8000000000000000336857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\BinProductVersion(Empty) 13241300x8000000000000000336856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\Publisher(Empty) 13241300x8000000000000000336854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LowerCaseLongPathc:\program files\git\usr\bin\pinentry.exe 13241300x8000000000000000336853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\BinProductVersion(Empty) 13241300x8000000000000000336852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\Publisher(Empty) 13241300x8000000000000000336850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LowerCaseLongPathc:\program files\git\usr\bin\pinentry-w32.exe 13241300x8000000000000000336849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl5.36.0.exe|ec636b82bafbca2b\BinProductVersion(Empty) 13241300x8000000000000000336848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl5.36.0.exe|ec636b82bafbca2b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl5.36.0.exe|ec636b82bafbca2b\Publisher(Empty) 13241300x8000000000000000336846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl5.36.0.exe|ec636b82bafbca2b\LowerCaseLongPathc:\program files\git\usr\bin\perl5.36.0.exe 13241300x8000000000000000336845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\BinProductVersion(Empty) 13241300x8000000000000000336844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\Publisher(Empty) 13241300x8000000000000000336842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LowerCaseLongPathc:\program files\git\usr\bin\perl.exe 13241300x8000000000000000336841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\BinProductVersion(Empty) 13241300x8000000000000000336840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\Publisher(Empty) 13241300x8000000000000000336838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LowerCaseLongPathc:\program files\git\mingw64\bin\pdftotext.exe 13241300x8000000000000000336837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\BinProductVersion(Empty) 13241300x8000000000000000336836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LinkDate11/15/2022 17:18:56 13241300x8000000000000000336835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\Publisher(Empty) 13241300x8000000000000000336834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LowerCaseLongPathc:\program files\git\usr\bin\pathchk.exe 13241300x8000000000000000336833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\BinProductVersion(Empty) 13241300x8000000000000000336832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LinkDate11/14/2022 21:26:13 13241300x8000000000000000336831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\Publisher(Empty) 13241300x8000000000000000336830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LowerCaseLongPathc:\program files\git\usr\bin\patch.exe 13241300x8000000000000000336829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\BinProductVersion(Empty) 13241300x8000000000000000336828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LinkDate11/15/2022 17:18:55 13241300x8000000000000000336827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\Publisher(Empty) 13241300x8000000000000000336826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LowerCaseLongPathc:\program files\git\usr\bin\paste.exe 13241300x8000000000000000336825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\BinProductVersion(Empty) 13241300x8000000000000000336824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LinkDate09/05/2022 20:36:31 13241300x8000000000000000336823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\Publisher(Empty) 13241300x8000000000000000336822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LowerCaseLongPathc:\program files\git\usr\bin\passwd.exe 13241300x8000000000000000336821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\BinProductVersion(Empty) 13241300x8000000000000000336820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\Publisher(Empty) 13241300x8000000000000000336818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LowerCaseLongPathc:\program files\git\usr\bin\p11-kit.exe 13241300x8000000000000000336817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|3b750087bc81dbf1\BinProductVersion(Empty) 13241300x8000000000000000336816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|3b750087bc81dbf1\LinkDate08/10/2022 18:54:55 13241300x8000000000000000336815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|3b750087bc81dbf1\Publisher(Empty) 13241300x8000000000000000336814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit.exe|3b750087bc81dbf1\LowerCaseLongPathc:\program files\git\mingw64\bin\p11-kit.exe 13241300x8000000000000000336813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|8dad05e39eda3bda\BinProductVersion(Empty) 13241300x8000000000000000336812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|8dad05e39eda3bda\LinkDate08/10/2022 18:54:55 13241300x8000000000000000336811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|8dad05e39eda3bda\Publisher(Empty) 13241300x8000000000000000336810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|8dad05e39eda3bda\LowerCaseLongPathc:\program files\git\mingw64\libexec\p11-kit\p11-kit-server.exe 13241300x8000000000000000336809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\BinProductVersion(Empty) 13241300x8000000000000000336808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\Publisher(Empty) 13241300x8000000000000000336806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-server.exe 13241300x8000000000000000336805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\BinProductVersion(Empty) 13241300x8000000000000000336804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LinkDate01/01/1970 00:00:00 13241300x8000000000000000336803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\Publisher(Empty) 13241300x8000000000000000336802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-remote.exe 13241300x8000000000000000336801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|368a54e725b4b107\BinProductVersion(Empty) 13241300x8000000000000000336800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|368a54e725b4b107\LinkDate08/10/2022 18:54:55 13241300x8000000000000000336799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|368a54e725b4b107\Publisher(Empty) 13241300x8000000000000000336798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\p11-kit-remote.e|368a54e725b4b107\LowerCaseLongPathc:\program files\git\mingw64\libexec\p11-kit\p11-kit-remote.exe 13241300x8000000000000000336797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\BinProductVersion1.1.1.19 13241300x8000000000000000336796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LinkDate11/02/2022 10:08:58 13241300x8000000000000000336795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\Publisherthe openssl project, https://www.openssl.org/ 13241300x8000000000000000336794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LowerCaseLongPathc:\program files\git\mingw64\bin\openssl.exe 13241300x8000000000000000336793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\BinProductVersion1.1.1.19 13241300x8000000000000000336792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LinkDate11/02/2022 10:13:32 13241300x8000000000000000336791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\Publisherthe openssl project, https://www.openssl.org/ 13241300x8000000000000000336790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LowerCaseLongPathc:\program files\git\usr\bin\openssl.exe 13241300x8000000000000000336789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\BinProductVersion(Empty) 13241300x8000000000000000336788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LinkDate10/29/2022 11:38:06 13241300x8000000000000000336787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\Publisher(Empty) 13241300x8000000000000000336786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LowerCaseLongPathc:\program files\git\mingw64\bin\odt2txt.exe 13241300x8000000000000000336785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\BinProductVersion(Empty) 13241300x8000000000000000336784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LinkDate11/15/2022 17:18:55 13241300x8000000000000000336783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\Publisher(Empty) 13241300x8000000000000000336782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LowerCaseLongPathc:\program files\git\usr\bin\od.exe 13241300x8000000000000000336781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\BinProductVersion(Empty) 13241300x8000000000000000336780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LinkDate11/15/2022 17:18:55 13241300x8000000000000000336779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\Publisher(Empty) 13241300x8000000000000000336778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LowerCaseLongPathc:\program files\git\usr\bin\numfmt.exe 13241300x8000000000000000336777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:25.740{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\BinProductVersion(Empty) 23542300x8000000000000000448549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:27.592{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9142237A676442A6365514001429E6A0,SHA256=F6A005CF707A19D800696F8C4F344E64FCDC58657CD899F834193CC14038D660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.784{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EVDMVTR3CF\System.DirectoryServices.ni.dll.auxMD5=463466C086AE4CB364147189D71737DE,SHA256=F86388926054947476E69DE5CF63B1D6654EF8F72F52F547182B167D54F4C315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EVDMVTR3CF\System.DirectoryServices.ni.dllMD5=A7C1F5A9C297260EAE6137984332B62C,SHA256=76846F40CAE958B044C3A425596B5A374D28E278668F499377D2C5AEA717EA55,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.644{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.644{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.582{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dll.auxMD5=F4A1A9F448D8081CE864ACA2BE6078F0,SHA256=AA8B0EB7C8260304C5F8FEEEFD3711382ABEB7B49BDC2A7836E30B95601C7130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.582{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dllMD5=4D09B7B8869461AE2CE6EF317D352683,SHA256=979C8FB3B516F86588AF859C6985EE6EBF9A829F1E7CCB723908FECD08B6C98D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.566{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESCYIE534Q\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.566{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESCYIE534Q\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.488{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ERBBTO37OP\System.Transactions.ni.dll.auxMD5=41883768C7D7479B1DB43486DB643490,SHA256=1BAEDD2A3F1CF3E8A6609E785516D4FE12A0A385C609C883D2E4C93C7A3CA1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.488{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ERBBTO37OP\System.Transactions.ni.dllMD5=633F934076A97D4532D53B525E93F9C7,SHA256=6E7917F3008778C89D0ADE04E311B5DE8E70E49881A956E4135A1835EF932960,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.441{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EP11F84FAZ\System.Configuration.ni.dll.auxMD5=DA810D6720904049073727FD6BD9FB49,SHA256=2649C749A8B27C31913BCD740C07011190E03D96F939785025B89E59E562809C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.441{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EP11F84FAZ\System.Configuration.ni.dllMD5=07AD02FCFB1B6DF601EA7DB7C48DA6C6,SHA256=AE1EBE8EE75C409CD977C220DA3CE3963F7BEAA1FEA0B6FB0436C96289AF8C3D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000338062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:28.426{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aws-cfn-bootstra|4a2a0f18abe18815\BinProductVersion2.0.21.0 13241300x8000000000000000338061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:28.426{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aws-cfn-bootstra|4a2a0f18abe18815\LinkDate09/17/2019 05:33:38 13241300x8000000000000000338060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:28.426{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aws-cfn-bootstra|4a2a0f18abe18815\Publisheramazon web services 13241300x8000000000000000338059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:28.426{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\aws-cfn-bootstra|4a2a0f18abe18815\LowerCaseLongPathc:\programdata\package cache\{ad4b19a9-986d-47f6-a634-fc67d21e63bc}\aws-cfn-bootstrap-bundle.exe 13241300x8000000000000000338058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:28.410{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000f705aaa46c731a6bc15ad6d69b5cfef50000ffff\PublisherAmazon Web Services 23542300x8000000000000000338057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.410{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93BD5A57869B71787B2F642DA7421C0,SHA256=E8AC1C3B490DDA11D39439022FC06D6FFBA61985E0C9FB2763C8788AFCA7C087,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.410{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5ACAC4C597A8FA105FFE7D3A741A0C79,SHA256=44083D4B7E745D6F8AEB599DD1F2B0DE859CFE4B418C06A95AB6E5988529671C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.410{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=092FC9C56B1DD47D40C4A0CB8E35ACB7,SHA256=DF5230B13A21562E64416C6289B54C5CDBE56893EF68B69DD97B1B0CF31CE2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:28.410{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000338053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\amazonssmagentse|b40e927f0766f7b6\BinProductVersion3.1.1856.0 13241300x8000000000000000338052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\amazonssmagentse|b40e927f0766f7b6\LinkDate05/01/2017 14:33:52 13241300x8000000000000000338051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\amazonssmagentse|b40e927f0766f7b6\Publisheramazon web services 13241300x8000000000000000338050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\amazonssmagentse|b40e927f0766f7b6\LowerCaseLongPathc:\programdata\package cache\{a03aa3d3-9def-49cc-b485-98af979363d5}\amazonssmagentsetup.exe 13241300x8000000000000000338049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000489ad1f8be161d408fbbe58c2deab5c80000ffff\PublisherAmazon Web Services 13241300x8000000000000000338048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:28.347{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00002197a04627267d33f487d4ca7108473200000904\PublisherAmazon Web Services Developer Relations 23542300x8000000000000000338047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:27.763{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFB1D59026C1C0E7D7512F8A37EB34C,SHA256=DAC81944513BAD6D776197571045B1197446277A67316583443688516DA40E11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:27.685{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000338045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.140{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vc_redist.x64.ex|ac6cefdd519516da\BinProductVersion14.29.30139.0 13241300x8000000000000000338044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.140{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vc_redist.x64.ex|ac6cefdd519516da\LinkDate11/18/2017 21:37:28 13241300x8000000000000000338043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.140{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vc_redist.x64.ex|ac6cefdd519516da\Publishermicrosoft corporation 13241300x8000000000000000338042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.140{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vc_redist.x64.ex|ac6cefdd519516da\LowerCaseLongPathc:\programdata\package cache\{2c673fb6-3e65-4751-965d-33d30b68a8a6}\vc_redist.x64.exe 13241300x8000000000000000338041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.140{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000016327ecc2d9540554ae9d78684f942320000ffff\PublisherMicrosoft Corporation 13241300x8000000000000000338040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\BinProductVersion5.1.55.828 13241300x8000000000000000338039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LinkDate07/24/2021 22:41:54 13241300x8000000000000000338038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\Publisher(Empty) 13241300x8000000000000000338037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LowerCaseLongPathc:\program files\npcap\uninstall.exe 13241300x8000000000000000338036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\BinProductVersion5.1.55.828 13241300x8000000000000000338035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LinkDate08/29/2021 00:22:49 13241300x8000000000000000338034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\Publisherinsecure.com llc. 13241300x8000000000000000338033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.106{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LowerCaseLongPathc:\program files\npcap\npfinstall.exe 13241300x8000000000000000338032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.105{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\BinProductVersion5.1.55.828 13241300x8000000000000000338031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.105{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LinkDate08/29/2021 00:22:59 13241300x8000000000000000338030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.105{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\Publisherinsecure.com llc. 13241300x8000000000000000338029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.105{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LowerCaseLongPathc:\program files\npcap\npcap.sys 13241300x8000000000000000338028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.105{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000663de35f4d04146ae36ebf14122b6e9f0000ffff\PublisherNmap Project 354300x8000000000000000338027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:25.358{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51030-false10.0.1.12-8000- 13241300x8000000000000000338026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.097{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000796febf638f09872f9ee8652784218b400000904\PublisherMicrosoft Corporation 13241300x8000000000000000338025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x8000000000000000338024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x8000000000000000338023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x8000000000000000338022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x8000000000000000338021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.1.6 13241300x8000000000000000338020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate02/18/2022 01:28:57 13241300x8000000000000000338019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 13241300x8000000000000000338018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.089{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x8000000000000000338017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x8000000000000000338016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 13241300x8000000000000000338015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\Publisheramazon inc. 13241300x8000000000000000338014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\xennet.sys 13241300x8000000000000000338013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\BinProductVersion8.2.7.5 13241300x8000000000000000338012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LinkDate12/16/2019 19:58:01 13241300x8000000000000000338011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\Publisheramazon inc. 13241300x8000000000000000338010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\xeniface.sys 13241300x8000000000000000338009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\BinProductVersion8.3.0.7 13241300x8000000000000000338008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LinkDate02/12/2021 02:15:56 13241300x8000000000000000338007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\Publisheramazon inc. 13241300x8000000000000000338006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.088{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenfilt.sys 13241300x8000000000000000338005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\BinProductVersion8.4.1.6 13241300x8000000000000000338004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LinkDate02/18/2022 01:28:46 13241300x8000000000000000338003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\Publisheramazon inc. 13241300x8000000000000000338002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xencrsh.sys 13241300x8000000000000000338001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\BinProductVersion8.3.0.7 13241300x8000000000000000338000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LinkDate02/12/2021 02:15:52 13241300x8000000000000000337999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\Publisheramazon inc. 13241300x8000000000000000337998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenbus.sys 13241300x8000000000000000337997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\BinProductVersion8.3.0.7 13241300x8000000000000000337996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LinkDate02/12/2021 02:15:39 13241300x8000000000000000337995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\Publisheramazon inc. 13241300x8000000000000000337994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.087{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xen.sys 13241300x8000000000000000337993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\BinProductVersion8.2.7.5 13241300x8000000000000000337992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LinkDate12/16/2019 19:58:07 13241300x8000000000000000337991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\Publisheramazon inc. 13241300x8000000000000000337990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\liteagent.exe 13241300x8000000000000000337989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\BinProductVersion2.1.0.0 13241300x8000000000000000337988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LinkDate05/23/2009 10:37:17 13241300x8000000000000000337987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\Publishermicrosoft corporation 13241300x8000000000000000337986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\dpinst.exe 13241300x8000000000000000337985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\BinProductVersion2.1.0.0 13241300x8000000000000000337984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LinkDate05/23/2009 10:37:17 13241300x8000000000000000337983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\Publishermicrosoft corporation 13241300x8000000000000000337982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\dpinst.exe 13241300x8000000000000000337981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\BinProductVersion2.1.0.0 13241300x8000000000000000337980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.086{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LinkDate05/23/2009 10:37:17 13241300x8000000000000000337979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\Publishermicrosoft corporation 13241300x8000000000000000337978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\dpinst.exe 13241300x8000000000000000337977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\BinProductVersion2.1.0.0 13241300x8000000000000000337976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LinkDate05/23/2009 10:37:17 13241300x8000000000000000337975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\Publishermicrosoft corporation 13241300x8000000000000000337974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\dpinst.exe 13241300x8000000000000000337973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\BinProductVersion2.1.0.0 13241300x8000000000000000337972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LinkDate05/23/2009 10:37:17 13241300x8000000000000000337971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\Publishermicrosoft corporation 13241300x8000000000000000337970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:27.085{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\dpinst.exe 13241300x8000000000000000337969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:27.084{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000df4f8c3e17bb0724f0203e6fb65399ab00000904\PublisherAmazon Web Services 13241300x8000000000000000337968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\BinProductVersion10.0.60828.0 13241300x8000000000000000337967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\LinkDate12/22/2017 05:08:07 13241300x8000000000000000337966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\Publishermicrosoft corporation 13241300x8000000000000000337965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\LowerCaseLongPathc:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe 13241300x8000000000000000337964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\BinProductVersion10.0.60828.0 13241300x8000000000000000337963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\LinkDate12/22/2017 05:12:25 13241300x8000000000000000337962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\Publishermicrosoft corporation 13241300x8000000000000000337961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\LowerCaseLongPathc:\program files (x86)\common files\microsoft shared\vsto\10.0\vstoinstaller.exe 13241300x8000000000000000337960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.764{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\000028bca733e0c368dbe38c4209a51a637500000000\PublisherMicrosoft Corporation 13241300x8000000000000000337959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.702{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000b51d592f6864d16b5c12f1b8ddf688c400000000\PublisherMicrosoft Corporation 13241300x8000000000000000337958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.702{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000b41147bfe9ad6023f5f0d83a776e725600000904\PublisherMicrosoft Corporation 13241300x8000000000000000337957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.655{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000489ad1f8be161d408fbbe58c2deab5c800000904\PublisherAmazon Web Services 13241300x8000000000000000337956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\BinProductVersion(Empty) 13241300x8000000000000000337955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LinkDate01/14/2022 11:37:50 13241300x8000000000000000337954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\Publisher(Empty) 13241300x8000000000000000337953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\srm.exe 13241300x8000000000000000337952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\BinProductVersion10.0.10011.16384 13241300x8000000000000000337951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LinkDate10/02/2019 17:37:14 13241300x8000000000000000337950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000337949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkmonitornohandledrv.sys 13241300x8000000000000000337948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\BinProductVersion10.0.10011.16384 13241300x8000000000000000337947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LinkDate10/02/2019 17:37:08 13241300x8000000000000000337946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000337945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkdrv.sys 13241300x8000000000000000337944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LinkDate01/17/2022 05:29:26 13241300x8000000000000000337942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\Publishersplunk inc. 13241300x8000000000000000337941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkd.exe 13241300x8000000000000000337940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LinkDate01/17/2022 05:11:21 13241300x8000000000000000337938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\Publishersplunk inc. 13241300x8000000000000000337937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk.exe 13241300x8000000000000000337936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LinkDate01/17/2022 05:26:52 13241300x8000000000000000337934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\Publishersplunk inc. 13241300x8000000000000000337933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-wmi.exe 13241300x8000000000000000337932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LinkDate01/17/2022 05:20:49 13241300x8000000000000000337930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\Publishersplunk inc. 13241300x8000000000000000337929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winprintmon.exe 13241300x8000000000000000337928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LinkDate01/17/2022 05:20:02 13241300x8000000000000000337926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\Publishersplunk inc. 13241300x8000000000000000337925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winhostinfo.exe 13241300x8000000000000000337924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LinkDate01/17/2022 05:21:04 13241300x8000000000000000337922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\Publishersplunk inc. 13241300x8000000000000000337921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winevtlog.exe 13241300x8000000000000000337920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LinkDate01/17/2022 05:19:42 13241300x8000000000000000337918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\Publishersplunk inc. 13241300x8000000000000000337917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe 13241300x8000000000000000337916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\BinProductVersion(Empty) 13241300x8000000000000000337915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LinkDate01/17/2022 05:19:47 13241300x8000000000000000337914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\Publisher(Empty) 13241300x8000000000000000337913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-powershell.exe 13241300x8000000000000000337912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LinkDate01/17/2022 05:19:42 13241300x8000000000000000337910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\Publishersplunk inc. 13241300x8000000000000000337909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-perfmon.exe 13241300x8000000000000000337908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LinkDate01/17/2022 05:20:03 13241300x8000000000000000337906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\Publishersplunk inc. 13241300x8000000000000000337905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-netmon.exe 13241300x8000000000000000337904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\BinProductVersion10.0.10011.16384 13241300x8000000000000000337903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LinkDate01/17/2022 05:20:03 13241300x8000000000000000337902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000337901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-monitornohandle.exe 13241300x8000000000000000337900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LinkDate01/17/2022 05:11:22 13241300x8000000000000000337898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\Publishersplunk inc. 13241300x8000000000000000337897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-compresstool.exe 13241300x8000000000000000337896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LinkDate01/17/2022 05:19:46 13241300x8000000000000000337894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\Publishersplunk inc. 13241300x8000000000000000337893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-admon.exe 13241300x8000000000000000337892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\BinProductVersion10.0.10011.16384 13241300x8000000000000000337891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LinkDate09/27/2019 18:25:44 13241300x8000000000000000337890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000337889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splknetdrv.sys 13241300x8000000000000000337888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\BinProductVersion(Empty) 13241300x8000000000000000337887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LinkDate01/14/2022 10:30:27 13241300x8000000000000000337886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\Publisher(Empty) 13241300x8000000000000000337885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\openssl.exe 13241300x8000000000000000337884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LinkDate01/17/2022 05:11:12 13241300x8000000000000000337882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\Publishersplunk inc. 13241300x8000000000000000337881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\classify.exe 13241300x8000000000000000337880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LinkDate01/17/2022 05:11:00 13241300x8000000000000000337878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\Publishersplunk inc. 13241300x8000000000000000337877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btprobe.exe 13241300x8000000000000000337876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\BinProductVersion2050.1280.25060.64002 13241300x8000000000000000337875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LinkDate01/17/2022 05:10:59 13241300x8000000000000000337874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\Publishersplunk inc. 13241300x8000000000000000337873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btool.exe 13241300x8000000000000000337872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.609{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\00003fa61965e10b70214d70fe482073af3000000904\PublisherSplunk, Inc. 13241300x8000000000000000337871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.531{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000f705aaa46c731a6bc15ad6d69b5cfef500000904\PublisherAmazon Web Services 13241300x8000000000000000337870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\BinProductVersion16.0.15601.20404 13241300x8000000000000000337869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\LinkDate12/10/2022 05:33:54 13241300x8000000000000000337868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\Publishermicrosoft corporation 13241300x8000000000000000337867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\xlicons.exe 13241300x8000000000000000337866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\BinProductVersion16.0.15128.20004 13241300x8000000000000000337865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\LinkDate03/29/2022 23:33:13 13241300x8000000000000000337864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\Publishermicrosoft corporation 13241300x8000000000000000337863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\LowerCaseLongPathc:\program files\microsoft office\root\office16\xlicons.exe 13241300x8000000000000000337862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\BinProductVersion16.0.15128.20004 13241300x8000000000000000337861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\LinkDate03/29/2022 23:24:16 13241300x8000000000000000337860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\Publishermicrosoft corporation 13241300x8000000000000000337859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\LowerCaseLongPathc:\program files\microsoft office\root\office16\wordicon.exe 13241300x8000000000000000337858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\BinProductVersion16.0.15601.20404 13241300x8000000000000000337857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\LinkDate12/10/2022 05:34:01 13241300x8000000000000000337856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\Publishermicrosoft corporation 13241300x8000000000000000337855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\wordicon.exe 13241300x8000000000000000337854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\BinProductVersion16.0.15601.20456 13241300x8000000000000000337853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\LinkDate12/30/2022 08:44:39 13241300x8000000000000000337852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\Publishermicrosoft corporation 13241300x8000000000000000337851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\LowerCaseLongPathc:\program files\microsoft office\root\office16\wordconv.exe 13241300x8000000000000000337850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\BinProductVersion16.0.15601.20456 13241300x8000000000000000337849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\LinkDate12/30/2022 08:44:41 13241300x8000000000000000337848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\Publishermicrosoft corporation 13241300x8000000000000000337847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\LowerCaseLongPathc:\program files\microsoft office\root\office16\winword.exe 13241300x8000000000000000337846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\BinProductVersion16.0.15601.20456 13241300x8000000000000000337845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\LinkDate12/30/2022 08:44:50 13241300x8000000000000000337844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\Publishermicrosoft corporation 13241300x8000000000000000337843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\LowerCaseLongPathc:\program files\microsoft office\root\office16\vpreview.exe 13241300x8000000000000000337842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\BinProductVersion16.0.15601.20446 13241300x8000000000000000337841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\LinkDate12/23/2022 10:17:08 13241300x8000000000000000337840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\Publishermicrosoft corporation 13241300x8000000000000000337839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\visicon.exe 13241300x8000000000000000337838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\BinProductVersion16.0.15601.20456 13241300x8000000000000000337837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\LinkDate12/30/2022 08:46:07 13241300x8000000000000000337836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\Publishermicrosoft corporation 13241300x8000000000000000337835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\LowerCaseLongPathc:\program files\microsoft office\root\office16\ucmapi.exe 13241300x8000000000000000337834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\BinProductVersion16.0.15601.20446 13241300x8000000000000000337833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\LinkDate12/23/2022 09:57:35 13241300x8000000000000000337832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\Publishermicrosoft corporation 13241300x8000000000000000337831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\sscicons.exe 13241300x8000000000000000337830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\BinProductVersion15.0.2000.311 13241300x8000000000000000337829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\LinkDate03/18/2020 21:16:52 13241300x8000000000000000337828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\Publishermicrosoft corporation 13241300x8000000000000000337827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx64\microsoft analysis services\as oledb\140\sqldumper.exe 13241300x8000000000000000337826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\BinProductVersion15.0.2000.311 13241300x8000000000000000337825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\LinkDate03/18/2020 21:17:11 13241300x8000000000000000337824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\Publishermicrosoft corporation 13241300x8000000000000000337823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\sqldumper.exe 13241300x8000000000000000337822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\BinProductVersion16.0.15028.20050 13241300x8000000000000000337821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\LinkDate10/12/2074 05:20:33 13241300x8000000000000000337820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\Publishermicrosoft corporation 13241300x8000000000000000337819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\spreadsheetcompare.exe 13241300x8000000000000000337818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\BinProductVersion16.0.14931.20008 13241300x8000000000000000337817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\LinkDate02/01/2022 20:59:18 13241300x8000000000000000337816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\Publishermicrosoft corporation 13241300x8000000000000000337815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\smart tag\smarttaginstall.exe 13241300x8000000000000000337814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\BinProductVersion16.0.15601.20038 13241300x8000000000000000337813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\LinkDate08/07/2022 00:16:59 13241300x8000000000000000337812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\Publishermicrosoft corporation 13241300x8000000000000000337811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\LowerCaseLongPathc:\program files\microsoft office\root\office16\skypesrv\skypeserver.exe 13241300x8000000000000000337810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\BinProductVersion16.0.15601.20456 13241300x8000000000000000337809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\LinkDate12/30/2022 08:47:54 13241300x8000000000000000337808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\Publishermicrosoft corporation 13241300x8000000000000000337807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\LowerCaseLongPathc:\program files\microsoft office\root\office16\setlang.exe 13241300x8000000000000000337806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\BinProductVersion16.0.15601.20456 13241300x8000000000000000337805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\LinkDate12/30/2022 08:43:21 13241300x8000000000000000337804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\Publishermicrosoft corporation 13241300x8000000000000000337803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\LowerCaseLongPathc:\program files\microsoft office\root\office16\selfcert.exe 13241300x8000000000000000337802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\BinProductVersion16.0.14931.20008 13241300x8000000000000000337801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\LinkDate02/01/2022 13:52:52 13241300x8000000000000000337800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\Publishermicrosoft corporation 13241300x8000000000000000337799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\LowerCaseLongPathc:\program files\microsoft office\root\office16\sdxhelperbgt.exe 13241300x8000000000000000337798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\BinProductVersion16.0.15601.20456 13241300x8000000000000000337797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\LinkDate12/30/2022 08:45:04 13241300x8000000000000000337796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\Publishermicrosoft corporation 13241300x8000000000000000337795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\LowerCaseLongPathc:\program files\microsoft office\root\office16\sdxhelper.exe 13241300x8000000000000000337794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\BinProductVersion16.0.15601.20456 13241300x8000000000000000337793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\LinkDate12/30/2022 08:44:39 13241300x8000000000000000337792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\Publishermicrosoft corporation 13241300x8000000000000000337791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\LowerCaseLongPathc:\program files\microsoft office\root\office16\scanpst.exe 13241300x8000000000000000337790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\BinProductVersion16.0.15601.20446 13241300x8000000000000000337789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\LinkDate12/23/2022 10:25:33 13241300x8000000000000000337788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\Publishermicrosoft corporation 13241300x8000000000000000337787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pubs.exe 13241300x8000000000000000337786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\BinProductVersion16.0.15601.20456 13241300x8000000000000000337785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\LinkDate12/30/2022 08:46:45 13241300x8000000000000000337784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\Publishermicrosoft corporation 13241300x8000000000000000337783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\LowerCaseLongPathc:\program files\microsoft office\root\office16\protocolhandler.exe 13241300x8000000000000000337782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\BinProductVersion16.0.15128.20004 13241300x8000000000000000337781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\LinkDate03/29/2022 23:45:02 13241300x8000000000000000337780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\Publishermicrosoft corporation 13241300x8000000000000000337779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\LowerCaseLongPathc:\program files\microsoft office\root\office16\pptico.exe 13241300x8000000000000000337778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\BinProductVersion16.0.15601.20404 13241300x8000000000000000337777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\LinkDate12/10/2022 05:27:09 13241300x8000000000000000337776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\Publishermicrosoft corporation 13241300x8000000000000000337775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pptico.exe 13241300x8000000000000000337774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\BinProductVersion16.0.15601.20456 13241300x8000000000000000337773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\LinkDate12/30/2022 08:45:34 13241300x8000000000000000337772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\Publishermicrosoft corporation 13241300x8000000000000000337771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\LowerCaseLongPathc:\program files\microsoft office\root\office16\powerpnt.exe 13241300x8000000000000000337770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\BinProductVersion16.0.15601.20446 13241300x8000000000000000337769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\LinkDate12/23/2022 09:56:10 13241300x8000000000000000337768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\Publishermicrosoft corporation 13241300x8000000000000000337767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pj11icon.exe 13241300x8000000000000000337766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\BinProductVersion16.0.15601.20456 13241300x8000000000000000337765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\LinkDate12/30/2022 08:44:34 13241300x8000000000000000337764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\Publishermicrosoft corporation 13241300x8000000000000000337763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\LowerCaseLongPathc:\program files\microsoft office\root\office16\perfboost.exe 13241300x8000000000000000337762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\BinProductVersion16.0.15601.20456 13241300x8000000000000000337761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\LinkDate12/30/2022 08:47:07 13241300x8000000000000000337760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\Publishermicrosoft corporation 13241300x8000000000000000337759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\LowerCaseLongPathc:\program files\microsoft office\root\office16\pdfreflow.exe 13241300x8000000000000000337758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\BinProductVersion16.0.15601.20456 13241300x8000000000000000337757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\LinkDate12/30/2022 09:01:40 13241300x8000000000000000337756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\Publishermicrosoft corporation 13241300x8000000000000000337755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\LowerCaseLongPathc:\program files\microsoft office\root\office16\outlook.exe 13241300x8000000000000000337754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\BinProductVersion16.0.15601.20404 13241300x8000000000000000337753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.406{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\LinkDate12/10/2022 05:33:47 13241300x8000000000000000337752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\Publishermicrosoft corporation 13241300x8000000000000000337751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\outicon.exe 13241300x8000000000000000337750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\BinProductVersion(Empty) 13241300x8000000000000000337749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\LinkDate11/02/2022 10:02:08 13241300x8000000000000000337748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\Publisher(Empty) 13241300x8000000000000000337747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\LowerCaseLongPathc:\program files\microsoft office\office16\ospprearm.exe 13241300x8000000000000000337746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\BinProductVersion16.0.15601.20404 13241300x8000000000000000337745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\LinkDate12/10/2022 05:33:49 13241300x8000000000000000337744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\Publishermicrosoft corporation 13241300x8000000000000000337743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\osmclienticon.exe 13241300x8000000000000000337742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\BinProductVersion16.0.15601.20404 13241300x8000000000000000337741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\LinkDate12/10/2022 05:33:49 13241300x8000000000000000337740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\Publishermicrosoft corporation 13241300x8000000000000000337739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\osmadminicon.exe 13241300x8000000000000000337738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\BinProductVersion16.0.15128.20080 13241300x8000000000000000337737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\LinkDate04/06/2022 16:33:02 13241300x8000000000000000337736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\Publishermicrosoft corporation 13241300x8000000000000000337735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\source engine\ose.exe 13241300x8000000000000000337734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\BinProductVersion16.0.15601.20456 13241300x8000000000000000337733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\LinkDate12/30/2022 08:39:37 13241300x8000000000000000337732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\Publishermicrosoft corporation 13241300x8000000000000000337731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\LowerCaseLongPathc:\program files\microsoft office\root\office16\orgchart.exe 13241300x8000000000000000337730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\operfmon.exe|a403828f515d2a9d\BinProductVersion16.0.15601.20038 13241300x8000000000000000337729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\operfmon.exe|a403828f515d2a9d\LinkDate08/07/2022 00:26:11 13241300x8000000000000000337728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\operfmon.exe|a403828f515d2a9d\Publishermicrosoft corporation 13241300x8000000000000000337727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\operfmon.exe|a403828f515d2a9d\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\operfmon.exe 13241300x8000000000000000337726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\BinProductVersion16.0.15601.20456 13241300x8000000000000000337725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\LinkDate12/30/2022 08:44:21 13241300x8000000000000000337724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\Publishermicrosoft corporation 13241300x8000000000000000337723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\LowerCaseLongPathc:\program files\microsoft office\root\office16\onenotem.exe 13241300x8000000000000000337722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\BinProductVersion16.0.15601.20456 13241300x8000000000000000337721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\LinkDate12/30/2022 08:44:53 13241300x8000000000000000337720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\Publishermicrosoft corporation 13241300x8000000000000000337719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\LowerCaseLongPathc:\program files\microsoft office\root\office16\onenote.exe 13241300x8000000000000000337718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\BinProductVersion22.77.410.7 13241300x8000000000000000337717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LinkDate04/14/1981 15:28:41 13241300x8000000000000000337716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\Publishermicrosoft corporation 13241300x8000000000000000337715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LowerCaseLongPathc:\program files\microsoft office\root\integration\addons\onedrivesetup.exe 13241300x8000000000000000337714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\BinProductVersion16.0.15601.20456 13241300x8000000000000000337713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\LinkDate12/30/2022 08:45:16 13241300x8000000000000000337712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\Publishermicrosoft corporation 13241300x8000000000000000337711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\olicenseheartbeat.exe 13241300x8000000000000000337710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\BinProductVersion16.0.14931.20008 13241300x8000000000000000337709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\LinkDate02/01/2022 13:35:36 13241300x8000000000000000337708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\Publishermicrosoft corporation 13241300x8000000000000000337707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\LowerCaseLongPathc:\program files\microsoft office\root\office16\olcfg.exe 13241300x8000000000000000337706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\BinProductVersion16.0.15601.20450 13241300x8000000000000000337705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\LinkDate12/27/2022 02:56:38 13241300x8000000000000000337704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\Publishermicrosoft corporation 13241300x8000000000000000337703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\ohub32.exe 13241300x8000000000000000337702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrsanbrok|e231fa2bcc3155ac\BinProductVersion16.0.15601.20456 13241300x8000000000000000337701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrsanbrok|e231fa2bcc3155ac\LinkDate12/30/2022 08:42:06 13241300x8000000000000000337700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrsanbrok|e231fa2bcc3155ac\Publishermicrosoft corporation 13241300x8000000000000000337699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrsanbrok|e231fa2bcc3155ac\LowerCaseLongPathc:\program files\microsoft office\root\office16\officescrsanbroker.exe 13241300x8000000000000000337698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrbroker.|e4e7e22c4559bc25\BinProductVersion16.0.15601.20456 13241300x8000000000000000337697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrbroker.|e4e7e22c4559bc25\LinkDate12/30/2022 08:42:02 13241300x8000000000000000337696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrbroker.|e4e7e22c4559bc25\Publishermicrosoft corporation 13241300x8000000000000000337695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officescrbroker.|e4e7e22c4559bc25\LowerCaseLongPathc:\program files\microsoft office\root\office16\officescrbroker.exe 13241300x8000000000000000337694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\BinProductVersion16.0.15601.20456 13241300x8000000000000000337693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\LinkDate12/30/2022 08:44:11 13241300x8000000000000000337692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\Publishermicrosoft corporation 13241300x8000000000000000337691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\LowerCaseLongPathc:\program files\microsoft office\root\office16\officeappguardwin32.exe 13241300x8000000000000000337690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\BinProductVersion16.0.15601.20456 13241300x8000000000000000337689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\LinkDate12/30/2022 08:45:39 13241300x8000000000000000337688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\Publishermicrosoft corporation 13241300x8000000000000000337687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\LowerCaseLongPathc:\program files\microsoft office\root\office16\ocpubmgr.exe 13241300x8000000000000000337686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\BinProductVersion16.0.15601.20456 13241300x8000000000000000337685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\LinkDate12/30/2022 08:45:33 13241300x8000000000000000337684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\Publishermicrosoft corporation 13241300x8000000000000000337683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\LowerCaseLongPathc:\program files\microsoft office\root\office16\namecontrolserver.exe 13241300x8000000000000000337682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\BinProductVersion16.0.15601.20456 13241300x8000000000000000337681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\LinkDate12/30/2022 08:43:23 13241300x8000000000000000337680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\Publishermicrosoft corporation 13241300x8000000000000000337679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\LowerCaseLongPathc:\program files\microsoft office\root\office16\msqry32.exe 13241300x8000000000000000337678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\BinProductVersion16.0.15601.20456 13241300x8000000000000000337677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\LinkDate12/30/2022 08:46:50 13241300x8000000000000000337676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\Publishermicrosoft corporation 13241300x8000000000000000337675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\LowerCaseLongPathc:\program files\microsoft office\root\office16\mspub.exe 13241300x8000000000000000337674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\BinProductVersion16.0.15330.20114 13241300x8000000000000000337673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\LinkDate06/11/2022 02:12:00 13241300x8000000000000000337672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\Publishermicrosoft corporation 13241300x8000000000000000337671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmled.exe 13241300x8000000000000000337670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\BinProductVersion16.0.15601.20456 13241300x8000000000000000337669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\LinkDate12/30/2022 08:44:04 13241300x8000000000000000337668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\Publishermicrosoft corporation 13241300x8000000000000000337667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\LowerCaseLongPathc:\program files\microsoft office\root\office16\msotd.exe 13241300x8000000000000000337666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\BinProductVersion16.0.15601.20456 13241300x8000000000000000337665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\LinkDate12/30/2022 08:51:30 13241300x8000000000000000337664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\Publishermicrosoft corporation 13241300x8000000000000000337663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\LowerCaseLongPathc:\program files\microsoft office\root\office16\msosrec.exe 13241300x8000000000000000337662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\BinProductVersion16.0.15128.20004 13241300x8000000000000000337661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:26.391{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\LinkDate03/29/2022 23:47:06 23542300x8000000000000000448550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:28.678{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAC350FD7AAC94188D6F95904C490DE,SHA256=4438945A9CC1A33BA8B988076A51EC2C7E1958C8F6F54592EC0EBC3C7D5BFC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.547{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.547{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.500{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZLUQYGNRY\Microsoft.PowerShell.Commands.Management.ni.dll.auxMD5=053C44E7298FF822FD253A2B4D8E2CB9,SHA256=66979902B63DF50164C88984A2FFE7EAEAAC6326E026F555908D509D8C6FB3C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.500{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZLUQYGNRY\Microsoft.PowerShell.Commands.Management.ni.dllMD5=174660B59DBD564D494EEC6EEF69B035,SHA256=80EDDCEFE4C0D3A28D448378DBCA2606081DA3E45F2619B94B117C9A8E514554,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.391{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dll.auxMD5=CE451180C26759B1028E3A902C17F85E,SHA256=5AC69F8930094C256A2A4CA5A979682EABBA3BC3AB7DD7F8C2844ED726B91AD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.376{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dllMD5=BD60B125B9BEF727540A7D61965BAA66,SHA256=A7053DEFC3CF04D3182513BA4E94DA8400513083D146E6FBC67B3E6A213B7137,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.219{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dll.auxMD5=9D050BEFC0EDCA0AC4ABF20376FA0FE5,SHA256=DA8CA881AB535F16D75059E1A0BD90FC8602D4549C17EBBED9870D7CFF6B6CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:29.219{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dllMD5=2041735ACCF4A0D44DDE0F13495434C0,SHA256=E12DF0280703B65BC806F70DC05590E33A48732C852ACF4D8A738F9D625218A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 13241300x8000000000000000338083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\BinProductVersion22.77.410.7 13241300x8000000000000000338082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LinkDate04/14/1981 15:28:41 13241300x8000000000000000338081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\Publishermicrosoft corporation 13241300x8000000000000000338080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LowerCaseLongPathc:\program files\microsoft office\root\integration\addons\onedrivesetup.exe 13241300x8000000000000000338079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\BinProductVersion16.0.15601.20286 13241300x8000000000000000338078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LinkDate11/02/2022 10:11:23 13241300x8000000000000000338077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\Publishermicrosoft corporation 13241300x8000000000000000338076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LowerCaseLongPathc:\program files\microsoft office\root\integration\integrator.exe 13241300x8000000000000000338075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:26:29.174{72106695-B4CD-63D3-1104-00000000BD02}4412C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{77aa36e5-de46-b935-359e-afed42ecc0d4}\Root\InventoryApplication\0000b51d592f6864d16b5c12f1b8ddf688c400000000\PublisherMicrosoft Corporation 23542300x8000000000000000448551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:29.896{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C15FAED6CB9775D09B61B8AFBEB4A7F,SHA256=40B971AC29274A5CA3D44B022BD2EADAD077813D1217EE6146E147E6B0FF12D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.693{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FABK614OQL\System.Configuration.ni.dll.auxMD5=DA810D6720904049073727FD6BD9FB49,SHA256=2649C749A8B27C31913BCD740C07011190E03D96F939785025B89E59E562809C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.677{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FABK614OQL\System.Configuration.ni.dllMD5=07AD02FCFB1B6DF601EA7DB7C48DA6C6,SHA256=AE1EBE8EE75C409CD977C220DA3CE3963F7BEAA1FEA0B6FB0436C96289AF8C3D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.614{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dll.auxMD5=5B314DACE0CD48E791031B93EFEBB413,SHA256=5D2290D3508F6D1F4FE644AAC53333AFFB5F08F3EDBECFF6B39B3A4AFAB3B6C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.614{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dllMD5=CFEAD2F9FBBBC856CC066EDF87EACCD6,SHA256=C7594D5B6C3886ABC31EA390BDEAAE0753669682020DCE90F51B0209E9649048,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.098{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F7GCLFMCW1\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.097{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F7GCLFMCW1\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.016{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dll.auxMD5=83A798F75378B58F303737DDEA2A82DA,SHA256=5298F68DF0A59A3273E50A7379FFC8130F7A59630FDB9708C5599AEEED598B11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.016{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dllMD5=7BF417CEFA7114803F9790E7F77CFE53,SHA256=BCFAC92FEE902A98C44D030324FC9DC31524AD816184D660C26EA48C910E0783,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000448552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:27.911{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.821{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FSBNHSOHUF\Microsoft.CSharp.ni.dll.auxMD5=9BCA4C7BBF4BA7DE4DEFCD6D3CEF45FD,SHA256=9F5E777C978EF4EBFA33977335DCB4BD26DD284FB65E25375F1028BD3291AF57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.821{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FSBNHSOHUF\Microsoft.CSharp.ni.dllMD5=964847567F390EECD11E2314B6FE3CB1,SHA256=3897257C98046CE789A0520914D7012ECA59924FD67245095D2DB1A08E3B4A0E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.681{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dll.auxMD5=DFEE9A07D29D011E5C90B8528DA018EA,SHA256=4D719B04BC17977086E3C97ED6DDE6D64193831715F3671EDBB40F39E3684887,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.681{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dllMD5=FDAA71B0FD121959A938C6CE35450216,SHA256=0D969086369893119F98A8FA80E3A2CF52CE193BBB4C617BC777FDEF295AC069,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.681{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FNZSDPPEPZ\System.Workflow.Runtime.ni.dll.auxMD5=F9CEDA5F1BD524CBD53AEF7BD6DCECC8,SHA256=4922568A7F165F3630497523E3A2E560EFF49F2DFFC4B9ECD0201976EDCB1738,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.681{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FNZSDPPEPZ\System.Workflow.Runtime.ni.dllMD5=E8DF784058D9E5DC751793A8EF140D73,SHA256=3B63C84DA7401E9835C5615F01B8C69E0CC4D4828EED599DAB67AED65A1FCD7D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.556{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FLV143629Q\System.DirectoryServices.ni.dll.auxMD5=463466C086AE4CB364147189D71737DE,SHA256=F86388926054947476E69DE5CF63B1D6654EF8F72F52F547182B167D54F4C315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.556{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FLV143629Q\System.DirectoryServices.ni.dllMD5=A7C1F5A9C297260EAE6137984332B62C,SHA256=76846F40CAE958B044C3A425596B5A374D28E278668F499377D2C5AEA717EA55,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.540{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FLPB47NP0N\System.Configuration.Install.ni.dll.auxMD5=5205ADC93D8411C34E93F3D714E9467A,SHA256=FB0D577B81AB94285BEE583359844A2C428C0D35E37188AE8EFAB03555DB1ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.540{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FLPB47NP0N\System.Configuration.Install.ni.dllMD5=1E22254635ADCD0A1A27129E74308B25,SHA256=511FF337E660333AE9C1059C6A785D5FC2A45CEDCEF313A447AF58EEB6CBD773,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.540{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKHB9ZW9N7\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.540{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKHB9ZW9N7\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.493{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.493{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.478{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dll.auxMD5=9A6ECBF9E54407755BC7A46CC31C1903,SHA256=AB66C7611BE08DAACE1216C27356E58F5FBA629E0D55564BB48C68566CA7DAE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.478{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dllMD5=C803FD0E8E41B8E4D88B5A805756F020,SHA256=6F56D02E25E27523A86510764F1EA2827AECD9BF4B1B7385CCD2F24940FB4718,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.099{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FB4JZYWPNI\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:31.083{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FB4JZYWPNI\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:31.013{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D89521AD2203408955E517FC8FD6606,SHA256=966CAF6187E881F8CA0981D8284CF6EF65DDC9E0204AFC1DF9ABB53954842D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.746{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dll.auxMD5=8095866932D116E9C54CB06A279A8C87,SHA256=ED3F11FAC5D38FB2CDD797B3031E7D49EFB7BD44DBF9355ABABA43B82CA46466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.746{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dllMD5=016FE7AF94AF0BFB824D63F6B0688E43,SHA256=AE20EA6C343733690F1BB9B5963AEA624FFB3B86FAC697FA4C16A753363B291C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000338122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.378{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51031-false10.0.1.12-8000- 23542300x8000000000000000338121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.480{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC81BF177BF827ACF58A6B6352E1F09,SHA256=7A23D15514053295193AEFE5080EF404942331714AB1CA800BD2A0CA8FDB5D57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.449{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5FC2890DBD6268A809B770709403E1,SHA256=F4DB5CAC8B3C6F6715CC7C1D6BEC63F5B51D6745CE63FFFD5D01AAFCFD02B69D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.292{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FT2A5LLBUM\System.ni.dll.auxMD5=C691D5867B11E6FA7C4907BD66ADB550,SHA256=8F94A82313AAA813A83D97E376328517AC88F6B2FB97897F65ACCED1BEED2317,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:32.292{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FT2A5LLBUM\System.ni.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:32.092{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF8C93A1DBEE4EAADB26B3920F3B48F,SHA256=4F3517550A6B438AD79ACC2D8D3EE5B1196D16368D2FF2065B94EB8FF6D663EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.971{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.877{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dll.auxMD5=0D6387AC9B68EE76DD1AE4111FEB0842,SHA256=F87542DCD5903BA1C034524739A790E9D3B1B336B227F243592B34110620F13B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.877{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dllMD5=847A385B1E0000FE8E4F31BFD457AEA4,SHA256=70ABFFB679617A8B62208F4BD26F1DAC0C5ADF6FD62EB9C81BE6A249613E340C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.862{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dll.auxMD5=19FB3A849C52671A5AB8AB8EFABC318A,SHA256=799F28D0CC5031F28563E4C53CCF7B1B088589E6908C1961EA9ECB296B368AD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.862{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dllMD5=0EA90B6E8B779F335E221C1AB127E1F7,SHA256=7F19FC08816DA636C530A17A011AEB221A83A8785ECA95E3530458B296F79C66,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.799{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5734FC6977A5BDE71D55741AADDC8C,SHA256=D6D9013AA2F52905C2ECEE593026EDEBA346E45F0D9BEF86190E5022D0B49700,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000338131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:30.807{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-53685-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000338130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.252{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30EDF2B173B771A08F74F1BEDCA812D,SHA256=A5FB8D778EFAF38E7AB37C0D9DD58799FFF4519B0741643358049EA0D763C260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.252{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3171671763007CAE3F4D8FC45D2BB454,SHA256=632F2C8AB2A32D501C1FCDFB9E59C59A048D6227D5B655F0BE1B4CD99E6616AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.208{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FWBSD7EXL8\System.Drawing.ni.dll.auxMD5=FC5F26849EFBF982445B480BFF804638,SHA256=727468BAE2F554E06B8D2CBE4B73E98EC2235F69B034064CE4367C539E48EB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.207{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FWBSD7EXL8\System.Drawing.ni.dllMD5=C20190DA3D4B77A1662F026118F06968,SHA256=61EA726F02F345255C81371B7B124DB2FA9B4234BBE14E4DF8784DB752BD3D89,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.144{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dll.auxMD5=2AB656FB5268C785EF923D3EE5459128,SHA256=C0A8E0011E3037F316B88BED6DF66543AAB3B178F62A39F6070B5670248F67F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:33.129{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dllMD5=93CE7584E855F6AFBB0E78492FD58849,SHA256=8091F64043891CCB2D0FDC3FA0B9670D53F3444C7B6250340DE846628448DFA0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:33.306{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3142AE2C04D4C9279F0FBCC51F0B8D,SHA256=56616501D84B6144B962E9361634922D1F43D921C6EC10D34D923ABFC2D257D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.983{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GPQFBQHNH8\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.968{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GPQFBQHNH8\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.577{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GHIXZ6P982\System.Drawing.ni.dll.auxMD5=ED6F728EBAB3F9359BF38652E0A3BE96,SHA256=5B4FF2366465DD63029F18AEA31116E3A92B132C33B03B516400560F34B1D7CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.561{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GHIXZ6P982\System.Drawing.ni.dllMD5=FC675190F2508357D44C08353701D758,SHA256=B84A5EEC1D57708E0FC5D7DB9DD2C1AE39C579218933B855E5B27C3EF274CA91,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.499{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dll.auxMD5=C1BFBA62286B37FE0040708E215BF84E,SHA256=03F8237BF012F6F2808F96D34F1F239C6853F03E0260BB8CEC7971ECB0B3BC53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.499{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dllMD5=3C5C4EC7108C741BC98B0C4DDD57674E,SHA256=9D2273BEADA4D0C7D2CE64B81771586505790835694F2984E7BBE37F0BAAEC05,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.421{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.421{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.405{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G5TUSP1O1H\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.405{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G5TUSP1O1H\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.389{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dll.auxMD5=9A94D56493D66174C9A37E6EF2C17EB5,SHA256=FC910E7B67FB2A4152E62DD5331172171DBF204E9378834C9614E4E30F8511AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:34.389{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dllMD5=58C687EE63E997153029284E45B3E091,SHA256=3A8601672FF13A34D8B297B144322BA802EAECE4DD3146096F9C9BC54F9BCC4C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000448558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:32.060{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49362- 23542300x8000000000000000448557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.389{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711A7337C9596EA0289F932EC7E892AC,SHA256=184BB96F759074E04F2C887151755F6F26562023E92A1355AD1CB9098C2DF0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.189{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:33.065{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58813-true2001:503:ba3e:0:0:0:2:30-53domain 354300x8000000000000000448560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:32.871{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000448559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:35.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993CA8AFB887DF00301613D8DD1255AA,SHA256=0E9FE584E36EDEE40B9F2F654538C22E33BB24817CE46A008D70FB848A33EE10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.908{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GUMIO55O5I\System.ni.dll.auxMD5=3E37F06FB38530095A5E52EDFAA8D60E,SHA256=2929FBBD5565E1EC8D3B2CD52A903C76F4203019FF8650FA442F4C2E4DFD70AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.908{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GUMIO55O5I\System.ni.dllMD5=7F0A5DBF2075D53BE5881B6557331A1D,SHA256=7EEEF2EC1F43BBAB9E50783C6F3333BA9DBDF55A626B20A9D9CC595AE89DE89F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.471{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GPZSSK3LU9\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.471{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GPZSSK3LU9\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.046{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834FC439A64ECA0D198D91E1E2D683CD,SHA256=E78D3F782618BADB5A71135688A73AA1D52366F38E22AAD14825C217F13B4DC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:33.931{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:36.684{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32016F8F2A99031FE997B3922209339,SHA256=E3B3667315474C2DE439E9C0DC6D7EBD3B310872DD83852B019FFFD6B2453220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.753{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H088DTS69H\System.Configuration.ni.dll.auxMD5=A650D62C1B07795353DB85586C2E280D,SHA256=5502F0BA239BCE64AD09EC5757B09E5589B63B6CC48AA98FFFCA5C0C8B81AFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.753{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H088DTS69H\System.Configuration.ni.dllMD5=C72DC22457897D57F8616C219F2CFA3C,SHA256=D34717DC9D1EF4E96E9A52245A3763CE8770B05E6A0B1C652FCD99F8AB652166,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.646{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GZ4YS4RWHA\System.Core.ni.dll.auxMD5=31D5B19F1E7043E4A4C2853F0C6EAEDE,SHA256=A6B8B784C6015CCFC5A71EFD20503F8727A6EA60077AD74B3FBB4AD6A89BE756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.646{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GZ4YS4RWHA\System.Core.ni.dllMD5=8FD4D1C0E4FE382890C35514BE55E82D,SHA256=5C8462C3B08C87B8670303A35984818B47ACE440906864BD8A9CEEE12C804EAA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.080{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dll.auxMD5=47F23732071CE372B9243110B56A1313,SHA256=7F15665D9BB1AE85C095B19115B0C67B3A4EB52758FE0ECBDC13C288723E79ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.065{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dllMD5=33ABBACBEBD570DF9FC4774D00275EA4,SHA256=378ED5CA79D9890DEFA965E9591B916A35B60E1B8D7EB39CC9D4E88FDB6FD52E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:36.002{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED87C2B7239D79BD9DCDF8F2EF945F0F,SHA256=C24053A974127C78E016F6D47DCBC6A88AFAD5B3678CD857AF2EBC4F3541489A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:37.889{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD41E27ECB9BD73AF8FC8F67527D764B,SHA256=C789F67F50B9E7A7A4CB8D542C7A4C719724B635E80F402A1768C12E8FDDC026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.744{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HDK4YLB7IW\System.Transactions.ni.dll.auxMD5=41883768C7D7479B1DB43486DB643490,SHA256=1BAEDD2A3F1CF3E8A6609E785516D4FE12A0A385C609C883D2E4C93C7A3CA1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.744{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HDK4YLB7IW\System.Transactions.ni.dllMD5=633F934076A97D4532D53B525E93F9C7,SHA256=6E7917F3008778C89D0ADE04E311B5DE8E70E49881A956E4135A1835EF932960,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.666{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dll.auxMD5=8E0B5273E15B0F56E9333938DF76CA3E,SHA256=4F360EF24EA7F0823D897C9611EADD08300C981C161C1B36AD8CEE21CED8EA41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.666{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dllMD5=E069FAA5ED61AE659FFF54862D342EAF,SHA256=51516AF2F20913DCE266088B51C10A25A23950B680553277955B6DA6C62D8001,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.494{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H2G07N9EPI\System.Web.ni.dll.auxMD5=23A9FFB9BCBC4F9A11D681DBC0DD5D5B,SHA256=4730C2530D69C372781D3F2E0E1147E5F8BD50A421151BC1945CAA1DB4404A23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.494{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H2G07N9EPI\System.Web.ni.dllMD5=2602829E6BF56CA87AB04C746A7C2796,SHA256=7FB850C2D57A548EE50F6D412FC39DFE8B97CCFAC2610BA48959795B487B3D33,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000338193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:35.391{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51032-false10.0.1.12-8000- 23542300x8000000000000000338192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:37.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B53E7927DF6CE19089EFBCD5EF73E3,SHA256=81D4AB67A6E1D469D0878F3FA3137839F01D2974E1BEF1D7F775703269EEC60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.861{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.754{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HLHUP5UT8C\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.754{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HLHUP5UT8C\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.722{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HIPE4POG86\System.ni.dll.auxMD5=6E04E51CD860986EF0DB3BBFE1E7BCFA,SHA256=BFC5EA27C0C03579C98792DF6832F1756F586EE29A7A098B758E568F0DD3EE1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.690{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HIPE4POG86\System.ni.dllMD5=D66E0FBF1A4BFEC46E49BCC74B2D2D78,SHA256=61E00A836AC7D8D18D6FB4C8437E60489E3F77C91146D75884F88DA5B29484FA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.287{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dll.auxMD5=F70CFE77E87F55A4FB36DAB40447C16E,SHA256=C4FBD72EABC752EDB93372AADFEF11DAAA4BD9299569721BD28D962590520BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.287{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dllMD5=F79C500CAC32075017619FD8994AE0F4,SHA256=21CE1E3E0ED6F59044FA08BE14CE93325A1AB45F1E334B7233718A455BFA4637,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.271{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56476D4615FDDAAD4759CDA2E24C5FD0,SHA256=5DAF4887B058F2955C8B16BDCA403D68F27BEE99E93E5F35810698C181E46013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.504{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-60590-false127.0.0.1-53domain 354300x8000000000000000448568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.399{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60590- 354300x8000000000000000448567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.399{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9850:4442:aa2:ffff-60590-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000448566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.369{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local60590- 354300x8000000000000000448565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:34.369{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local50515- 23542300x8000000000000000338216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.750{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HTCUSIATTQ\System.Configuration.ni.dll.auxMD5=821F157CE83C26D58C913E0B6D5857CC,SHA256=E48DCBEED6091043D522B51F9672012C24DD1A4E1AE3049C4D97EB8DF333586F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.750{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HTCUSIATTQ\System.Configuration.ni.dllMD5=E3CC7F685FF0CC69AE85D4257EEB138D,SHA256=A28DBAAC3F5E65C015A573338541016FF57BE35464F877BF5A6A20B55409A6D5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.672{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HT8PBFPRZO\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.672{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HT8PBFPRZO\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.657{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HPNDMQTEVV\System.Core.ni.dll.auxMD5=93D95F2F680B38DF44FFA68C5FF94F18,SHA256=72A85819D2E502E7D38481242C3E198DE388A4979E762BF18B8DBAA4458E8445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.657{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HPNDMQTEVV\System.Core.ni.dllMD5=E0BFA251DF4F05EF0F0567845B91DECA,SHA256=C8DFF5085A37FFCAB934033B038500806EBD5AA39DF275F743480B6D729BCA5A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A93D96021EB2A4A8D990FAE1D44B306,SHA256=5DFDA4F16080C4FDDCFDFC3167189E52CD889C137A7717E6BDC8C6492AC76713,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.297{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dll.auxMD5=52BD50ED4F47D2E2F29961EE0EFE38D1,SHA256=4805A52F8ED7EF89DC686E2DCC6B06E6CE63E763917F8B1AB9012712243523C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:39.297{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dllMD5=4B85DF10FF589C916B17F5D590D44713,SHA256=696E3043EC7372A00BC16ADBD6A77EC067A177538A498EFE96BE7549B2A264EE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.536{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.501{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.489{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.487{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.485{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.413{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.360{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.352{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.330{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000448571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.299{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000448570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.087{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E71C51393BCF98CFF08B512A540506,SHA256=35E9721D0807D94F80D9C30048CEA0841B195AB86A7B5DDDDF8FAE8AFE925128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.664{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.662{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.661{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.655{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.648{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.648{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.646{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.632{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.621{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.611{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.609{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.601{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.589{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.579{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.577{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.555{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.549{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.538{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.532{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 354300x8000000000000000338252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:38.108{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51033-false10.0.1.12-8089- 10341000x8000000000000000338251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.530{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.526{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.525{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.522{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.516{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.514{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.508{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.507{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.505{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.498{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.497{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.486{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.481{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 23542300x8000000000000000338238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.480{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HZN6I2R0XO\System.Xml.ni.dll.auxMD5=5455B6AB44C604037C740B50E5FFC5C6,SHA256=F6DEC63B038D0EA9732A1BE14CA36195B168C591E314A84F91E708C39298BFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.479{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HZN6I2R0XO\System.Xml.ni.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.475{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.473{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.466{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.447{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.445{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.434{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.400{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.394{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 23542300x8000000000000000338228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.387{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D8FE14E3B70A28A3140B57BBB18F81,SHA256=AE0D68807A583AEC4CDBB23EA35598EAA33A7A004CD76511B8E9C45A7A6D66C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000338227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.386{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.379{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.365{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.360{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.353{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000448596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.298{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.294{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.292{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:40.121{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177620CB2DEA166FFBCE2E0A28BA8101,SHA256=6EFEBDC6E916E3A9ED400F88C2D4F4973F3B2CEB25A58FD9D0F3C50F535D2AA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:36.961{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58813-true2001:500:2:0:0:0:0:c-53domain 10341000x8000000000000000338222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.344{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.336{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.328{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.326{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 23542300x8000000000000000338218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.140{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.140{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.971{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dll.auxMD5=DF0F1C0FA81E796AC70A2D94A073E9CC,SHA256=0845B10F66BEDD2065E719081C9D63342AA232BF92EA04790F2F4B5CAD7C0E9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.971{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dllMD5=3EE0E72D8E3B1539DC08D97CEEA7108A,SHA256=255AC27EC0628CD1C208742807B816562D279688C1DA873A889FB54230281B6F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.799{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FE2F6BDF9EE9D3786368BB9B00A0182,SHA256=50C84FCDEF03C8F49D49F6BDEBE1777631EC34F604693762299634B7987F7A9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.674{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dll.auxMD5=0FBFE5BF85572E5EAF926378B1D5A6CD,SHA256=365F134ED4CC28065A185B62435A5E607FC545BF4555821AF933C4BF882EEC27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.674{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dllMD5=B2E70F3704B5B64DC37B04E4C1C9CB25,SHA256=E91FFA95C7EABAFFCA0D419C77925EDD1D4F7901C520B962CAC5FBF4547830C3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.658{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95588FB199AD47127CE5F85CA504FDC,SHA256=1446A48CB284A9D7B643E5E3EDF2A52414F73FCA75AA0C7B174D242396CAED15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:41.203{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994F837A7D7CBAEDB0BEE2862C2F1CA8,SHA256=50C76D11B0FDE64B3C43E92BA6A54B356B355BD017C221F62E48A735F4901969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.167{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dll.auxMD5=5D398136B7EF718AEDDC2B292F49FA7E,SHA256=DA7E0528132F730C1206B617B914AC2DEF37E27A63759CEE6CDF56EC61E54650,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:41.167{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dllMD5=78D04F023FC7CE7C0509605E674FB7EA,SHA256=35B483E27DF57BD7F2025E69EFC2C721C552C158D7D1DCB8398CF7DE3ECE8DA7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.984{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AC266F6A03122B7FB7BFC6A2F40837EB,SHA256=34BC03D2DF173EF684A845A4CDAE34BB3697B783C4B0AE4EFAF8909DFF2B2552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E082C21F25B27533F586657C58F8D5C,SHA256=6B60B76538B34B0E9D0979E168EBADC3726F9E4ABDA33BEF83B91107B9AC74CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dll.auxMD5=5F1B10CF85EC7771100106A8D294DE9A,SHA256=C39E9DA9D01E465D0018CD0F38C4679CA99D3D2DE577B40FADE4BBD70AAEB914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dllMD5=B5478080DC0565883D13ED0AEB88AE0D,SHA256=7133B1C2FE4870AB945EFDC8A8846A7C8F3F50F9C86784C3B9E0EF0CCBE62418,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dll.auxMD5=870A3297397BA0FE7218B9C05CCD1E5E,SHA256=1EB4BF3E6FB4775A6F7AEE5392F452B0E673B4F5C6E539E2C40414946C7BDEFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dllMD5=8326A23004BDB577F7A7127273214004,SHA256=F00785989931F0C8E944A6A8DD2D28F4F623EF4B9CDCBFDA3C1ADE17FDF1D9F8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.986{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.967{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.965{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.958{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.948{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.923{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.902{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.892{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.890{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.882{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.880{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.359{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.358{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.358{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.358{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.357{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.337{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.333{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:42.309{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818ACF571846061BEEAF6196837A6C6F,SHA256=9C7ED3BC5AEADF111335D061FDB93DC0E15011274253ED7B676219F53FA1FFFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000338288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.025{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:2c1c:73d:f5ff:fef0win-host-ctus-attack-range-212546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000338287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.491{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IE2S1VDDUQ\System.Core.ni.dll.auxMD5=31D5B19F1E7043E4A4C2853F0C6EAEDE,SHA256=A6B8B784C6015CCFC5A71EFD20503F8727A6EA60077AD74B3FBB4AD6A89BE756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.489{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IE2S1VDDUQ\System.Core.ni.dllMD5=8FD4D1C0E4FE382890C35514BE55E82D,SHA256=5C8462C3B08C87B8670303A35984818B47ACE440906864BD8A9CEEE12C804EAA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.173{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IDGUDGPLPN\System.Configuration.Install.ni.dll.auxMD5=6B649BA7D5A288FCDC0C05BF03C05385,SHA256=357A2261D1AEF1101F9E68A357062516F87B80EF483B576376D691273BEA6333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.173{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IDGUDGPLPN\System.Configuration.Install.ni.dllMD5=677A0EB38AA4E398E7CC37177E63B75D,SHA256=A830A97C4F75ED8EAC18E61A2C26CEB801F1F8B001A0542FB63DAD99D7EFBC5E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I88DXXSPAG\System.Configuration.Install.ni.dll.auxMD5=35A313588DD8BF1C4A5557EAA79D2888,SHA256=8C1A5F0899AC55E471D0A266242CB849FA7A827C6DFB151597B962F19439A003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I88DXXSPAG\System.Configuration.Install.ni.dllMD5=E6EAB74B0CC7C40180FA4FE64126C927,SHA256=2B84A2239A9EADFF8DDEDB693D7C2DB00821062A8A2330814592705446E34CA6,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:42.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000448599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:38.654{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58701- 354300x8000000000000000448598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:38.630{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local58701- 23542300x8000000000000000338300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:43.811{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238923AE23C2D401EB22D2713076EFE3,SHA256=0F91F12D3940D97FA794B039DB7FE86CC2176B50E04ACBEE6FD1C1C3D3A76D79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:43.422{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC4CEF8E07B12AED9EE26588466A20D,SHA256=2B883D8D63B40694E1D575859DB15C814433C4D00A2AA1C0319F095748E8C240,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000338299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:40.448{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51034-false10.0.1.12-8000- 23542300x8000000000000000338298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:43.590{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dll.auxMD5=1D30F3B92D5134B2A30A5F0DE1C91264,SHA256=E0F0F10CD976EFE6069FBD50986EB409295BB110D1848EB1C721DB525CA03F10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:43.590{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dllMD5=D7943DFED3B022B1D45A86E115CA587A,SHA256=0CC48205999BBF650571D739A7CCD2436528FA0DBE507E46F61D53028F5246CE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:43.278{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dll.auxMD5=EDC52D59BDF2DFBB195AE6DD2A938270,SHA256=ED816F3F4B2D458DDAC0306AFA5B9D2C080734BC035126054DF76141F90910C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:43.278{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000448624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:39.715{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.921{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397A6B77BD2541B6309AB8F38FD1F028,SHA256=0162E9475E596CC75C8017FB1A1D4BECFA3E61B07193B7FAD34AC22B9B070F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:44.512{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098A9E49CBD423D8C2C419D927A67E09,SHA256=11B92280DA468C6BB0BE0C3C7FF520477F640F36895247B0096B475220E5F088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.796{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.796{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.781{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.781{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.310{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:44.294{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4F5-63D3-D803-00000000BC02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4F5-63D3-D803-00000000BC02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.843{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4F5-63D3-D803-00000000BC02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.844{45AAC21C-B4F5-63D3-D803-00000000BC02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:45.596{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7391F65B7BBBE46BE2BB4F1A48F40231,SHA256=D8C3960C461F172BB1B6841636F3FD4F99900DCB04A35858354123CFB11D8A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.847{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.847{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.785{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILB9TGUI9J\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.785{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILB9TGUI9J\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.326{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.326{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.326{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK9XFCCW7P\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:45.326{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK9XFCCW7P\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4F6-63D3-DA03-00000000BC02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B4F6-63D3-DA03-00000000BC02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.973{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4F6-63D3-DA03-00000000BC02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.975{45AAC21C-B4F6-63D3-DA03-00000000BC02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.895{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71E2385E4272251EBDAD15FD6C7F570B,SHA256=56D732A47C89080B85DDAA2AC70A67940CC40BF307F38AC7ED0EC97053364EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.678{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95D6D3B364895432FD91B1B8BB37A2B,SHA256=3AA47D896E7BAB98A62F75386364A6D39B193F10A7955F6BCED8EC73D1C81C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.840{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dll.auxMD5=2021AE82CBD2D825BCC5BD389D6B04BC,SHA256=E735BB5F60025D0802BCA188FCC852A0EF05D1F61A823F2B3F1A7F8432BDAFB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.840{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dllMD5=3ADF0B1515BDE1375284BF35B32290C2,SHA256=026A4F05226CFDA96E2C8AEDD27DF895A67061C9D5BA5C4F3E695A5B5828F65C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.205{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IN56BUF5C8\System.Core.ni.dll.auxMD5=013277D926600FEE37F6DE6655FB40B3,SHA256=95B4838E806B9231A478DE12CE63D595A691B9E9E3AD073B2FF0962385464A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.205{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IN56BUF5C8\System.Core.ni.dllMD5=A9F9876DFDF47CA3FDB3CBB3326D13EA,SHA256=DF6D6A1345DC974C0D5DF039403DE65156918A4D4EB08343A2ADE6256597B1D4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.019{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5214D300BCD8272B7A57E8ECCCDF4E,SHA256=86F245341E002478558A7D3F3D94B3065EF5026047FE09C8EAD219E01ED57980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.490{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F87BBADE7BF016D5459A2D7BF12176E8,SHA256=DD61D11ABC8F038A6CAD4A6AAED87BF3A0ACD39BFBDC3F9FC1FA52C0C15DE002,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.437{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.437{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.342{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.343{45AAC21C-B4F6-63D3-D903-00000000BC02}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.093{45AAC21C-B4F5-63D3-D803-00000000BC02}47285476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:47.797{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983AB0B61EE54B43962DF48BBBA0777A,SHA256=6295198A6E2372CE5BBD5F2CF1546E35870541D47F98D9C72778430DD06FBDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.914{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J4KUJBC91E\Microsoft.PowerShell.Commands.Management.ni.dll.auxMD5=DA3300D2BFF5327E652B6021C4E6DA5F,SHA256=3B03C81F9279D9D725B2C94EB09C53DC77DCBEC9F0E08F2475C6A4A841CBA91C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.914{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J4KUJBC91E\Microsoft.PowerShell.Commands.Management.ni.dllMD5=EE81C20775C385A7A844F0E1970F85FE,SHA256=7D945D96DD05215EA853F76964203B7EA946D474846FA3F40A2A4916A6BF99CA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dll.auxMD5=7F30D62C40ECEBE959AB7FB13D9CACB6,SHA256=F563890C1B347670F0A4C7D48375B329C4D6D5668656AB34D431CF54BDC84959,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.755{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dllMD5=6DA4DEFCCDD3303D217F37080B3C82F2,SHA256=5848262A5DF18EEDA336B5BCB85B1E4544E04A99B0D79AD3E249CB0F4AF89CCF,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.740{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dll.auxMD5=C347F922A9553D718BBCAEEE3869876C,SHA256=722410E5968780B9E761CF0DD4EB88AE0ECFDFDD4108B53D86E537B6EA9C8737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.740{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dllMD5=77ED9EDEB0747952D3B1A7B6E67D01E3,SHA256=9307F45BFEF69DEF67D5F1B21A7EE2B9DC6B8721A33329220F5038C01A3B0A8C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.552{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IZPXNW5H8G\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.552{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IZPXNW5H8G\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.474{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dll.auxMD5=01E8C031085FF8BBB38DD53F01924384,SHA256=3C5FAA30091A95257E80AC41FD202AFCB16ECDF79580A88B7BFC05ECF44F2FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.474{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dllMD5=5C1FAAE417082B6C49E892CB5E511218,SHA256=68EBA231E243F2FBDE1EC5F1EE17FA7C1D6B49EB116652AAE4E980CCF1878101,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.427{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVU2WPLSOB\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.427{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVU2WPLSOB\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.380{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dll.auxMD5=E240420E93103B565F0E202D65BF02CC,SHA256=30A7A2ECEEA4B1E1EDE71D67D6B3E652C6996BD71D330FE6C58618AE230795F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.380{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.318{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.318{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.240{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IOQDB6LLXG\System.Xml.ni.dll.auxMD5=BF6EA5973A8704BEAFF93DFF43013B1D,SHA256=5BF8F953CC2F161A4CAEEF0EC652C03AA7AECFB647E304E537D7E3A8A8307C15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.208{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IOQDB6LLXG\System.Xml.ni.dllMD5=01F6655832EABC197CC007750402E376,SHA256=04FD469741ACB756B4FA93C6CFDAE38417AE8FAE04FF1608D08F85105D61A33E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:47.099{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387111E71D1C8C4A31B44F0471F8190F,SHA256=8A0D88163B1A256D51C8A804A2028AAB0359510A50A26C6A537067DEE9E4B92F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:47.594{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=88CB9C375285ACA948110F001697BCCC,SHA256=C5C9E9A46968551D1F790CF3CD19BDBCF0DBCE535CC7A997255ABD3B86613A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:48.875{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A09394FBDF51FA842E414E0FCB7F9F,SHA256=B03FE7DC9EEAF5945220A385B79BC6800368D0003363385787104C9D27E83E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.981{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dll.auxMD5=0957F4DA581E02FF9C1610899338F081,SHA256=149C4DEBA1B8BC2221AE4E9375A4D096B7FA043FD251BF9127A286B9B5C870AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.981{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dllMD5=518A18816F2AD45C37A53A4D5AB36114,SHA256=3978A170D2047F55D0D22592D4D67EFDBD4AD29E48606367706C9BE4214F84FA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.787{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0F53009E551F5014FE93E1385A40E8F5,SHA256=84DD78B8542CD24EB46BDEAA11827B40E1C0A396B194D95BE928A4F912EA2F7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.442{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J9LJ1HYI5C\System.ni.dll.auxMD5=6E04E51CD860986EF0DB3BBFE1E7BCFA,SHA256=BFC5EA27C0C03579C98792DF6832F1756F586EE29A7A098B758E568F0DD3EE1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.442{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J9LJ1HYI5C\System.ni.dllMD5=D66E0FBF1A4BFEC46E49BCC74B2D2D78,SHA256=61E00A836AC7D8D18D6FB4C8437E60489E3F77C91146D75884F88DA5B29484FA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:48.302{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192C8FC30F28390E516EAA5128E96E8B,SHA256=D7B37507F104E8C8DC6F849B9809737662DB6C87BD2F7D70BDDD9706C9DE161C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000448661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:44.793{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.761{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dll.auxMD5=2757D2358B8F06C9205162B01ADD8563,SHA256=7DA6F03A2961DB5296E81D1186309960BE931C942AD7F3BD2FE11BD1F40F0B40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.761{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dllMD5=897FC7C6AA44F5EBF88139492F41E46A,SHA256=D365B32B72989F4BAED79A536394AB7D040B9A920F89897DD5BF77264F8A6792,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000338353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:46.408{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51035-false10.0.1.12-8000- 23542300x8000000000000000338352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.496{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB298574F8EF8B9A752C94FF969A0FA,SHA256=CBA7348BF8F3B0ACC388F5B81C37B28F654E923D3A36229A22522DF761C66112,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.946{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7CBC7862572E28463F9F7580F922DE,SHA256=91160258C9861EFB3C5A476E9E0596A2A61D1C8CB730E3F6C79BCA80FC808DB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4F9-63D3-DC03-00000000BC02}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B4F9-63D3-DC03-00000000BC02}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.915{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4F9-63D3-DC03-00000000BC02}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.916{45AAC21C-B4F9-63D3-DC03-00000000BC02}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000448673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.294{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52732-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000448672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:46.293{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52732-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000448671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.401{45AAC21C-B4F9-63D3-DB03-00000000BC02}42044140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4F9-63D3-DB03-00000000BC02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B4F9-63D3-DB03-00000000BC02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.245{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4F9-63D3-DB03-00000000BC02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:49.246{45AAC21C-B4F9-63D3-DB03-00000000BC02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.355{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.355{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.339{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JFWNK2VC4X\Microsoft.CSharp.ni.dll.auxMD5=47E268156ACDA1AC47111ED9B7EBD269,SHA256=E08EDF2CC1C73FCFF183B729BCB9123AA5BD4FA0375D3DE77D36FC7AE81E193A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.339{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JFWNK2VC4X\Microsoft.CSharp.ni.dllMD5=5F9939CF8E3680218554FD483ECB6CCD,SHA256=20FA3AA93BAF831BB13EE7A02769F5947BCD7108E5C413C4ADD4BED59134E0BC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.261{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JEVKK19JJW\System.Xml.ni.dll.auxMD5=C46AFE767A7A6B01F533899717A6FF6C,SHA256=238FAA1207CF64F8A485C487FC4C1DD2A8BE09388400164CB241A0D1A1339D49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:49.261{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JEVKK19JJW\System.Xml.ni.dllMD5=7C9F4479BD2D810B1EE158C97F4E5CBA,SHA256=FB6106C5455C32DEB7A2ABD62BF44D36E839A835101BBE840713298AC986B802,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.933{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0259C23F5D7126784BD1ABE1935A450,SHA256=4DA7E87C10FBE59D485022A4DD7C95D05C13500AC42C302F30C33113988E9F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:50.932{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dll.auxMD5=337A44DF08CED104D7814C2A7B3A0898,SHA256=C5E3AE32A409B4FCCE84FA81A83509558C8AC31166CF91760407F9DEEF2EAA60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:50.932{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dllMD5=AB95BE2F0381664F51CEDC66091D7BE9,SHA256=177E9A8A1D1800F1C28BEC108CD5AD847338548FDDB471FF708CE4FCC6F5C606,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:50.577{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87773B616367FB280BD50DC60C25122,SHA256=ACEEBBAB6F5332F4DCE7BB8CB5A20C1C06CF3784BFFCCA634717FFAEADA23B2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:50.351{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JQ2J01Y2Y7\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:50.348{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JQ2J01Y2Y7\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000448695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.608{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.562{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.562{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.561{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000448691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.414{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.415{45AAC21C-B4FA-63D3-DD03-00000000BC02}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.180{45AAC21C-B4F9-63D3-DC03-00000000BC02}21682556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.981{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dll.auxMD5=938F2463A77401FE0B14F375FA9E1ECC,SHA256=CF737F659C2B4F6A5991AECCCB5A424748075189BDD3853576AC68B316A37A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.968{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dllMD5=E5B921ECDA5B62F89AD0F30770489EE7,SHA256=94548B6DA782327576F76F826309ACB5CF6A80F9799F6C1D79DF4320DD8A36EB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.766{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01F594D5B5A3F4110BB77B88CC2589E,SHA256=310FB97F5A57575007B56617CA680041D8F1E3140E1E4987B4F0631AA1EE46D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B4FB-63D3-DE03-00000000BC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B4FB-63D3-DE03-00000000BC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.614{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B4FB-63D3-DE03-00000000BC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:51.615{45AAC21C-B4FB-63D3-DE03-00000000BC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.364{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JZA3WDDAAK\System.Transactions.ni.dll.auxMD5=35DB795925B0CFC1CD7005D1E90CA76A,SHA256=0D1F9FADEE7CCB7FFCD0BCFEB4289B3F89101312E396962FCBC3486FDBBE4FB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.348{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JZA3WDDAAK\System.Transactions.ni.dllMD5=992BDD0BA5CA1305C35337080E779862,SHA256=37D038879A46694553D2D62090B2C34B5C4A6310B753DBE8E5AC80AE90700D21,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.315{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.299{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.299{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUUBNE2GJ7\System.ni.dll.auxMD5=28BED03F73DC4744FB49D7F20F049F10,SHA256=8483EC49A05339DBB4833BD234194E62DBF6E372CAF3E701874DE793FDB68996,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:51.299{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUUBNE2GJ7\System.ni.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.867{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681B7C8B6E0805ED9DB16D1D49212EE0,SHA256=67E404CB0008272B22AD8233E1DD3D3383C368D8A7A6E8CE2372EFD989B6AD21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.571{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCBM58UC8Y\System.Management.ni.dll.auxMD5=D1FB47B13BEB3E3FB03751D019B8D15C,SHA256=8C6E70F4C3FEC15367AFDD3AB7E1A31225D13B8002E76E66F28E297090FBD149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.571{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCBM58UC8Y\System.Management.ni.dllMD5=80E812D84EC5E760A33A174532E98ACE,SHA256=E2E98827A0D3A37F3B4562AEDE2CDDDB9EA45E33C40DEAEEDF862BE0282E3A51,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.555{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K8OWUJ1965\SMDiagnostics.ni.dll.auxMD5=8C2D9DDF29CE304ABD9A5B9C4B2389A5,SHA256=72812CC8CC4F48B00B4E4CBD46B33AE89E2017A9195CA931F9F33575A395990D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.555{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K8OWUJ1965\SMDiagnostics.ni.dllMD5=F5E8B4B9A1BF8EFDC39C37D2C3204142,SHA256=41F864173A01EDC328DC5002F801270BA05E84D303FE78B710EBB52CE339781C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.555{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K7H6ATT9LJ\System.ni.dll.auxMD5=6E04E51CD860986EF0DB3BBFE1E7BCFA,SHA256=BFC5EA27C0C03579C98792DF6832F1756F586EE29A7A098B758E568F0DD3EE1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.540{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K7H6ATT9LJ\System.ni.dllMD5=D66E0FBF1A4BFEC46E49BCC74B2D2D78,SHA256=61E00A836AC7D8D18D6FB4C8437E60489E3F77C91146D75884F88DA5B29484FA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:52.732{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCA5BBCBFC49868EAA7DADD5B1726F6C,SHA256=5D177DF720216F35E7CF434864F6F04F6FE8A940857EF105EC35788934C99745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:52.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E645A4E384BD855CB87F4F6C0B1BBBB,SHA256=F21C9DF33D3A35D699BFD44160F7D5AEB804276205B04A3F6D94C9749412034D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.955{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CEAC59CCDC0F51CF240F80D809E02D,SHA256=D22252257B6C19437AA7D2923D80756D6C8F95278FC5D99ED41F68B1B9DBF6F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000338397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.847{72106695-B4FD-63D3-1304-00000000BD02}51321076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.722{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dll.auxMD5=4D1A6689DC11F81CF9642E9CA661FBD8,SHA256=184270D73884EA9ADD722EAEC9D3A0806F5CBD2C7CB4D6DC4591869DDB2A4194,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.722{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dllMD5=1D502B42F3922DB469D11EC1DD4A452F,SHA256=3F4717011759940D5F9F588CC8BED4B958CD94C373592206C1AAEBE284DAD7EA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4FD-63D3-1304-00000000BD02}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4FD-63D3-1304-00000000BD02}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.565{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4FD-63D3-1304-00000000BD02}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.566{72106695-B4FD-63D3-1304-00000000BD02}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.222{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dll.auxMD5=A2054B56E52D30E988FB8E8A16E667BF,SHA256=009ABF98AFF25034C2A60E2E5C2F5687889F13B9435D965E52052A797E830C74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.222{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dllMD5=701013E651E17E9D7EFC716A52EF250D,SHA256=653178D1F2FE4983C9E8FAC3E4BC2F0CE7CAB8F5A44BF1FB710B901082841FEE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.222{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dll.auxMD5=74793ED55CA5E05229CDD02BCE056C64,SHA256=109B547081FB3D7DD775E60449A24B88EAF5A35B5EC3B69F4B0987E6EA0D5C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.222{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dllMD5=401729E38D7ABECD78EC2E9BCA281C5C,SHA256=BF273BA827A9BADBB785086965D428382DDFDE50B53355D2BCD4AFF70695C0BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.130{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KDNMLMAVDO\System.Configuration.ni.dll.auxMD5=821F157CE83C26D58C913E0B6D5857CC,SHA256=E48DCBEED6091043D522B51F9672012C24DD1A4E1AE3049C4D97EB8DF333586F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.130{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KDNMLMAVDO\System.Configuration.ni.dllMD5=E3CC7F685FF0CC69AE85D4257EEB138D,SHA256=A28DBAAC3F5E65C015A573338541016FF57BE35464F877BF5A6A20B55409A6D5,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.082{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCJ11CEMAI\System.Management.ni.dll.auxMD5=7E6A57527B56B59D980CEF5444D51556,SHA256=FF8F2B7EC66DA279782F9754696EC304536B7BBDF25CABEE475EC6C276F3A0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.082{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCJ11CEMAI\System.Management.ni.dllMD5=DBB27AB7CAB61053088108EADD3FF3A1,SHA256=703DD09A5B05E85DAC24B667BC3245FBD5E5656E5310E2C12D07854509D5B197,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.038{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCGD84R0ER\System.ni.dll.auxMD5=67517A99BFC7B8E9EC4553DA1ABE1AA6,SHA256=A1393DEBE5DFF4DDC64BBEB10B89DF902844FE74B3557B066328CD5E2E51B784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:53.037{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KCGD84R0ER\System.ni.dllMD5=B2AFC35A1874090FC9C00C5667666DF7,SHA256=9453A1476B8EEC59BCE413CD0FEEB46354ECC6532B7037488CC113D9EFD84452,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 354300x8000000000000000448708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:50.750{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:53.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018B5D4B0D52D499F91103A1243C32CD,SHA256=973BF8F5F274607D55116DFCA4DB4BBF8ECD9A7700BBBC60935B5ED9831CAEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:54.177{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E793238B34CDE49D92166C4081C7BC,SHA256=D07EA0C951FCEB9D9FF51743998BB5BF0FEFC4D020658B2D9AF5D1EF3E56BF2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000338423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:52.376{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51036-false10.0.1.12-8000- 23542300x8000000000000000338422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.782{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dll.auxMD5=684302FE423D7E41FDC82C1D5856E236,SHA256=F337F5920192EC0AACF5FB4361AC90BC3C648AC0846D5C2CE84645D465DE0ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.782{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dllMD5=ED09B66BD9413256CD1DED2FD1782AD2,SHA256=90BD081F86F3888C1C8F639B10BD88D7F212573EBCC4E7B226103CC1472AD823,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.766{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KO6MFHOT3H\System.Xml.ni.dll.auxMD5=ED9496CE2223D4E1A165BEFC8A495F49,SHA256=4F40C0EB01C6D669BAD474D8A1EFA20E9875920DDBCB1E521BBFEFEE2ACC0FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.766{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KO6MFHOT3H\System.Xml.ni.dllMD5=37E129A04ED511528A4B868C33DA4466,SHA256=ADF060A953F940FFAC3B248DE75B69860F955197BEABB73C56CF26EB8705E668,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4FE-63D3-1504-00000000BD02}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B4FE-63D3-1504-00000000BD02}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.610{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4FE-63D3-1504-00000000BD02}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.611{72106695-B4FE-63D3-1504-00000000BD02}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.594{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09DCADD6ED7406321DADF303186A5CBC,SHA256=2EE602F54A721BC7169BE63A0B1FADFF8816FEC018E39F74C497EA2951F80776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.375{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKPT3NGPQI\System.Windows.Forms.ni.dll.auxMD5=4DF0412E3BA2AB1E179D87346D88EA22,SHA256=DF6511BAE1B97EC81B5CC61AD70C7A84B7AE42E1FAEC939A63D25DE65C8CF930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.375{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKPT3NGPQI\System.Windows.Forms.ni.dllMD5=284300B512FE92853D650AAF7654D6BC,SHA256=FE18DCD6BC8C80D5D619EF185396A79DE86D785493BA0D21C66E6D70ADACD959,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.282{72106695-B4FE-63D3-1404-00000000BD02}19644564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4FE-63D3-1404-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B4FE-63D3-1404-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.064{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4FE-63D3-1404-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:54.065{72106695-B4FE-63D3-1404-00000000BD02}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:55.272{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5340188F592C3287FBD07BBC2B963248,SHA256=96219D5733D5076399805336609E49FAA878E8E631D4C4A1F5B350E6ED661870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.861{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.862{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.767{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L34A9E49NO\System.ServiceProcess.ni.dll.auxMD5=9046DC8AF57A689737E35673E1FEBE4D,SHA256=0718FB2272D8BDA1BE26978BC6F3F271E3E73EF81782F75BD593C4B5273F8388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.767{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L34A9E49NO\System.ServiceProcess.ni.dllMD5=B4E93247C9175B5C117FD4A0B662D510,SHA256=60596192CD9252FE839884860D51FAA078887038E91EAEAB3E04E563E6F66ADB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.752{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.752{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.752{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dll.auxMD5=AC36643F64BD9537E552F35C0B019EFB,SHA256=4AA66A91B44CCA1403B9F0E71435C3233124EAAC20C434412CCACB77255B5612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.752{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dllMD5=A8D652BBECDD183E51E2E654E8F4770A,SHA256=C1FC8E5327FC8C5492756648C2AEF53E12E5F647D82C4A01DDCF1DEF561E92F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B4FF-63D3-1604-00000000BD02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B4FF-63D3-1604-00000000BD02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B4FF-63D3-1604-00000000BD02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.242{72106695-B4FF-63D3-1604-00000000BD02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.240{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A0D2AB9A4CB9F26658A8685154390E5E,SHA256=66D28709CB9313AA37A433B8F6BB76D7FEE9D971A22F4C5E5A85F0B9407AA8CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.224{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dll.auxMD5=C2E0864BC116ECCED285DA8D65EBA6C4,SHA256=2BB21F1B779326CC28A17D48D9F22E3D40D2AA67CF35282497E9BB087377688B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.224{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dllMD5=D8D409480F7CC454D0719266B2D7D9CC,SHA256=9B5D64CF20C48A42257A1E2E68F810F179E553C3CF743ADCA720BC20682A0849,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.177{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dll.auxMD5=CC8504EB0D831F3A4D7BF486C8BBEA57,SHA256=E9740B680C31812CB7524E87205E12CA8DA04DE69735BD7EAA900EDEA24D8309,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.177{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dllMD5=AD4643D2B1E5DF5D5B5986C4870424FB,SHA256=E7518CA9B10991F2C502321C26DD4F3AB778E162B1A3AC90888628FC864C47BB,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dll.auxMD5=63CFFCE43BBED168D0654C5A8A018374,SHA256=3424CFD864C6AE00FFC20B978CC30ABBA607511DCD8E423091E952A7A99B11F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dllMD5=4BC31F57ACB281F7C863B91725EB6C29,SHA256=459055F2D2B7F600BE627AA49F1681130C1892BC0A0F8DDC76E9BCA32487DE2D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:55.067{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E37071A825CCFBF96D59F87D7937851,SHA256=D735C6F2DC01F0DDFBD531072661C2C8174B39C3AE8690CF653FE8F4EFC93467,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000448711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:56.360{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9668CE6110EE14E6936CDF8CC7DA442B,SHA256=C251845C6A3838C68487597E4784C295F806C535A266C5CB3B64DF222328B735,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.712{72106695-B500-63D3-1804-00000000BD02}48485468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.670{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-105MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000338477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B500-63D3-1804-00000000BD02}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B500-63D3-1804-00000000BD02}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.543{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B500-63D3-1804-00000000BD02}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.544{72106695-B500-63D3-1804-00000000BD02}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000338469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.342{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dll.auxMD5=7BE8E3D8CBA8DE7A117F27F0345AACDB,SHA256=9BEB3A0B9B7CC3C5843693FD59757D3AF78C48A48C7E949A2DCABC3181AB7625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.342{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dllMD5=54B8805EB3C694F29052E9B1789A07DA,SHA256=4D2E9C421DE3E5FA95A79E6C35CD689B53BBDAA27FD36114ED4710F9CF1F27DC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.279{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dll.auxMD5=1BFDFCF998903EA6AF2C7F1496C9BD50,SHA256=DE281F3E622CCF729BB00B9DDF68643C79FCF455B0EC1FB21DFB5F94AEDD6859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.279{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dllMD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.263{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dll.auxMD5=CCA0985CD95C87162EE8FABD44FAE1F5,SHA256=EE34560D22D7CDEF63F66AE66B409DEB4D75505E1017190BEBE0D4191610E7DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.263{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dllMD5=13B68E88BC8FE03216C474B8DC5258D1,SHA256=64B7FB05FD5CA1DE5630A096593393F2EBEBE2D43AD94B1D514AACF05702F345,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.201{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE73F94B98E9B1305543B91E0B8372C4,SHA256=B96CDEB21CA22F819A646258BDBE3EB4F6B91EAFB268B8E66CF86EC7292FC1E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.188{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LJUZPZX2FI\System.Numerics.ni.dll.auxMD5=7498484D2E7FD785FA532DB7139D4C0D,SHA256=D6FD9362B956709DB3F8C9184D1F8B3E52993121DA5A437FC523B2A71C0EF3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.188{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LJUZPZX2FI\System.Numerics.ni.dllMD5=3F7CB439388CDE4109829B47B69E53EB,SHA256=87DF519A1570E4A7DC96D21E67FD4F16120CD0EFEF35854EF277C4C059B226A1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.172{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dll.auxMD5=8C62FCC7526EA7B45336F62B19961917,SHA256=380C559E81001EB5A7E6E4CB27A7BBC78CAF792DAC2CA81FB5CEEDD346D56718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.172{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dllMD5=1B1CEB2CC83E5F299E616C434A37FC86,SHA256=1AD9A12E233F803A985AFF686A26B3DED3CB16927C25CF4C7BF0D7AA4CED4137,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.127{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dll.auxMD5=7E0C144A9DCAD31A8111B8B42DDCECBA,SHA256=AD9B8AF589F1D2BA5C81427E41087FC704AC82D57DE568EF8085DC9977CF8549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.127{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dllMD5=F1FE6824F513926F23FFFE53348D791F,SHA256=8AB5DF5356D9BC7FF295DA609CE1AD35A98FA8A91B98CE805B6CE72840483BBC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 10341000x8000000000000000338456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.103{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000338455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.102{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4FF-63D3-1704-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000338454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:56.101{72106695-B4FF-63D3-1704-00000000BD02}57484924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:57.453{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D028A609F3BD92831CF74930F056D3C,SHA256=34BC5EFE6882AEE6C214CC1F2F6BED25A46D04CA9664F52A2B1974C92CF4CB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.850{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LX7S04MTOY\System.Numerics.ni.dll.auxMD5=53F171148A0259FC9F8CAD8DD0BE72F5,SHA256=9BFF35BBEF3463179129A8844ECDA6381CE9B8154987A8EB02169B1B26903D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.850{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LX7S04MTOY\System.Numerics.ni.dllMD5=E2F37D6662BF0951356738A4F5ADB453,SHA256=D9849E412FEF691733299C42A71A6EFFFD859C8E88A0F5283ECC1FE5761EC4CC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.803{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LX4LELSMYZ\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.803{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LX4LELSMYZ\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.756{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dll.auxMD5=C4E4AFE001B45754A961F829FA2AA4FA,SHA256=AD75AEFF2DD869B6EBA26338422C0DA1577C6D99923183CA8E58F68D71873E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.756{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dllMD5=3DA8C7A3CE434CDF212B055456B2D5AD,SHA256=800BC5C217E541299A28DCF0F10BCD943B74F33E250FAFCE57D3BCBE02060463,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.667{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LP9L9JM2ZF\Microsoft.PowerShell.Security.ni.dll.auxMD5=11B6B174F3B0F109A57C84BF941445D1,SHA256=D1622923070626B2EE11393A4D9DC5EFBF6AA759DFCFD6AF959A2526CFE58074,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LP9L9JM2ZF\Microsoft.PowerShell.Security.ni.dllMD5=C8071429217A3924B703E5495189E0AF,SHA256=1689B55477AF2D74DC24A4E0D68E955A522902C78E5C52FC82554CCE56C37FC2,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LN80HUF6UN\System.ni.dll.auxMD5=6CA3DEBF05BA5E829FF4B40317CDF747,SHA256=81402C4AB7DD7977F5E820A834768DB387FD89FE895FC69AF3FF0BFBC5B131AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LN80HUF6UN\System.ni.dllMD5=EC5EC15D98858C12E5013977BE925EAE,SHA256=F6D3CDAE6CBDE96ABB430F15A999D898E4926362852FB0E8EA56E74B341C0F71,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.282{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dll.auxMD5=DE88ADE06E3B0B87F9EC542D03B909BD,SHA256=CA646AF9FA56EDA1FF4974D5AF0A9B2B360B84CC30AE311FAB387D747E11DC02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.282{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dllMD5=585F7866FCC0FE6A5D732D961852CC62,SHA256=1DA8CCE6A338D38A2D88A14748AED2156D2B95311FB4EB5CD0A5BE147BCD403F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.266{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839829EEBF536C60FBD2D28F7FFF8AD8,SHA256=5557AD51F34729A93B341A2113EA27ADB5AE9B40477C8B3251A3140FA7A9F3B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000338487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B501-63D3-1904-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B501-63D3-1904-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000338481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B501-63D3-1904-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000338480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:57.220{72106695-B501-63D3-1904-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:58.641{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C39D2495EFEC6E8825CAD1613B844C,SHA256=33ED631A837477146A7E56BEBFB48FDB1D1D8A02489D5D9727BC8227113E7A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.780{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9C2F9E7XE\System.ni.dll.auxMD5=67517A99BFC7B8E9EC4553DA1ABE1AA6,SHA256=A1393DEBE5DFF4DDC64BBEB10B89DF902844FE74B3557B066328CD5E2E51B784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.780{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9C2F9E7XE\System.ni.dllMD5=B2AFC35A1874090FC9C00C5667666DF7,SHA256=9453A1476B8EEC59BCE413CD0FEEB46354ECC6532B7037488CC113D9EFD84452,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.418{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9633BBBFDF5F20CFC80CB3F9DB750F7A,SHA256=DDB413A7DF70C8E14D2F70B881DA8A1D3D0B40E9C27440621875623150F870F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.269{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58505D0EB6512431A32B15ED6A7E911,SHA256=2A9883BFE5F651E70C8EB5FF2CDD395B040067089D6446796CD9C93F39B81C6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.177{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.160{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.713{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D24B0DCA3D32CA762DF89A965F589AD,SHA256=1CA78C2D6FA910B281AF4534DC2EE23A4BC77A6A4313AA315B26DFCC9553ADA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:59.725{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIQB39911B\System.ni.dll.auxMD5=3E37F06FB38530095A5E52EDFAA8D60E,SHA256=2929FBBD5565E1EC8D3B2CD52A903C76F4203019FF8650FA442F4C2E4DFD70AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:59.710{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIQB39911B\System.ni.dllMD5=7F0A5DBF2075D53BE5881B6557331A1D,SHA256=7EEEF2EC1F43BBAB9E50783C6F3333BA9DBDF55A626B20A9D9CC595AE89DE89F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:59.335{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457D25B6C9D7D582B8ABFCC1C90B50BB,SHA256=102A8F4F7CD55EA1A164190CCDA8D2414F5F2D47633C85EE2EC55012158B7938,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000448733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.527{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.509{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.507{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.461{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.448{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.413{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.402{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.393{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.376{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.352{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.344{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.297{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:59.294{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 354300x8000000000000000448714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:26:55.906{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:59.166{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:59.166{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.793{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AEB46884315D463F21B64FB590114A,SHA256=7FEF925A25C6628D610A4377BEF8945778907B0256A69494752FA77577202D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.917{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MOEPGXJBXV\System.Data.ni.dll.auxMD5=4873E34E22982DC21781DA70C533F01E,SHA256=BA2C4B6AF434301923D13C2A65E93CF2C32EC22ADBF51FB0AB7632603DAADA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.901{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MOEPGXJBXV\System.Data.ni.dllMD5=F272D5B22EDF3A927F701CFDE35030F4,SHA256=C0BE2D832A6B76E8F363F7E2BCC3053AA7E815E1E83F8F36F77DE84E04744563,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.794{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.792{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.791{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.787{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.779{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.778{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.776{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.762{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.750{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.738{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.735{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.725{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.714{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.700{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.698{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.675{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.662{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.649{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.644{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.643{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.640{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.638{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.636{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.633{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.632{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.629{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.628{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.627{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.625{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.623{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.613{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.609{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.604{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.601{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.594{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.581{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.579{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.570{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.517{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.506{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.486{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.472{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.443{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.421{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000338526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.415{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54AFDE8C944A015B7D8C2C4E01C11CD,SHA256=C7F85418E35B0E6796A1931936358095E76A7838005E83268BD6AC58337A0757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.408{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dll.auxMD5=AB37B4D34FC53F43A723D713E12B4003,SHA256=47AFE86256B978AB7CC1A26216ADFCBB2C3B3BE59AA00ED8EF85B73360C40569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.406{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dllMD5=6D871CEE5183880F2C6E45D4A633B9BB,SHA256=08C1A990205468C817F6A1084644002912BDD347EC03D4139E99E54424A86960,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.397{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.378{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000448739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.181{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.177{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.175{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.173{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:00.171{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000338521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.345{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.338{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x8000000000000000338519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.335{72106695-9B85-63D3-2000-00000000BD02}20002900C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x8000000000000000338518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.118{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MJWPBNBEUE\Microsoft.Management.Infrastructure.ni.dll.auxMD5=351FF41B05C666E700DC4ECCAC1B742C,SHA256=BC6E447639CE2F3E55A818A5544D79A8EC9FA262038676D1E5057BA487431D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.102{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MJWPBNBEUE\Microsoft.Management.Infrastructure.ni.dllMD5=D2C979F08E9591FEA75DF3508C978E19,SHA256=49576FFF8B97C1D03CDED4CE8D0C67E73D4588894D56A6CECC3B6FC5FB7387CD,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000338516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.102{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dll.auxMD5=4000DCA0209C14C9BCD1DD177196F2B5,SHA256=83875A2E7B0EA34843C1D8EBC0980BEC7A91B6E1FE4B11BCE69E81BBDDFFC942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000338515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:00.101{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dllMD5=E0DF78698CCBBBD22D7DF8B84B214338,SHA256=D5D79E6A941196BDDAA97DD97CE08D88F5D49F6F6BBE4DC1BE1BD3BC2DD611D8,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x8000000000000000448741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:01.883{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F1391D4D98694550D0902082C91FD3,SHA256=909C18330E74C52AC274EB5D73C16D531EAD1932BE1240592A035C47E6DC2D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.981{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F6C65A9F7EA095D855E938C28A2230,SHA256=BB54BA0B22E718DD89BB0D4E6BF4B8EEFCBE4741834634C8DEE2DFC75B0BA5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.746{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N205AWVJXF\System.Xml.ni.dll.auxMD5=1CD15247EE1C5D8F755F534F8BF479B8,SHA256=575905C7B80A6120790833CA28E5A80EBC85BDAE18D5832AD0EEE3954DCE217A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.746{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N205AWVJXF\System.Xml.ni.dllMD5=08D61386684ADBA053CB789D95877CCF,SHA256=DF851FE33C1842760B0384CA90D1D643DB695856A9FFCB94E033D5B9507094C0,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:26:58.412{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51037-false10.0.1.12-8000- 23542300x8000000000000000338578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N1KLWYMHPA\System.Numerics.ni.dll.auxMD5=3D584449D8994C8A6F53D6EA35FA327C,SHA256=1186AFEB65B6390E39B8A9F7DE621BAD52FAB94F71382CE854A7FDB820FE19B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N1KLWYMHPA\System.Numerics.ni.dllMD5=B7046061FFE1EC155C9812796FB7A2D2,SHA256=4F1AAA6948C8B9F14673FE17A83438A868FD347A58F44DFE85831136466B723E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.418{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dll.auxMD5=6C339FFF8233C29C022D6F64132B3565,SHA256=245A00C8C84BF6FDC07FA7C3AA0F192283A8D1E55AA1FC5212B59BDBE5B0DC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.418{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dllMD5=B419B44AAD97CA3AA622FC69F9F700EF,SHA256=85E6B77303F3C2B52190AD6ECB73FFF9A6EB42C02D61D315128653B8D806ED7F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.387{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dll.auxMD5=55B9DBFF22E9F9EA9030C8506FBB4BDD,SHA256=21857952A4D88926E936A4E055A5A32BC852B2C854FB5B5D02E2CE26FA11076B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:01.375{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.969{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD139708656273B6199232E9524CE89E,SHA256=2FB55346EADC591D79F0965368457A13D7DD489EE69AA9C7BDDB7915BD261B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.933{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.886{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000338585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:02.657{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N5H02E3PIR\System.Web.ni.dll.auxMD5=A7A4CD8A95ABCFFACDF2F603D8B09799,SHA256=BB0FE3B3CCDD641F6EAB89DC49233F107CCA52E4394D13478078C5840536E5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:02.657{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N5H02E3PIR\System.Web.ni.dllMD5=0DFF1F9ABEE96AB90C20ABF8F7D5E0FF,SHA256=3AA89AE39ABA8E68B4C7728F90065F4966878A8787CB79A952087077C0E55892,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:02.470{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C483FA61BE54BB6AE8017C2B9DB2F5,SHA256=C6D0FB108A9C5F2A154A96822008861195DA67AAEB5AA6FA98C6038B5B3319E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.880{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.865{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.842{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.800{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.792{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.778{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.772{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.765{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.761{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.760{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.249{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.248{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.247{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.238{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:02.232{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000338592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.938{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.938{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.922{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.922{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.547{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A676BD2ED398306B9B9B6FB3C528519E,SHA256=A439B96C274F0D092C7A45679B42F4EE8D00A97D6337E55463CA290987BD667E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:03.339{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.169{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.169{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.768{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NKXKVS83F8\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.768{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NKXKVS83F8\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.721{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NHYZ7O8ATL\System.Configuration.ni.dll.auxMD5=31F59B6EC91918CABE6D8A17CF35470C,SHA256=3B92A71B5A489DDAF17B8D47EECB0E52A66EAF43479763AC6A8EAE9D4D652A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.721{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NHYZ7O8ATL\System.Configuration.ni.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.674{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NFDQOC6M66\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.674{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NFDQOC6M66\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:04.643{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34BE5D53256D184BAF72CD928ACEB73,SHA256=B3BF6AEA277FD9619AC260724E4F915E7A02AF19E96D8EE5673BBD43ACD4C8E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:01.730{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:04.277{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32837AC5C6EC70B8B29649EEB13A4E5,SHA256=D3E93B4480A08D10AD175D7BAD1F44D78903C45737AABDD793B6A32F40E862AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.985{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dll.auxMD5=CC9F9CB4F637C42741255EF17203B47C,SHA256=370A27D995B8AC7DEC609867B2B7BBEA89A465AB01320C77D7F8CB57793DC76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.985{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dllMD5=4CE9DA541633C93EAE8D016C36CA6BF4,SHA256=08E8F1F9463152B6AABF02E6A7CB02A2DA4608AD745320837A9718B87B52AA29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.735{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8245620AC070CAB7B61DDF08403604A0,SHA256=8AEE5B332B580AE4F98F92A713B2404BBE430E1A8666A030123EB115AF68F688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:05.396{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC404244857FB9996829CA3B67D37EBF,SHA256=4D6B0C4DFF82769F6E09CF8CE585019D79ED50A11A0FDB0FCE7AC930737BCCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.626{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NPITZ5IXUS\System.Core.ni.dll.auxMD5=952B64D4882C741C3D0EE8D8BEFD35DE,SHA256=970C39703CE0EBCD93451BC76F25D06A9C47C75E3ED6DCC45ADEF215CC75EED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.626{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NPITZ5IXUS\System.Core.ni.dllMD5=CD0AE5AB227C80CD2904C2D3A91B69F4,SHA256=16605440A47722DCDAB1286F1F7F80843D51AF596D3BF4A07748EAB30B3C9DE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.235{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.219{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.219{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:05.219{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:06.937{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A641619074ADE17F9BDF7DB9DDC30F4F,SHA256=6BC13B86E02F5B3AFFA581C351ADB4D0A5D18A4226631F8FAB73FFB4F2967323,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000338611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:03.479{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51038-false10.0.1.12-8000- 23542300x8000000000000000448792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:06.492{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D5CEC5FE078B4E3B92EFC61433E4C9,SHA256=5701E0562C0B22F7368B0FA0425E1B2F996C559807D9B6E09E5D8693A1670DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:06.264{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NT9MP1KTD4\System.Xml.ni.dll.auxMD5=14534856F5BFC8845800D7A0C0021323,SHA256=DF0C74610B1D9ED7885858C67522DCC363520C33C02C892266B6EDAA443F20EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:06.264{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NT9MP1KTD4\System.Xml.ni.dllMD5=A49A9BCFBC3F880CAEA2B5E8D0DB3087,SHA256=E45A8FC2DBDF0D096F4763E4816346B46C4DCC752E1E7A5AA6569B1D2099D70E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:07.577{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E935F35CF5B400B79E3961EDF39AD01A,SHA256=88A0B66C637BEDEADF7BC82934440E53CB1CE5F18FFD7752A7B1F2E4832A65BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:07.672{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dll.auxMD5=48FFD457B52D2283A43AAA2D8D7B2895,SHA256=529CDC113FC10D5542623FECA65BED08EF6A85D46AD9F372D32D25C91224FB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:07.672{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dllMD5=783B07F6DC4FEB9350CE7157E6240EA5,SHA256=A3CDC262830D14397834BF31D00E6F5179BFA6B9E570BD76C623E6033A0FF60D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:07.253{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NUT2VYH7I4\PresentationFramework.ni.dll.auxMD5=ECB529A046D242E51A9089A65B9CA3F0,SHA256=A5046A01D77CFACA04260C1B08C02BBB858EA7C2DA5C47F26680B9B31879B6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:07.253{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NUT2VYH7I4\PresentationFramework.ni.dllMD5=F36284DCB208C14ED6D3D850D9222A56,SHA256=41F492A599FB3B090FE04F171C28043B3B4064EC0C29416CA78F7216E0432FB3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:08.651{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D64876032D5B08A8EDA007B778605B,SHA256=E8101E707B8AC58FBEF78ED01D824ADE2CC9A014EC71AEA0E0E21CB0EDD01E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.855{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dll.auxMD5=694406FEC9A4D3335D220AADB0FA8797,SHA256=45E44499273F3E2F07640B16480103FEAE49022794D70F6B761C1B8A7D283CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.855{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dllMD5=0632FC2C8FE933134DC4039823BF7DDA,SHA256=65074EB6B679C8BEFA936EC373CCFDB9EAE1A71563936A3F77DDE751164D8143,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.764{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O1XY2L8YSR\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.764{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O1XY2L8YSR\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.266{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYVHM2R3TX\System.Web.Extensions.ni.dll.auxMD5=2E5BF9BC9FDDEE2EC1CEE49920A68190,SHA256=7B7EE9D744FC87E1201615E105AF04D68FFC0FD8252CCF8FF56192515A78266E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.266{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYVHM2R3TX\System.Web.Extensions.ni.dllMD5=D602F4E4961AC3F0634411EB02C74107,SHA256=033EC4F8235BE6B6559D52FA7FB72897740BAD369F757FD534EF6708C4882AAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.108{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dll.auxMD5=AE1806558A5233CA0895E229CA9A5CDD,SHA256=BF8A1C5F9A51673F43C265FD747004440EA4B3BC1CE92378D2A9C6B197995F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.108{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dllMD5=FDBA63CB8F1C68D60D66AC4C25A52A2D,SHA256=9DFCA47793FC5BA5B8158ABB6E3487263E7967F0CD4533083D465AB38EA2018C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.032{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F63BCDBE4A9EDF7BC2A03C0793A089,SHA256=21D39A91DE23830DD3E316B93282874F8140E3C8D36A2892780E92522043A60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.016{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NXC57X7YDX\System.Data.ni.dll.auxMD5=86CC809B400EEFB04A49E3D7C6CB90CC,SHA256=896EC91EB408F7ABA6E5A8E79A3C302AE35CA2475D36402793207F469627F1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.016{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NXC57X7YDX\System.Data.ni.dllMD5=760268CF6608C488D33AD29A18FE51B4,SHA256=C2E3A8B5BF47F222FABA37D7F757BE0C2F471D4B3AEC2063F88ACF226DE31990,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000448796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:06.841{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:09.750{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B4CD00B07970B41643AA4D125D7F8F,SHA256=BCA904FF698180D58A0F4D91740D96DC4A473E2B8EFB447B0D1A093327E2F606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.989{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OGDK7D6YZH\System.Configuration.Install.ni.dll.auxMD5=35A313588DD8BF1C4A5557EAA79D2888,SHA256=8C1A5F0899AC55E471D0A266242CB849FA7A827C6DFB151597B962F19439A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.973{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OGDK7D6YZH\System.Configuration.Install.ni.dllMD5=E6EAB74B0CC7C40180FA4FE64126C927,SHA256=2B84A2239A9EADFF8DDEDB693D7C2DB00821062A8A2330814592705446E34CA6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.973{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dll.auxMD5=F5E454AFEA99BF074A1D3313654C9C7C,SHA256=15FFAD8EC46C0265F01EE5C5891650A8C1D7D481080057D01EC1F0B597D009F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.973{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dllMD5=D60796FB70D97A574714D0C77F93D97D,SHA256=A1C4314F753DA4EE230B0AB995A4F9EC872F35780174F6E060A1DF56EBBBD6EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.339{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.339{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.307{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OBA46COO2S\System.Configuration.ni.dll.auxMD5=8B5E71610245DA112DD1B3CF99113D16,SHA256=7301367D9172276014F1648702F784C0E503E4F85F500D6A9F3C3CCDC03B6EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.307{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OBA46COO2S\System.Configuration.ni.dllMD5=01618134B523B3891FF461CE3AA9A7F0,SHA256=900F655094091C1A877AE20E42D4429A77E88EAC41863F79AF9ABF1591E7F45F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.260{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OAFK8U3HIG\System.ServiceProcess.ni.dll.auxMD5=571E3F17881029282382BE17223D6354,SHA256=FB244CCB45FB0E5E0804EFB9B8B38B750F1A50D5DE93999CFC8186084ED8A54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.260{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OAFK8U3HIG\System.ServiceProcess.ni.dllMD5=DB9C179552E1BBCB89C995B53E534A39,SHA256=F9A810E75F910AB614771109BF323517A1E21348E177C03113DFE4F9D00A8255,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.245{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O93JO8LMGQ\System.Management.ni.dll.auxMD5=3E61D2464C4E4AB4B4D3ECCAF651195A,SHA256=E45A9A9710EFC4CCC7649A51BEB67FA0C92C8AAE007D50554F876C0E86BB79E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.245{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O93JO8LMGQ\System.Management.ni.dllMD5=B05D7DA87351B11F85473ADC296D69E7,SHA256=875E1B76FE1F04097C454800EE709182120B0EA712F519266AF1B6FF6121E37B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.198{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dll.auxMD5=EB3705BF415BBFABE3EEF435BB9CAADD,SHA256=19E4BFB51F3918297F82E34403F9F1935B17BBC2A78E6C4247D6089C94C8BF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.182{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dllMD5=D34A762C6315A7E500BD3DC88FEDD43D,SHA256=80E62A15C9EB0FAB896B1D0A216D1C3AB4C103B8F957DB46C14E6DD9614D43FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:09.135{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B012CCED1AC05923BF5E82840192123C,SHA256=186A4C491EBC588EF271AADB61AE777A6ACC96D0431C65CE2BF2918E9047BA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:10.842{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C8A4DE93D346C71B5DB47561295373,SHA256=7F04A18569F78681B2EF3642342E20E84B973A743800BE151AEA83E893BCEB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.818{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P11WA3S3IV\System.Web.Extensions.ni.dll.auxMD5=2E5BF9BC9FDDEE2EC1CEE49920A68190,SHA256=7B7EE9D744FC87E1201615E105AF04D68FFC0FD8252CCF8FF56192515A78266E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.818{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P11WA3S3IV\System.Web.Extensions.ni.dllMD5=D602F4E4961AC3F0634411EB02C74107,SHA256=033EC4F8235BE6B6559D52FA7FB72897740BAD369F757FD534EF6708C4882AAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.690{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dll.auxMD5=F07B09293E0492E71E96C7A764BB524D,SHA256=A24285135DCD60675A12C5E36DF5B3FD7AEEEACFD305973C262A0C73053C7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.690{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dllMD5=B0386808CBC978446F0D8638C53F9F02,SHA256=7E05166D981CF6FA3157EE088305E2B901B9721FCED6370E9D1CE7511A71AC64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.596{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dll.auxMD5=5DCD12C73B9F94AD86DD5CCFF0961B76,SHA256=F48412CADA48829BCA494224CE73B46166853194748E6A93117C35D3A388A473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.596{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.331{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D6ADE73DDF159566B9E8FF23C8086E,SHA256=CB7AAA5B34CC3E04719F7967A907DD9C276E364EE31BFEED4D305164C69EA194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.205{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OW0TSGNAHK\System.Configuration.ni.dll.auxMD5=D06E00CAF0A4FF9E9847C4F362BB0BCC,SHA256=DA0A8BF0FC5465EFD8985DEF36E705109BB80846F0DE02BE0A646B62917BED40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.190{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OW0TSGNAHK\System.Configuration.ni.dllMD5=C79E5EB1FACD30619716197154387EB5,SHA256=647950113EDEE6BF94AD58D6B2A56C6F68DBA638F7FBC2062B76A7173D7C1012,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OP19E3HM16\Microsoft.PowerShell.ConsoleHost.ni.dll.auxMD5=A4798438DC55A2AF305B72774CEF28D9,SHA256=A2499D47E1671F98CC4F90E65162F7234B2B314A8FD6DDC60A9918CCCA32AF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OP19E3HM16\Microsoft.PowerShell.ConsoleHost.ni.dllMD5=9F15D6A8BD0AAE9EAA6ABCC64206F916,SHA256=371ED5681FD953566B7C39FA9FBC9CACBA808362C2CBE939094B01DC82C6F560,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.067{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:10.067{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:11.943{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85356372B79E21228D6100074F8F0742,SHA256=3626CEC971C00783762C8962C9F07627F0A67B5991C2519B7363D8B7C25A1C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.736{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.736{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.736{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.720{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.642{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dll.auxMD5=0B7B3547A6755335583D2C975D27717F,SHA256=CB5ECB0625E0E2D5C2A864279FFAFC96048F0E10B0A47437B6CA6D8FA2DAE6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.642{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dllMD5=90F0732AF7D2F9207DEA5BD7ECAD33B0,SHA256=C929FD867AE7413965067562351E1DFA8D05721D5A6151A3B575EB94B970F923,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.423{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9127411355F6AF72471AED85D238E51,SHA256=E9F9511297485A918F5513114FC499EB515DD81D367B59DF87BF1B3F663E625B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.316{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dll.auxMD5=74E5478F4A51B682700233CD6B7C05DC,SHA256=4BC93A21F6F5BE0B8E4ACFB6F96A6F3B1444A8310826E2CCC4DD8862E4D6F3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.316{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dllMD5=D518D6481A2B6037B8E61101718E6EB3,SHA256=154839515F16941BB2AB2FF9716A5CBCA5FECCD9CEAF9D0D51BA9797F3B98721,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.300{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P153XR6IER\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:11.300{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P153XR6IER\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:08.491{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51039-false10.0.1.12-8000- 23542300x8000000000000000338672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:12.984{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PI73CYL2TN\System.ni.dll.auxMD5=6E04E51CD860986EF0DB3BBFE1E7BCFA,SHA256=BFC5EA27C0C03579C98792DF6832F1756F586EE29A7A098B758E568F0DD3EE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:12.968{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PI73CYL2TN\System.ni.dllMD5=D66E0FBF1A4BFEC46E49BCC74B2D2D78,SHA256=61E00A836AC7D8D18D6FB4C8437E60489E3F77C91146D75884F88DA5B29484FA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:12.516{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:12.516{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AF4A6EDF2684A4EF4CDB0470AE3EE8,SHA256=A86A6EF372FF6D8992587D76806AB6B37CA30FAEB79AED7825196D6FF9A58A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:12.516{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.605{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA009E5905EDA420CD928EA6F175847,SHA256=B1CDD1A7646EEA5BA0FF3EC0316979985F5A082F2D4728FE42498E60F479739C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.574{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PUCJ4UE05A\System.DirectoryServices.ni.dll.auxMD5=21CF650ADD80570624AF2C9E8E40684C,SHA256=2AF2690FE7B69F7CB87B9F4260CFB4161C8E79A280DF2EAB0BFFE84EC8060964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.574{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PUCJ4UE05A\System.DirectoryServices.ni.dllMD5=A549FE893968454ACDF9BEF67D5BE098,SHA256=A9F047E1EC8FFD931754C43AB41CAA1F465E1C3645A7F0453F9AB86FCEAD5D10,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:13.129{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755B7C6B4EC48405A2B31503801CE669,SHA256=1248C11C3A40754EABC6D6CCDEC8F5EC9D4CE1732141CDDD599D79C514A91EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.465{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dll.auxMD5=D4AF447AE12A5806CB93B8D78E283140,SHA256=09DBF9D69C0FA8722ED60CCB128241D63E23DBAAC1AC0C3406136024ECC0EEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.465{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dllMD5=5FF3E0606A26FD5CED8795E64BD23991,SHA256=3100FEDE83BB1EF84518D4DDF9344F0FA72E1797C5934D4BDC3C0473463C8693,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.449{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PJG7UJLNWQ\System.ni.dll.auxMD5=6E04E51CD860986EF0DB3BBFE1E7BCFA,SHA256=BFC5EA27C0C03579C98792DF6832F1756F586EE29A7A098B758E568F0DD3EE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:13.449{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PJG7UJLNWQ\System.ni.dllMD5=D66E0FBF1A4BFEC46E49BCC74B2D2D78,SHA256=61E00A836AC7D8D18D6FB4C8437E60489E3F77C91146D75884F88DA5B29484FA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.773{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dll.auxMD5=83B0819F19853C14765B24B1AD811ABC,SHA256=24231188EFF9EBADA282616086E59934ECD0A180EACC8CBA3A623AE1026052BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.773{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dllMD5=5AD420742C2665182250F7D95FF74A76,SHA256=7A8D4B30B8FF51570A614F387F29715B80B2BBC4C7BB4213062AD17DDA698C4A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.695{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D340C133A8D1A08A5591412C7F6D1A03,SHA256=C115486ECBC4D6307F8DF2222CC9C9D7A63107AD546C60D6807F4601BEBB2575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:14.739{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-105MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:14.326{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569929784A0146D4CA0BE7090BF33C8E,SHA256=2CD8B333E7A9B0E5B46E7523BB5562D27617E59766B6A1461B0844D9B5753494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dll.auxMD5=67EA7579FBE5D95C014B695402882EE0,SHA256=02A0F13F1E4E2882F3F1298FD9F09EDC0DF787CB503D2929A7536ABCE64D90FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dllMD5=0111D3A2E533281DC6DD7C981CB8CAA1,SHA256=600DE357800878318E9B1C166BF9402EACA737CADBAB9ADCB7FDF8BBA6C67030,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.041{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PXWMWZ4ZQT\System.Core.ni.dll.auxMD5=E1AA5E3E964C85C2427B886F54C978E8,SHA256=E004E58B9C1E7551EC656F8EF790C6D85AD50EFDEA1578B30FEB6105788830E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.041{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PXWMWZ4ZQT\System.Core.ni.dllMD5=280F296DE8542AC2E937D3B40C5A4856,SHA256=DABE01C37D755336397BE888F66917B9FB070255EBC5B77337D175EC08FCA195,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.780{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DB8340BE44FE9653821FF75B802FFF,SHA256=912778AE96512ACFB4118F2567685079460A4A8F63F1DC816CC80D0544498366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.702{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QA13L0N0D6\System.Numerics.ni.dll.auxMD5=99540E1E3A9909352ABF7EDB826D045E,SHA256=F9B8E4FDAD0D00F99477CAB1080EEB88ED7734977705F01A76302EDC40975074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.702{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QA13L0N0D6\System.Numerics.ni.dllMD5=6D610EC50E9D1F98CCCF19BD425D76B4,SHA256=3E9EEE1D3B6D758587018798C57A5139CA16CE3F4E4442EFEA09BE3F214A4FDD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.702{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q8G8M444VJ\Microsoft.CSharp.ni.dll.auxMD5=0821BD65FA52F1E469DFB7056C40614F,SHA256=4797D4A57924FCCE2343888C30CDD1345E0AF98BCC73949EE0C74D94D01EE533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:12.763{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:15.739{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:15.412{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C44C4718A5598DC3B681231E19B7048,SHA256=61FCAEADAD081821434CD8339E463962A9E911454F665D5E18672F1205B7DDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.655{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q8G8M444VJ\Microsoft.CSharp.ni.dllMD5=4A25A7443023AC698644ECF4F3F19552,SHA256=27E06A9FB4403425024AE4544A5532BE32C02F810E29731ECA8C7884E2D0D799,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.592{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dll.auxMD5=D9EA29F8B3C587F8A388E2C44AF446DD,SHA256=61515EE0004F0BA51135A47837FFBCC51EC1417BF6C4D10BDB1F4DA6E2C17F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:15.592{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dllMD5=72297374A83EFE1E568D5F1AA1B4E748,SHA256=0C5281E6416D4F9EEE59F1CAA2C737DB472DEBC0A7F15B038484A51AD2D9634A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.971{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B2BEDB591A44CD615162EB73A49A07,SHA256=8AC7CDCB234348908B452F79FCB447C37272283F0BE30C62521A3319A96A13CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:16.506{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6606450199B6340B38FDB9035E28B0,SHA256=D95A80CE066D6D01DE396B76318B8C1C72D781A4C76816833D86C258346218A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.632{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.632{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.616{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dll.auxMD5=6A7FCA88EB093FE1BB082E272AC2421D,SHA256=A5950FA568159B35AA8963997DB039E0CCBABC8668001E24B0E8E7B05467B0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.616{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dllMD5=D2D51896FC97FC53362B468BA49EEE3A,SHA256=D42A3DE02488863E75FAED49C251D958F8C26CC2F523ACA01D0F0CAC4052F78C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.259{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QMRBCI4X0Y\System.ServiceModel.Channels.ni.dll.auxMD5=9A6EEE35615E5769DF9CBD8D78E58A23,SHA256=2259E6C664EE584F044FF02882B0AD5F649E4B95542ECA802E2CC629CA93E8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.259{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QMRBCI4X0Y\System.ServiceModel.Channels.ni.dllMD5=56A45B51B26D15BED3993F0BAD08E65C,SHA256=DF73A6D477E4F09ED4335D2EF7642BED5CE9EAFF5688A1A7426FF5579B072ADA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.212{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dll.auxMD5=4C4FFFC3E154C905C9C643845FCE328A,SHA256=1F43D99B3935FB07CC6C6340C832C92C43495F06826C07A01FEBF4BF1E97336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.212{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dllMD5=78947C49BA92424CC6AA6E8CD6D1CB3A,SHA256=4123DF564E230E74A1AB0AB44271D9B033898AE5F9BD741BB3C914D6F1D539C7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:16.165{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2F693AC34E441B7901A80DF3F0B897B1,SHA256=5617D32F7F67B36840EDEDECC8FB80BF6D1EA255034105712B37CFA9DC17E079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:16.242{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5D6CAEA4A0D5CC0E7B145C03D0A22CF,SHA256=8B62E84321066EE0B72978038E18E5AF2743F8E3B9CEF938981958D9A9FF3CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:17.835{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E6C13A5B8E8E8E89DBE9AA83A1A114A8,SHA256=C4CABB16A88379BEF587BA34642331361CD04B1B3EDC4310E21204103C6A7463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:17.710{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193406145643EC63B9595D2D85928302,SHA256=1D9FCDEE72FE86D4062443B6E1375AF55308085787C3024352BB5F5E1A1280A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:17.706{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:17.706{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:14.328{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51040-false10.0.1.12-8000- 23542300x8000000000000000338705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:17.065{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dll.auxMD5=0ABA8EE4C96771CD3B6CD56A2DA9CBF6,SHA256=9C26CAC4A3E0C19DF4928C90F5F36A2D5AA689905B7AF3E9A7CBA5B925753D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:17.065{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dllMD5=FC806E761F72F4A41798B08766D9DB13,SHA256=1B6FB65CE6BCF66CE1BFC0BE58F06DD2949012D03BF79CE67EB35A20A5460839,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:18.791{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701514AB7161DA523408D874D91DB1F1,SHA256=0225F235D4CE75E4B8D71C1C568D781CFB74A0EA50A82AC0548852FD7F6C7FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.372{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dll.auxMD5=3C0E46C45BCF91E9607FCCE8F2EB1153,SHA256=8B62160D2B2016E7615E19AF407C52A66A6AB89F6AA48255F39D85AD826A6391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.372{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dllMD5=ED030D562E600AD124F818C0F59AE89D,SHA256=5080BE95FA9CA821324B2094792AE5A473F1CFBC38E20209EFDC3E775D054CE4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.310{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dll.auxMD5=CCF15A1A5478AD4C9A6C5EAC3B4EDB1D,SHA256=80C7E515F2F30459C447E0C663804F04B2325BC9F6246CC881B933FFF502A2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.310{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dllMD5=01675F7E454CEA910CBAEB0A7D4BF59F,SHA256=0F6DF0E70167F51DABB0B82E921D337094D2833E91B72BF4BE15756F8E49DA88,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.294{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RPBBOPTSH9\System.Numerics.ni.dll.auxMD5=99540E1E3A9909352ABF7EDB826D045E,SHA256=F9B8E4FDAD0D00F99477CAB1080EEB88ED7734977705F01A76302EDC40975074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.294{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RPBBOPTSH9\System.Numerics.ni.dllMD5=6D610EC50E9D1F98CCCF19BD425D76B4,SHA256=3E9EEE1D3B6D758587018798C57A5139CA16CE3F4E4442EFEA09BE3F214A4FDD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.294{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dll.auxMD5=4F6E2CF657AB3C20B463DF7873DF8594,SHA256=F609CD67B4E59BCAEA6C8472B314A28DCF1872AA6EE9113BF399F45726EB4F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.294{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dllMD5=5F895695883F631A993A0F8F582807B3,SHA256=1C785DA125A9DF9516988A97E44348DB77186BA39EFF3C7F82E5391505B61CC8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.278{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25CF749A513A932A7540E9CBA96747,SHA256=6E4AC21A41E299B27AFA7B549BBF96EEE33C2F3AD4456C09170CAB25C195E91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.153{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dll.auxMD5=AD2C4453E59EB7892FA2CC4ABD0A7E7C,SHA256=DE2C69FD102FE3E1072F2FA0F3FB9625D65E9059393B2664F5D464A7E3FEA7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:18.153{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dllMD5=504A4880B14625199F3F1AEFCCE6B202,SHA256=3F6D6E89B2EBE19C15EDBC2E78B8BE32178FDB37A8C1DB5A46DB8A76701910EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.863{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BFE7F5E20AB90BE64FD973250D6C9C,SHA256=B40ABEC30A86FE7753BD63BC591F1406159CED7F570067A91F135857DDCD1B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.782{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S65XIIPIM7\Microsoft.PowerShell.Commands.Management.ni.dll.auxMD5=3C190C19DEAAE539A28EB7BD701BDDC8,SHA256=54150D03B9B745FF037434FF103BE0D32A05C340DA7FE1031D97E4EB5B2CE388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.766{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S65XIIPIM7\Microsoft.PowerShell.Commands.Management.ni.dllMD5=B9C7B4660CDE1AF558F032A129A53CE8,SHA256=CC77710AA36EA5F9D11E9A801514A8E457BDD18C05FFF9A7D25F7A95F8830146,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.688{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S3RKDRW7J9\System.Configuration.Install.ni.dll.auxMD5=19DCE4CF0E343FD43DD0946FEC2CFD31,SHA256=9C6D5E281C9A3EB2E18F197E2C6A02EF55081A69A97C59DAF14EB444C1262B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.688{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S3RKDRW7J9\System.Configuration.Install.ni.dllMD5=9CB459211EEACFE422AC09F0D51BB565,SHA256=839E9CF7E2FCC05AC1635019C08EB7F51EC625C38E0ED515470EF9147D7CC5AA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.688{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dll.auxMD5=24C96490414503BD6F9A89910E524FE6,SHA256=90368670D86C6D23108DEFB97877396DB68D63E4C13B11C6F482519FD387661B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.688{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dllMD5=0B906FCE3A311AB81C8EBEA00FD629F0,SHA256=E7F372A1C2CF8BDA12DBD0860F3562D207689D5C6BECCE0015EF5CA97E7649E5,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RX0NEKSP98\PresentationFramework.ni.dll.auxMD5=72766E03DEB3C34D3B8E3B1B00337EF6,SHA256=9F4E2E43DEE4721F36C5FB0E26371E54A1C0E7BEB4AB9F30C7957933D0651808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.641{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RX0NEKSP98\PresentationFramework.ni.dllMD5=628F4D65A62FFBC220FD0719DE7CA8AB,SHA256=ED6F194F316186D32189CEA83ED9E0B016581656E16BFF8B5FD79B7D1FE8B255,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:19.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE44E583D3F4EA1670084512CCDEDB9,SHA256=D2C280C274D209800144EEAF6B67DF68F5E9D91130C621476A07C156BFF4B2B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.576{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.560{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.543{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.540{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.489{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.480{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.416{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.391{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.365{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:19.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.918{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB6C00F13EF0815DBF078246666C6BA,SHA256=A13336CE18CFA74ED39B68A83E3394BBFF03A42778164B1DE1EAA60BA1145B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.876{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SB031RS5HZ\PresentationFramework.ni.dll.auxMD5=9FFC653E1E73BA3507C493E66691077F,SHA256=8B3B6DFDD8DB46E7E6B68BE6B35317C2226999A272A07406EEC7D44B96ECE668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.875{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 23542300x8000000000000000338778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.875{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SB031RS5HZ\PresentationFramework.ni.dllMD5=C817E891FEA0D7BBBA24895842715EEE,SHA256=2F9EC0C9DDBC76E7390D6DACA87ECFC492BEFF5481DAED0B8EAAEF5ABA51DB0B,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.873{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.873{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.869{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.853{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.852{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.851{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.834{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.815{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.807{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.802{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.793{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.768{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.749{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.745{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.708{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.698{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.674{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.666{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.663{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.657{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.649{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.637{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.636{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.634{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.631{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.623{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.618{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.606{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.602{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.593{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.576{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.573{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.559{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.506{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.488{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.473{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.464{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 23542300x8000000000000000338736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.455{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1F572555A3222F32DE07730E51F011,SHA256=646795DB85796AC6B68A85670E91504E6AFF13D794C84B0C77065225102B1807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.452{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.440{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.428{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.390{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000338731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.367{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000448834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.236{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.232{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.230{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.228{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:20.226{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000338730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.344{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000338729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.336{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 23542300x8000000000000000338787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.833{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SIJQI2MAC9\System.Web.Extensions.ni.dll.auxMD5=E3501E76D9EF0B69A4026C6B590FB58D,SHA256=12ADFF882440F9EB5C27A056A218ED416F9DCD578D265D632B1B75C828662F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.817{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SIJQI2MAC9\System.Web.Extensions.ni.dllMD5=BC1955AB148A91685B03B1BB941055AB,SHA256=D878F2A32362A0F1E85C7712D8FC5C8A8176F39970472B42987638B84169ED3E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2254BB06F5B8E5A6E86264A41E22D46F,SHA256=9CA502CCE77921CBEC31ACDC5423042CF4A96750CC97FE89D20E60F295D575E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.616{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dll.auxMD5=9C2C1DF16379BF958B0D67E0B3610AE4,SHA256=AFBE99A8170E89F98A87750E88CC02E6E9B7B6E188CA47043EB1B64C68FA0B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.600{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dllMD5=E0408356E6103FCD924AC2285DC1C885,SHA256=0D45CD52A92CB9B17E8931E21B3183C8605255624264C10BF9B5AB5FF14D8D0D,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000448836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:17.802{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.228{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dll.auxMD5=02AA118D8E3C67485AE986D7809E5813,SHA256=B90C0DD717587FAB26AE04FAA85FAB8119FF23CDD5596A954BC5E660BB3EB1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.228{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dllMD5=6D7E9BF18E21AD794AF893EBB009E6A7,SHA256=837C8E670276112124615988CF0B655B6202FD2F351A34F56A7159AF12C4855A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.996{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SV5TTEV0E5\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.871{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.871{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.809{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dll.auxMD5=FE20915E753A6B48C1D7C978C1AFF282,SHA256=D66CA48589CA1B1CCCDFDE70ECB6B57B258A0962DA308809DD46E0F4ABEC0D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.809{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dllMD5=A2398F5CDEEC4226380CB620C5D180D8,SHA256=4007C9B8A5360D49CD4DA98D262DA539AD790AA13CA54712757441B1C56F2980,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.717{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565251E0039D473830812A0D063F5FC3,SHA256=A1588A15460D45C1E58E507FD576742DD29FE12F795BBDCDBF8934C78744FCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.717{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.701{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.654{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dll.auxMD5=68F3E83339872D673C61BCDADE513017,SHA256=25ECE5E7917FE392F280C93C69EA441333898E738D28AE8C2F578E364ED7DA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.654{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dllMD5=E993EA2898B9C9812D58FFE1AE84E74B,SHA256=28BB8495AE0284A1262A0A7F02F222498059917F05A973937589A60F9C8A23E2,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.973{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.945{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.939{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.928{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.909{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.879{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.868{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.857{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.849{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.846{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.839{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.834{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.833{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.829{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.315{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.289{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000448838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.276{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000448837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.007{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B735E1E8006E284E30C294A31FA85726,SHA256=88DDE45D6CB24008CE7D1A57F2D0C98D5E168A25AAB44D06FE528E323652C393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.298{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SLJJ7JM0CR\System.Data.ni.dll.auxMD5=F1B0E3797E1FE78975EE40A12DCA905D,SHA256=97AC61F5AF042419CF86BC935D8B80BCD13C4DC023752ED10FF40200865C29B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.298{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SLJJ7JM0CR\System.Data.ni.dllMD5=2BEC529C281F6FAFE58502E23B896177,SHA256=24FCD1C5B352D391F19E7C8140E9A791DC7B57D2F18BA276ACC7DFDE27DD45A3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.733{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SV8TAH5U0Y\System.Web.ni.dll.auxMD5=EC60E3221C3EBFF5986B29FFA07A55F8,SHA256=46D5499FAAB9A175C7595A39DC660D3EA84F5285A7C385FC78A9A67FCA39400C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.733{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SV8TAH5U0Y\System.Web.ni.dllMD5=36F4CE73DBAAE2514000BBC5C663C76E,SHA256=DDB01599ED5CB285CF4B944879278F305F3288CB14F7E35AF2F99A233A7DFA78,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.686{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF4087FD55876839572058D891D79C2,SHA256=0718689D62878DD6D1938B82B4A5F08A0870C2A2E81C93719B1C8417CAA4DE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:23.058{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798090DD83C2D8250025E05BD4555D6,SHA256=5CE45ECD059B790370318DF774D4106BD6588D5E2B3F6BBC553C832C28D1CDEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000338805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:20.295{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51041-false10.0.1.12-8000- 10341000x8000000000000000338804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.161{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.161{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.161{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:23.146{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000338800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:22.996{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SV5TTEV0E5\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.796{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DB9E70CB733F4DE6FD36CF7174429,SHA256=1FE1F8B9319F5E4203F291708C0BFF88F0D6E0C546A9C5DAE2329635ADEE76C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7AOIKB17Q\Microsoft.PowerShell.Security.ni.dll.auxMD5=FD3CF62E653CAAE854CAFDFE128D5D18,SHA256=3104C9E1F01AD7774BA96F4A3260F1829A103B1133755AF20FACACBE431F0A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7AOIKB17Q\Microsoft.PowerShell.Security.ni.dllMD5=9C858A3D27D6BBECEAA7D88103FBB99B,SHA256=50ABB47279AE7ADE562B53A4783E7C1613F3B719CBA593E086BAD0E3BCF04AFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.750{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T6JCDJM3HS\SMDiagnostics.ni.dll.auxMD5=EF5C14ECD2942930CBEF3F78811C4906,SHA256=0E1472E7112F197434E8D7BC4022A0175E43C87D88359F8DC0160FD1CD201B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.750{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T6JCDJM3HS\SMDiagnostics.ni.dllMD5=B757420CDCD64133145474F44A5C7244,SHA256=A82EC800BA2BE97D195321BF99EE6D030A8F1A999DCF882934F525A2EC66FA72,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:24.169{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B15CCC4596E2534EBE7C9BC0B518E91,SHA256=D55D2B6F02EA99668DCCBA7012170FDA684632C29D50F9ED18354369B81C2B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dll.auxMD5=F17814BA3A499E75D25D8600316A312E,SHA256=83B003AF767D928434650744A536BB23C6BEB46D3D16DD964DBE77382A1EADC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dllMD5=BABB1248300114458CE418D687F12C45,SHA256=2C4CF0E399747B3A28FAF4BED3A5DB80E1B32E39A1F6AD1A24DCEB2F4BDBD731,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.405{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SY9SBW8JHI\System.Xml.ni.dll.auxMD5=ED9496CE2223D4E1A165BEFC8A495F49,SHA256=4F40C0EB01C6D669BAD474D8A1EFA20E9875920DDBCB1E521BBFEFEE2ACC0FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.405{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SY9SBW8JHI\System.Xml.ni.dllMD5=37E129A04ED511528A4B868C33DA4466,SHA256=ADF060A953F940FFAC3B248DE75B69860F955197BEABB73C56CF26EB8705E668,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:21.456{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-50897-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000338810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.046{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dll.auxMD5=E01ABDE7405B6917FD52CBCECEDFB15C,SHA256=73DEA8197F091277613BAAFEDBE37A4231410291B5AFABAC8D6907407482215B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:24.046{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dllMD5=5F6EA5E77659D339DC666E0BCCD7B0FB,SHA256=D03C42DCD3565491379E0C0940E60507EB8B28F6FAC705F98D68A788AA31F8C8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.947{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dll.auxMD5=7A44EFFA7DCC91B7C5544BE94DCAB99B,SHA256=82430CD1974781DDBA8E3229219F17123658865551FEC8BC2D4290A1B5106A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.932{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dllMD5=D52C7EE4CFB46F754E22E0C2A47AE1F7,SHA256=70C0BF60131A45390406D3C461BEE5C0449868CD3E9B41A89FD5808F16D9516E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.791{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D07E1A495AB77CB066823A0C45866D,SHA256=D72F3A14C6303977523ABC0BDC40C95A5C70AE10598375A9A885A33E30C88874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:25.253{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F98CFA2458A8A9F8C2CF5F41C2C397E,SHA256=B2785FF4EFE7C6E754881B0943D9B70523D7EAB11272C48BAA29381683C69A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.463{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.463{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.866{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A679E7FB107276FB513F0A1C168AB85B,SHA256=FB05DF8F08C3E39B9A19153D240C58D596B3EB6C3692D5706BEB9C1A211B4B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:26.343{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC168CD8177D995FACC3BBF76919D04,SHA256=4B23402B12BFA814ECDDF2B6BF0587F330263E95AE5C0B8A9796D6B9B6732327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.571{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0BMJW9V31\System.Data.ni.dll.auxMD5=418B412A71B2AA5AE310EB5DF17FE51E,SHA256=B677025EE31D0C7BFF82842A1F7F498CCFE04FB539B3C4D9E7EC7D7EAD792C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.571{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0BMJW9V31\System.Data.ni.dllMD5=3533887869DE063F12A49173713939AD,SHA256=E62285592037076E8A83F5A315787203C0133A8D6B45E72847EBDC980B6B9707,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.148{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dll.auxMD5=345B032FDAB64413D929BFBDE26FDCD7,SHA256=2071BD12C470F01C83E6EFFBADF7E960568551E140259A99309F9CFF8BE70FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.148{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dllMD5=CD8B06DACE1AE70F053FB67F75439D1A,SHA256=0D78871A1A1AFA2B8AE0A97E0D781565C2014C1A4C687D3731557233DD0684C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.133{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TN03GDFH5C\System.Management.ni.dll.auxMD5=D1FB47B13BEB3E3FB03751D019B8D15C,SHA256=8C6E70F4C3FEC15367AFDD3AB7E1A31225D13B8002E76E66F28E297090FBD149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.133{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TN03GDFH5C\System.Management.ni.dllMD5=80E812D84EC5E760A33A174532E98ACE,SHA256=E2E98827A0D3A37F3B4562AEDE2CDDDB9EA45E33C40DEAEEDF862BE0282E3A51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:26.057{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000448860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:22.899{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000338846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.950{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C99C643C5E46724932A5D980242A6F5,SHA256=511FA0264A53248D89B82CA2C899CA36AB563F6A9CF2724BB9BAB3A2F0F966E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:27.450{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375839BC8DE55621D4F57C0F8931ABA5,SHA256=6007CAB45CD274D2458DCFB47F4A1AB10E4508F278B5CAD311829007BD8CF204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.763{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UBWQV75U4G\WindowsBase.ni.dll.auxMD5=3E713C7FCF62BCBBB6E934266B0EE0C1,SHA256=FFA92757F191A444E0C5E7FF5B29DF748B316E98B3BB92FFCBAB4EC7CE02A9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.763{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UBWQV75U4G\WindowsBase.ni.dllMD5=EDCA98CCEA19C0A493682BF7DC431B46,SHA256=3C51943AB2BFE5B3E2C7AED128412928385E915AAD345062A4077C33D2619684,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.622{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4081C952724B9C7EA7B38D870A9F905,SHA256=4DE6F2EACA9488A4ECB51892AA31DB02DAF0DA1353EA879373C4CE2E978AB55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.531{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dll.auxMD5=1B8DC30D3E1603C9DFC6045DE267AF71,SHA256=9760764A3E526F12D9481D6A6D9590E737DDEDFAB481D8ECB2296CB32C0DF0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.530{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dllMD5=53F371A0174862A68DC878FBC0D61266,SHA256=9FB938EC3F9D66E64AD525DE4F30CF27153A929044D64DBB8874CE5B01F8697F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.519{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U1CZHJ5DIX\System.Configuration.Install.ni.dll.auxMD5=A0E11E0BEC75DF50BA4CB59C8483C494,SHA256=68F0122C6D2BBFCD2C635850D6AD3B76BCC1ADC8000F3FA8CF5789E4D3D22284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.517{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U1CZHJ5DIX\System.Configuration.Install.ni.dllMD5=1DD56A8D74115084B36B430C8F146C9E,SHA256=DBF6E2FB1F4C8B1A8421FF476674013F8798BFF086A233EA9B94F1478DC2DCAF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.512{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dll.auxMD5=41EEBA98CCE6653861F4C0A7CE5DABB0,SHA256=30029B1A6AB901F5296117A11EF64E86D2CD12CDE5513326A8322C7389B31923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.509{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dllMD5=222717FF5E045032C8546855A709602C,SHA256=A51C561900046AC9B7FA831C5499459E234999D2E48F326ECC85A94FC5E5C193,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.503{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dll.auxMD5=3BF11075FF377DABD00295A10B159897,SHA256=06CD7958ED343C21E2B632F48856453AB2FDB59C7C3B82D30FC94BE485E62884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:27.499{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dllMD5=A0A7A24BBB1337F0F402CA464D0270CF,SHA256=7A6208DE8BAF9327E0195E456E67B16729EACB4BF7CB6D9CD1C9A79F58B1F2FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:28.649{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9711986DFAD292BE46927F70C8D322,SHA256=D4871B75D77216D6AAA134C0DC93DB094E698A6F2B74542481EED0B9469E0A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.928{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UEDSTXZKNT\System.Transactions.ni.dll.auxMD5=560017ABB720E97EBD29B91F1B0C94BE,SHA256=F031EA98BD2D59AA0BDA9C4D330A42BA25C58F5717F1830AA77F2768471B23B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.928{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UEDSTXZKNT\System.Transactions.ni.dllMD5=F684A57BDF29DB0382B45635BA7B61C6,SHA256=377A2C8E71B2FF28495C441089A4ACC7F57BDCC2BBBC295802DC3A5831DF8A98,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.850{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dll.auxMD5=8F1FD4778E91747A58145154E17EA5AF,SHA256=5F51126070FAC3B2FE9EFFC6F556531FCF6A24E2CDABA5256662A878DFC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.850{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dllMD5=4EB0ACB2849F125982D53B74DBA06226,SHA256=BAB44F496D0350D8D73DD0CC0D493CC1C5F26C6A4959F50CBBDA7560E58A220E,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:25.319{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51042-false10.0.1.12-8000- 23542300x8000000000000000338848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.128{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dll.auxMD5=4D66BF5119D58A48BD3F7A7AD7354010,SHA256=131D289921A8DADB218DF0D0E67B3EF964AD315171A92823D7FF5B7881E1CA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:28.116{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dllMD5=2A6660246DC3C48C26515DC456C27404,SHA256=3A9DE09DE10C5F9F3A1D3B49FEF7A50181275A29E7A6B909E2850D80DD736457,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:29.735{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8060E0BA5484352F2F8C00977A285A7F,SHA256=D8BB0BEFC7EFD3EEE9D9BD10BB5BCAA524D92D925E0572A0C96360C0F4F1B135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:29.815{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UQL1XIGEP7\Microsoft.PowerShell.ConsoleHost.ni.dll.auxMD5=CC02FC426AD83403EEE196F407361273,SHA256=C845C5D2D8DFD5EA0B49F7020BE4816B578090418E668F3429B2B07445103E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:29.815{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UQL1XIGEP7\Microsoft.PowerShell.ConsoleHost.ni.dllMD5=1CA822E5E6C943763C64F2BA32DA82E2,SHA256=9FE137B57B29EB5113468E5B8A2C718F4AF5A3DDF20F23EFAAA3AC02E6FA3639,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:29.737{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ULGABFQ2FB\System.Windows.Forms.ni.dll.auxMD5=E9FE90D54FA2EB304C19A08EFBB3EBBA,SHA256=7F33C7EC45C5F39D373A2F13320A3FB02FE45F2C5FEEC67046E6E4A55105CB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:29.737{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ULGABFQ2FB\System.Windows.Forms.ni.dllMD5=6B5E432D937E6AA00EF0ABF3D5D9C38A,SHA256=9A6CDEC7B23427EFC6856759E3D857AB5286759BE4A9A2987144C8C554021634,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:29.037{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6BBB4CA59CAAE7D7E3A8F4E2550726,SHA256=3675E0D6BCA86AF2E334347892FBF5C049030F150BB4F3B9DCBCE7D1BC8D528D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:30.829{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CEDA01596C1F6FE9A7034CF7FC021C,SHA256=5A59D3BF9F0C636F10BD8B83F2849DDAC3A01377273D121B425BDD1A027A03CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:30.847{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UTJVOPP8SG\System.Data.ni.dll.auxMD5=A3A8748F52344D3636E50B0BB9AB7D0F,SHA256=635747067A5AC1FD1103FB026C5B6EE09183ADAFED601ACB4599BD077256F424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:30.847{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UTJVOPP8SG\System.Data.ni.dllMD5=204D54FBEFB0BF86FB890801766AA43B,SHA256=9EAAF66BA0FE1FD62107F8BFE02C633D8DC1000CB6BAB3152A4ECE13028E4670,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:30.485{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\USB3GDU08Q\System.ni.dll.auxMD5=3E37F06FB38530095A5E52EDFAA8D60E,SHA256=2929FBBD5565E1EC8D3B2CD52A903C76F4203019FF8650FA442F4C2E4DFD70AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:30.485{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\USB3GDU08Q\System.ni.dllMD5=7F0A5DBF2075D53BE5881B6557331A1D,SHA256=7EEEF2EC1F43BBAB9E50783C6F3333BA9DBDF55A626B20A9D9CC595AE89DE89F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:30.129{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E7215BCDF48044E2AE733C57CFFD08,SHA256=D3C2EDF56100190DC48121FD6EEB564274B5EDBC410C84CB6EFA2272B5A9F51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:31.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723BDBFA19A79E88ACA381C5845E7AC1,SHA256=192C15888813B0804EF3FBA0F48252CF517A1F4F21488209FAF3502FC5757545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.965{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VD5D72FXG6\System.Configuration.Install.ni.dll.auxMD5=35A313588DD8BF1C4A5557EAA79D2888,SHA256=8C1A5F0899AC55E471D0A266242CB849FA7A827C6DFB151597B962F19439A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.965{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VD5D72FXG6\System.Configuration.Install.ni.dllMD5=E6EAB74B0CC7C40180FA4FE64126C927,SHA256=2B84A2239A9EADFF8DDEDB693D7C2DB00821062A8A2330814592705446E34CA6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.965{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.965{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.918{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V3NS22NA7V\Microsoft.PowerShell.Commands.Utility.ni.dll.auxMD5=9C97FBCC0753DEBC1C1248449428DECD,SHA256=AFD0147268B260955CB30890150455656896F285E2735BCFCA91B971F6D05E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.918{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V3NS22NA7V\Microsoft.PowerShell.Commands.Utility.ni.dllMD5=89933588F990CF88530F6D18EEA04915,SHA256=2146F02118BA95F4801A713A5754B3AF854CE09A40A919A5FF0CB77BA455D237,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.656{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE72AC642FBD7066189D0FBAD4395334,SHA256=6E82A71F881BB7A5FFCCEB88857BD9487C462DCC9BAA76C9CA0856C8C1DEDDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.266{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V0B98RUJ8S\System.Core.ni.dll.auxMD5=952B64D4882C741C3D0EE8D8BEFD35DE,SHA256=970C39703CE0EBCD93451BC76F25D06A9C47C75E3ED6DCC45ADEF215CC75EED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.251{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V0B98RUJ8S\System.Core.ni.dllMD5=CD0AE5AB227C80CD2904C2D3A91B69F4,SHA256=16605440A47722DCDAB1286F1F7F80843D51AF596D3BF4A07748EAB30B3C9DE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.220{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25A8ABF13D70146FC7FD0906ED96F3,SHA256=63916C868022C63466C4B6D6A48E1EABD206E22F08CA88347281A2C141703805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:32.463{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dll.auxMD5=9DB501C48DC60DBFB5B0DEA1779EE47C,SHA256=A0D973D80250931A6FB9EE13DF0B860E736D456AEA631120A0012B15DAA98562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:32.463{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dllMD5=250BD9B205730F5DAA6260EEF61B4390,SHA256=E2ED60C97B5D4342A06BE98C8930413714AE287B8E678833C0A81DF457D20101,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:32.307{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46AA9E4654B62D9999BC32F933390CC,SHA256=DE1E762B5C8B958EF529FD7CF7CDE170A1CBB64FDB07C0AD256C639578D33BBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:28.825{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:33.019{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B07033C9D96B4DF67871A35EA1B840,SHA256=7D05E4EA8EE81291BF2BB4CCA63BB0F663DFACE161898D5D9791A7EF36254378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VQSE9P5C68\System.Management.ni.dll.auxMD5=3E61D2464C4E4AB4B4D3ECCAF651195A,SHA256=E45A9A9710EFC4CCC7649A51BEB67FA0C92C8AAE007D50554F876C0E86BB79E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.613{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VQSE9P5C68\System.Management.ni.dllMD5=B05D7DA87351B11F85473ADC296D69E7,SHA256=875E1B76FE1F04097C454800EE709182120B0EA712F519266AF1B6FF6121E37B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.519{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.519{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.519{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.519{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.457{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGH1GHAINK\PresentationFramework.ni.dll.auxMD5=8D90C9129E6C0396C3A50BA45F02E1F3,SHA256=1490FF5D33C4F034D88459EAB441DDF918F6015D7AA46396A01B910B0249570C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.457{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGH1GHAINK\PresentationFramework.ni.dllMD5=3A6F5ED2C31DE935C871E5686C126A1D,SHA256=9890E84E1ED917E5AADFCBE428C4879D8E4627586FEF6C3F4380D1581CBC2356,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:33.394{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7A30BD342E7322FD27F18025686F60,SHA256=69867B85EDD990C7882ECE0D9326AB58631DDC9D3244DD1F602FA1BDF085BF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:34.211{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:34.101{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC890A4433BEFE6ECDD6890F5C396F54,SHA256=BEC981F6F70F14E78B6983BECEFBE856593C11AE333082371CEC445A91EF6B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.940{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VZ6X191DJ2\System.Core.ni.dll.auxMD5=8E73D85C99077BFB0539E8520D981B3B,SHA256=8605E552A2ED79BC38EA9F92974A6C4E2C46914F44F8F3F24AB3BE5FC473E012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.925{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VZ6X191DJ2\System.Core.ni.dllMD5=3C17A421A4CF45767D85FF01275D0C0A,SHA256=07FB0B088257321962EEDB1092064C8D6353DCD40AA92F1EAEF09C31F2E8D2AF,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000338891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:31.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51043-false10.0.1.12-8000- 23542300x8000000000000000338890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.481{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BF6C1DD59070D6E4EFC92C91611E70,SHA256=FBAF6FC3529328A920B4D27FCD3DA09FCD2A2C2F5B96B563A1B5AD6ACCCA90D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.061{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VVXB0YDRQE\Microsoft.PowerShell.Commands.Utility.ni.dll.auxMD5=4BE6B2C729D1C397289CE23CD3DC2E9B,SHA256=5B663B49A464E66F1B9E65E5B9065501ADCFB2A13DB5983A5E4E45954FBAC0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:34.061{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VVXB0YDRQE\Microsoft.PowerShell.Commands.Utility.ni.dllMD5=A374FDAD9D01176C27249E4E0DD22BFC,SHA256=E25F37F9B7DCAB269B244290EF20B53D7A0DC4CCF91825A1C3CB801E4255A86E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.979{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dll.auxMD5=1964D64FF04708A0CF5838B9DF1E6988,SHA256=30E5029EC1D69530F1631F056368F3DB0F87DFFCA5C3E7C0D8F81706B0BFE044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.979{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dllMD5=8E902B0115147C7B7399AC6133CFD38D,SHA256=D4DF764B7FA01B0EAFF612668AFA401B6BBE251A7F89E3B9D935479EF6259E43,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.963{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKV2LTCX14\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.963{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKV2LTCX14\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.885{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WJWKZ6PUAL\System.Transactions.ni.dll.auxMD5=41883768C7D7479B1DB43486DB643490,SHA256=1BAEDD2A3F1CF3E8A6609E785516D4FE12A0A385C609C883D2E4C93C7A3CA1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.885{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WJWKZ6PUAL\System.Transactions.ni.dllMD5=633F934076A97D4532D53B525E93F9C7,SHA256=6E7917F3008778C89D0ADE04E311B5DE8E70E49881A956E4135A1835EF932960,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.841{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.841{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.821{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dll.auxMD5=0065E7A8A8E46E486B81AF49DEDC3662,SHA256=16EC780118ECB011D545094DA54471D9E80EEEBFD7B6FC6CC36C0950B74782BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.819{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dllMD5=AE3813D8498A050E3F1C35361CBB502B,SHA256=D6ADECF0D79D00DE226C5558372C5A2AE2F662F9A9F0BAAB1CAE8FCCB77A525A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6AF1E23F2A2F89CCAE7AF61E14E002,SHA256=EC8C3791C07BD35FC448301AA02390D11016753F999381662388A67F6B4C5AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.563{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.563{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.548{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dll.auxMD5=49EEFA3688F97076A8DC47723F5C4845,SHA256=D64824E803DF08D47FB0EC670C5695F98C0B58A6537ECE77006412EB6785766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.548{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dllMD5=1C08FF101FAAAFADEFC6F118ADE6297B,SHA256=126D05D508BAC0D8FBCC8E6863A936B443B5A47E03A34F956F0514918A00D001,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.532{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OPDLC9L0\System.Xml.ni.dll.auxMD5=0DB1ADF94A9387905AED0534C47D0EEE,SHA256=C530974C58D0C70A7B8520D299017A384EA4BAF5868FAD3C3403EF77FCD1D4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.532{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OPDLC9L0\System.Xml.ni.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:35.194{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737F4BF232944A2DC7363297B6B12F8B,SHA256=48BD79E03D472E7755E5A089CDC559E7442F97BDD14E8E15C05BC49829CF123B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.141{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dll.auxMD5=FC4A9B25E8155BEA4F2BAD2E9934B186,SHA256=E75825CDB00102013ED61BA8DC72868336265A7A43AFE27482A839A08E34DE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.141{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dllMD5=0302AAD9C6C6C01BDD78B04909FF39FC,SHA256=EF8E4770CE7024DDF0796A901E32C0D76F1ABD6508ECF24129A56EB18CC7C677,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.065{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VZQUKY3WBH\Microsoft.CSharp.ni.dll.auxMD5=657E82B143F4F6D421E3F26CB2555B1C,SHA256=CF20F8BE62BBD1EF68F1E5A13ED8A3C52E95DA8E14988BDDF138B2EC84DE7FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:35.065{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VZQUKY3WBH\Microsoft.CSharp.ni.dllMD5=CC0828C993E26F7CC65662065ABCA3ED,SHA256=102D1A9C79B7B0264F81B7C73B5658990739312CCEE7C22F39BDE28E38991E1C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.786{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6F93FAOXU\System.Configuration.Install.ni.dll.auxMD5=19DCE4CF0E343FD43DD0946FEC2CFD31,SHA256=9C6D5E281C9A3EB2E18F197E2C6A02EF55081A69A97C59DAF14EB444C1262B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.786{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6F93FAOXU\System.Configuration.Install.ni.dllMD5=9CB459211EEACFE422AC09F0D51BB565,SHA256=839E9CF7E2FCC05AC1635019C08EB7F51EC625C38E0ED515470EF9147D7CC5AA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.770{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dll.auxMD5=8BA67D8C1268098CFBBA2A626FF8FC6D,SHA256=4739DF54BA9C20953325031131B36E067190CF704B808F6886195A3426F3E43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.770{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dllMD5=25C1B73B943AFAA7C8CC9475EEB22DBD,SHA256=5C5CB8277339CD69DC9C42FD25678D6752321C18797CAA37349203D499EB5610,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.679{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WXQSIRHCJ4\System.Security.ni.dll.auxMD5=88088A9420E89AD0891E9C2A0D79EE5C,SHA256=61B40F1DD323337E0C20C3E9C694C2586214883B1A0E0C4B73C015974A999AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.679{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WXQSIRHCJ4\System.Security.ni.dllMD5=6017657DD1CFB48244BA822DB912AD46,SHA256=68F4CC7E56E1169EDE1EAC3BDA890CBA03F5EAE90BCD8BBB8C1E6D6115A758DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.616{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WTYF4WS952\System.Drawing.ni.dll.auxMD5=ED6F728EBAB3F9359BF38652E0A3BE96,SHA256=5B4FF2366465DD63029F18AEA31116E3A92B132C33B03B516400560F34B1D7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.600{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WTYF4WS952\System.Drawing.ni.dllMD5=FC675190F2508357D44C08353701D758,SHA256=B84A5EEC1D57708E0FC5D7DB9DD2C1AE39C579218933B855E5B27C3EF274CA91,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.553{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62AA089EDFEE4DAB95E2AF77BE2EF44,SHA256=064BF097BF43FEA3D4BA50B8A5D4D30D2AA7FBB60B1CAA8CCDB9BB069D258A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:32.894{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000448872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:36.280{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4C633902BAF1438E7D4381550BA3AE,SHA256=EBB47DE5B5D53E3A50592BE0F754736E652D4299A3BEA3361C02427EFAEC37EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.444{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.444{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.368{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:36.368{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:37.660{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dll.auxMD5=F75844856EE6FABD9C2BF434525D8F9F,SHA256=1F40EEB68BE036B5E0B884535BE71578A36B57947ED17056394FEF8E5E411B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:37.660{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dllMD5=42107A9680DD1F0C15ECA4BD0B4C3A45,SHA256=E865E3843039ED20DA42936DE4AE5A66B282101FC494E5676F6BAE458429D669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:37.644{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E87A44C34DBC72CE92584103977F1B,SHA256=DB515B1DE146DEEE87F3C166A24BF7578C8320BB938C418E1C66F8F45CDEAC3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:34.761{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:37.357{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A683F241B27024530CEF80982E522E60,SHA256=6E340354412ED9430A1E8570C782F36D6D1CAE99CC1147A1572E638C2DFA990B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.880{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.837{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D63C93B2260E4F4F116CB41268FC6C6F,SHA256=6EC9830A86924B6017DE5019E76E480F5D270743467AEC4643D97FEACD66DD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.754{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X87GI4UNCX\System.ni.dll.auxMD5=1DC80AF092033E5F42CB197DEDD9D65B,SHA256=78757835764F7844934DA117E6D44A2A6C304F7D2B4B1B719975E46FDAF91556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.739{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X87GI4UNCX\System.ni.dllMD5=4C22A273D55A064EEDEA6322A97FE183,SHA256=1EAC51FA1BBE72ABE3A900139F940367098984AA98FBD5FC592C09C116555F13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.723{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2126003E711021D42EF1E790A44B19C8,SHA256=7E08B96F7D427FDC22CF3114293DF56BAC29FB67DCA89F7A988C4FDEE9B63454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:38.449{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6CFE17ABEE86E8300B075A63B0A5CA,SHA256=E9B733AB857A256BD5C4879BC1677D3A5D7429D8BC5B6E56CA7EAAD86AEEACF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.192{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X770DV9NA5\System.ni.dll.auxMD5=38FB7500511703557B2A490D76E5F3AF,SHA256=82F46FA003FED0DBA41032CD924E47376658DD9F6EF6F9949BC9A853AE793FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.176{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X770DV9NA5\System.ni.dllMD5=7FC9BC6F3421B57FEB848576BC809437,SHA256=F25EB9DBCC000D600320A0964A9EBF678A2220481AEC9C0284A5EDBD6ACAFE6C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.816{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D668EE11335ABD3FAD8D6C6020D678,SHA256=2819EC40FED81A4FE0E16E8E49FFB218A9FB7BF1BC835EF43B6C7DECB8858C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.784{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dll.auxMD5=5A370DF59B981781F12A7F3A37D66361,SHA256=110B34A25634C7C5EFD6242F5A78BB129C5DB3A8F7BCD745233898DF3B63153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.784{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dllMD5=BB79E90A6CDC752EC6FA8D004D881F82,SHA256=094F1E63ED0E7041F3C57AADFEA670CE53997439B064C4C5802CE19434004860,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.784{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEDSLMTMXI\System.Core.ni.dll.auxMD5=D2B21C4EE4767889C67BBF4BA59F7819,SHA256=8D76019BAE0B23C732CDB47566D3B0FC6A80B6ECBC2B7DD3BA4101992D19181B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.784{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEDSLMTMXI\System.Core.ni.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737B,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.578{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.566{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.557{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.551{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000448890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.533{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC4323293B921E100AB36A46F63296F,SHA256=541629E613E6A0A217932899AB498A9530B145EC1AA45BB7EE8B54D0D44E907F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.515{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.504{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.498{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.490{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.481{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.473{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.460{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000338939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.300{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:39.285{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.447{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.430{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.336{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000448902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.605{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857157D207FDB091FCF21018D6834BE4,SHA256=3FCF533B579630EF637C8D14BD342F0A17C1952BDDE7D39ED48C94893FC72EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.711{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A7-63D3-0904-00000000BD02}5936C:\Windows\System32\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.708{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A6-63D3-0804-00000000BD02}4860C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.707{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E803-00000000BD02}5548C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.703{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.694{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.694{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.692{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000339000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.675{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.662{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.656{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XLM6BX5T56\SMDiagnostics.ni.dll.auxMD5=EF5C14ECD2942930CBEF3F78811C4906,SHA256=0E1472E7112F197434E8D7BC4022A0175E43C87D88359F8DC0160FD1CD201B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.655{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XLM6BX5T56\SMDiagnostics.ni.dllMD5=B757420CDCD64133145474F44A5C7244,SHA256=A82EC800BA2BE97D195321BF99EE6D030A8F1A999DCF882934F525A2EC66FA72,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.652{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.649{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XKA9D1P1QR\System.Numerics.ni.dll.auxMD5=4DA08C47B1FD592045CE9C49E1CAB84A,SHA256=42B04A7F53796869C67104A9BEF30AD7E1FC9B5DDF2DA6C2ADB16173212E3928,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.649{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.647{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XKA9D1P1QR\System.Numerics.ni.dllMD5=E89DD3BB5A05BECF57343CB897726E53,SHA256=6875C3CA5102C47223504AD1E16751B7B128AE4B6AE9385A24E7520D2E0B63F9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000338992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.639{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XJEI7DS9BV\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.638{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.636{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XJEI7DS9BV\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.629{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.617{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.614{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.581{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.574{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.562{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.554{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.552{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.548{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.546{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.544{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x8000000000000000338978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:38.126{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51045-false10.0.1.12-8089- 354300x8000000000000000338977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:37.315{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51044-false10.0.1.12-8000- 10341000x8000000000000000338976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.540{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.539{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.537{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.536{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000338972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.535{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.534{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.533{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.531{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.528{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.527{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFUNQVI3MX\System.Core.ni.dll.auxMD5=D0325488413187592F5E2E4B03A2B55F,SHA256=3621EEC32897E03A80F1ED5B7D4F96C3C492C611D0688225EADB8ABC8683004D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.525{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFUNQVI3MX\System.Core.ni.dllMD5=9D157C15904F94E7FE0F7153425B2B7D,SHA256=FC0BC5198652B9137CC55C074FF1CDB1CA0D6C5EB99DF5B6DEA0E76240B8AE48,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000338965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.515{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.510{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.504{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.501{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.493{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.476{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.474{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.462{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.421{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.413{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.403{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.391{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.379{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.373{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.366{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.356{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.343{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.335{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000338947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.333{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000338946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.114{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000338945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:40.113{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.047{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.045{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.042{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:40.038{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000448903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:41.792{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94ADDC20D5C4585A5DF2EF7A3DD114A,SHA256=DFECBB9D5FB6F500678F487C7B3677BC20F22C31F11B29C84DC936830BA362E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.915{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XV6XVN4JZ8\System.ni.dll.auxMD5=0FE2DA91CA727C5FDFB9683466098809,SHA256=DE9F5C5937D844B72D91CF96C0AF781757C79DA906EB3F5E9C80C79CDE977E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.915{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XV6XVN4JZ8\System.ni.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.447{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XUPP61MRYD\System.Drawing.ni.dll.auxMD5=ED6F728EBAB3F9359BF38652E0A3BE96,SHA256=5B4FF2366465DD63029F18AEA31116E3A92B132C33B03B516400560F34B1D7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.447{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XUPP61MRYD\System.Drawing.ni.dllMD5=FC675190F2508357D44C08353701D758,SHA256=B84A5EEC1D57708E0FC5D7DB9DD2C1AE39C579218933B855E5B27C3EF274CA91,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.371{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XRU5VZE5UP\System.Web.ni.dll.auxMD5=18501C55BA6FED106948D479C80AEBF8,SHA256=49012C302775B96DEE11CBF9165F5F92A9AB3D537C3846B7E0A79E0B89C55C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.371{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XRU5VZE5UP\System.Web.ni.dllMD5=1C6F70C523489155218CE012BBBE5965,SHA256=6A4852280E7836828125E40087C815B4C7F9895D78CC2A2C576DC6D452496063,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.210{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BA100567AC184B12757DEE41A9B3EB,SHA256=89F6C5D011886D587FA72384EDF58974316FFB2F5A17F496A64C6FC0163FA0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:41.210{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E67847D06009644C7220218053B92E,SHA256=C94EF8870DE514BF52E0739B6214694F942977FFE6D1B9019D0E5C1D7B25A3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C847DEA56FB2C560F9E073B366AB03DB,SHA256=5BD1EC9E8809CD06472041B38B2449E603C310768C3ABB805CA374DDBDDA6757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.317{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y6G9ZVC9EH\System.Configuration.ni.dll.auxMD5=E35793659F64FBC873ED394310E27B21,SHA256=F514B12A2858B8FBCDF4608FA28268C2B9BA2891965AFA2F4CDB39A35B8AC533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.317{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y6G9ZVC9EH\System.Configuration.ni.dllMD5=32554B4A682D3D4DFB78C3F5887B14D7,SHA256=3B38EFE5708B8E4740514E3CC5A1E81B098C637BBAA3AAF8B31FEE9D9837A20C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.317{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E164659480919AAD8699BB2222DD18AB,SHA256=334C3E6A2ACFCEAC2B8915355FA0DF4C8907470C500A9E65DCEFDE47DF78526E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.273{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dll.auxMD5=29E6A003183458CCF64AB3D7FD5E09A9,SHA256=60A7576757C609BEA9AC9B80C89C840C25628B230A49E43AE3297DC76FAF7D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.273{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dllMD5=04E405537AA94EDFF3323F0467D26778,SHA256=68136A857028E1F557F9FBB105346CC072FF372608AB0F448A7BA6AEE555D34F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.267{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dll.auxMD5=1048C0ED575A23FCAAD4A2A3D4AB051D,SHA256=4BF180857736CBED625371F3063FB75AFDCEA6BB064FB787B1CE79717F5B522C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:42.265{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dllMD5=97B08C7C842385FA82BB242375C02597,SHA256=12EDACC3503A34EE8F82B27C2E63D46FEE7F5C01CC2D8838A5ECD39FC615074D,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.718{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.694{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.686{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.676{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.650{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.645{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.638{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.633{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.628{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.626{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.625{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.621{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 354300x8000000000000000448910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:39.765{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000448909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.105{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.104{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000448904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:42.081{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000448926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:43.979{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6500B215FF4AD749B2BEDCB996D151B3,SHA256=1D6522C2CB1B8A630280D3CDF40BBD2DE3D65812F507468C5E33CCE0EFB9A972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.884{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YDXFKTM2LS\System.DirectoryServices.ni.dll.auxMD5=59C110736777D69755BD9640210D5DBD,SHA256=ACBCFE5DF9F4481CB736A5EAD30EAA17287FE36A2A93EFEB7E6A563099100F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.884{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YDXFKTM2LS\System.DirectoryServices.ni.dllMD5=0D805B76A05F5CE550EF1D8FFEF30169,SHA256=589EF92923F29A1D6169A89FD617812D186CE924E66E6061CA72EF73C28496BE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.790{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.790{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.728{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y6JA0I72H5\System.Management.Automation.ni.dll.auxMD5=7F40C8D7BB8B4A7C3CA1E88E0F4E3524,SHA256=0AC2FAD53EF554B765E6183B60E9DF797D83B2146E3E6D169F0FD6B5DEB848CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.728{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y6JA0I72H5\System.Management.Automation.ni.dllMD5=5A63FCFBF2097DF5FB66A208F02E90A6,SHA256=F6192DDD6B2DB0D70402061D784970DAFE316BAC34614D31393F73867FBDC79C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.288{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F34C788F92532EB80DEE55057243C32,SHA256=18A8FCFD1B081E954B739BE6A101D03E20AF89A68B3C0D39F9BDCB39C13FFFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.924{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YIB6DCCW6I\System.Windows.Forms.ni.dll.auxMD5=E5C9B000C104A386E05A7DECC7D57D10,SHA256=BC3E3B9EDF0E54B5CFAC2B351AA2FC8C56FC29FF421C7AF2FCD1C7C159EEFA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.924{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YIB6DCCW6I\System.Windows.Forms.ni.dllMD5=813359EBC7268DD27EE491165E0CAB57,SHA256=3DD82C0168FAAE20147E50B24A05D2A5C9EF83E4EF9E0CE5FD8DCB4466BBAE26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.404{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670B3355985D33D01A967170A20A15B3,SHA256=5080121F9E1B476456F79D55C1E32050E44C733F65BD287E8D096809889B2D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YGE550YJJ1\System.Numerics.ni.dll.auxMD5=3D584449D8994C8A6F53D6EA35FA327C,SHA256=1186AFEB65B6390E39B8A9F7DE621BAD52FAB94F71382CE854A7FDB820FE19B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YGE550YJJ1\System.Numerics.ni.dllMD5=B7046061FFE1EC155C9812796FB7A2D2,SHA256=4F1AAA6948C8B9F14673FE17A83438A868FD347A58F44DFE85831136466B723E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YF5AOMYMDR\System.Web.Extensions.ni.dll.auxMD5=E3501E76D9EF0B69A4026C6B590FB58D,SHA256=12ADFF882440F9EB5C27A056A218ED416F9DCD578D265D632B1B75C828662F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YF5AOMYMDR\System.Web.Extensions.ni.dllMD5=BC1955AB148A91685B03B1BB941055AB,SHA256=D878F2A32362A0F1E85C7712D8FC5C8A8176F39970472B42987638B84169ED3E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.024{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YEGNJG6CVP\Microsoft.CSharp.ni.dll.auxMD5=0821BD65FA52F1E469DFB7056C40614F,SHA256=4797D4A57924FCCE2343888C30CDD1345E0AF98BCC73949EE0C74D94D01EE533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:44.024{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YEGNJG6CVP\Microsoft.CSharp.ni.dllMD5=4A25A7443023AC698644ECF4F3F19552,SHA256=27E06A9FB4403425024AE4544A5532BE32C02F810E29731ECA8C7884E2D0D799,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.984{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YSCBITKRSN\System.Configuration.Install.ni.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.984{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YOZRJB6OIW\System.DirectoryServices.ni.dll.auxMD5=265F04E5825B5E1A073A49E9FD6F94D8,SHA256=A8B6EC43DD3C84912112E802A37DD9A21A55A71E3BDD72B2669BA444C67F3505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.984{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YOZRJB6OIW\System.DirectoryServices.ni.dllMD5=990497BD43A6D44F67F276C3330502C9,SHA256=C2964C860251228AAB56F30AFE308B638E28FF5F8289D29E270DB5B63DDB82F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.922{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YJGCJFGL1Y\System.Data.ni.dll.auxMD5=F1B0E3797E1FE78975EE40A12DCA905D,SHA256=97AC61F5AF042419CF86BC935D8B80BCD13C4DC023752ED10FF40200865C29B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.922{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YJGCJFGL1Y\System.Data.ni.dllMD5=2BEC529C281F6FAFE58502E23B896177,SHA256=24FCD1C5B352D391F19E7C8140E9A791DC7B57D2F18BA276ACC7DFDE27DD45A3,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000339042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:43.321{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51046-false10.0.1.12-8000- 23542300x8000000000000000339041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.485{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF8AC6304287BD4B95BC00F81CCD765,SHA256=3BE98B13A9911C1D4AFCB67C53D29F3B032CB77A867FCBAE4F47432D14233819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.422{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YIHB6VWA4C\System.Core.ni.dll.auxMD5=8E73D85C99077BFB0539E8520D981B3B,SHA256=8605E552A2ED79BC38EA9F92974A6C4E2C46914F44F8F3F24AB3BE5FC473E012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:45.422{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YIHB6VWA4C\System.Core.ni.dllMD5=3C17A421A4CF45767D85FF01275D0C0A,SHA256=07FB0B088257321962EEDB1092064C8D6353DCD40AA92F1EAEF09C31F2E8D2AF,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.849{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B531-63D3-DF03-00000000BC02}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.843{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B531-63D3-DF03-00000000BC02}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.843{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B531-63D3-DF03-00000000BC02}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.843{45AAC21C-B531-63D3-DF03-00000000BC02}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:45.065{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F293DA32A4E452F4EB2C86688A13CE9,SHA256=E4BE646D61BA98105C20C0E3DFCC4D257CC2D30A522E11BC8EFA7A6332CA4A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.465{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4392196FBBD7361CF08C3856AC40C9,SHA256=DE05E2DEECBDCDA15D49441BC8F41C70ED4A2EC75B269B64A413679799CB7156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.449{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YU4SH7L0A9\System.Security.ni.dll.auxMD5=88088A9420E89AD0891E9C2A0D79EE5C,SHA256=61B40F1DD323337E0C20C3E9C694C2586214883B1A0E0C4B73C015974A999AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.449{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YU4SH7L0A9\System.Security.ni.dllMD5=6017657DD1CFB48244BA822DB912AD46,SHA256=68F4CC7E56E1169EDE1EAC3BDA890CBA03F5EAE90BCD8BBB8C1E6D6115A758DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YSHT48C7QA\System.ni.dll.auxMD5=1DC80AF092033E5F42CB197DEDD9D65B,SHA256=78757835764F7844934DA117E6D44A2A6C304F7D2B4B1B719975E46FDAF91556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.434{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YSHT48C7QA\System.ni.dllMD5=4C22A273D55A064EEDEA6322A97FE183,SHA256=1EAC51FA1BBE72ABE3A900139F940367098984AA98FBD5FC592C09C116555F13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.976{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=97C3B8C9C65D38B3C3D2AA13341992F9,SHA256=7A84AC98268A2142A561FB71801428AFEBF8CEC6B7EB596BAE5059BB2CB9A018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000448946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.930{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62ED5AD0A3895B0E0479AD1C1F52BE02,SHA256=2C0A49365985E557AF799E0B404951D38848BBAFA7826BCDB325DBC7C69E599B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.749{45AAC21C-B532-63D3-E003-00000000BC02}57642272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B532-63D3-E003-00000000BC02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B532-63D3-E003-00000000BC02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.516{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B532-63D3-E003-00000000BC02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.517{45AAC21C-B532-63D3-E003-00000000BC02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000448936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.159{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4145F3594D260557C94E71B714EB0BFA,SHA256=E6795C757A85BF6AD7761C8E5342F4B8406CAFB83F837B30CA6EF16D422BE964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:46.000{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YSCBITKRSN\System.Configuration.Install.ni.dll.auxMD5=2BE7BB6FFC007EE706B43A3240D6C1E6,SHA256=FE7984269A89E65AD319F1739F5B7E49F41DCB204FE9D8517AB010A61B2FF039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.772{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392EE1690086FD45A969BFD7408254F3,SHA256=0945C92CEAAD3086BA453D640E1FF925311842DFB181CD0521A318D49A19A411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:44.874{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000448956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.248{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027280FC4D605EB45B8886E34EA8B8DA,SHA256=2DB0C3C0E678B4B2DF6935C12F04316C37379F19D839448B1FEAF765B09D1A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.495{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dll.auxMD5=FF4E2C92B938268E23AEED9F7BC732F8,SHA256=19FC78637B8A3B2A736A0ADD2E08F35E595E8854D68B668FB03022BD4AAECBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.480{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dllMD5=95173A32BB22297C898788BECB82637B,SHA256=EA0063A4BEF0AD2C8C8BECBFF53222AF78D9E5C3199903A8CFCEA2E63BB78C24,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.167{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z0PRUN8CCW\System.Management.ni.dll.auxMD5=273226A4B0A33AA89913CD996E8D79EF,SHA256=19341A54F66D137E0F7EECF6733BF8004DE7965E2792A3A8BBCDF31B8179011C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.151{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z0PRUN8CCW\System.Management.ni.dllMD5=D1F81DF35BBF198E3551357BFB277DAB,SHA256=86937E0D0B91653A6F6462D33D9739CB6DE7BCAA666B734CF67F114B66D50041,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.075{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YXXUBQQD43\System.Management.ni.dll.auxMD5=D1FB47B13BEB3E3FB03751D019B8D15C,SHA256=8C6E70F4C3FEC15367AFDD3AB7E1A31225D13B8002E76E66F28E297090FBD149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.075{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YXXUBQQD43\System.Management.ni.dllMD5=80E812D84EC5E760A33A174532E98ACE,SHA256=E2E98827A0D3A37F3B4562AEDE2CDDDB9EA45E33C40DEAEEDF862BE0282E3A51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.028{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dll.auxMD5=837ED7C37327AAC0A3D72346C92C1E33,SHA256=03CCB7D13D93251175DE2ABAAA91E995C4A2FD627167E2E150B73A0B68C288FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:47.028{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dllMD5=FE8274D8E31521C1EE127F0B9A468B11,SHA256=5EC1AB20A6FC7C8B10B5915D6BFED9B96EF524DDE933816D521A21239C339D16,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B533-63D3-E103-00000000BC02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B533-63D3-E103-00000000BC02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.004{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B533-63D3-E103-00000000BC02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:47.007{45AAC21C-B533-63D3-E103-00000000BC02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000339073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.865{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8833DE995CBB13DA011B5E8C1ADFA7B3,SHA256=D5B10496FF262ACA298D047BB2C9E8118AD286D5682585CF05B2A4C539B462AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000448961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.307{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52745-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000448960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:46.307{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52745-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000448959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:48.351{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8B8186A02A01874A544578B644212F,SHA256=9AC82DCF92C33A0969DEB07ABA8451DB7B690AABD24AE10EE91B9B8932C81FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.643{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZPFPMB2F9E\Microsoft.Management.Infrastructure.ni.dll.auxMD5=021E03515A4A37FE76AD9023046CEF73,SHA256=2781CF16A07EE3E4F9F4D099DA033F1070751F7AEDDD8748657CFD1626F4068A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.643{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZPFPMB2F9E\Microsoft.Management.Infrastructure.ni.dllMD5=5F54AAB05C6C35CEAA9657578130E5EC,SHA256=B43B463A62B5DD1B498204B1862DD9CEAADEC9B9DB7FEE4F14E0E913DE07945F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.596{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZOG0PZAHAF\System.Xml.ni.dll.auxMD5=ED9496CE2223D4E1A165BEFC8A495F49,SHA256=4F40C0EB01C6D669BAD474D8A1EFA20E9875920DDBCB1E521BBFEFEE2ACC0FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.596{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZOG0PZAHAF\System.Xml.ni.dllMD5=37E129A04ED511528A4B868C33DA4466,SHA256=ADF060A953F940FFAC3B248DE75B69860F955197BEABB73C56CF26EB8705E668,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.206{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZG5QUGH7L9\System.DirectoryServices.ni.dll.auxMD5=13D4EEF7A72BA3BC81F2574774D127B4,SHA256=25BD7A05FB07703BC09BF4DE8B751497395BBFF4E00A330AC0BDF61A08191AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.206{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZG5QUGH7L9\System.DirectoryServices.ni.dllMD5=D5DA768CB16CA437D88F4C9B4EB81AE5,SHA256=2764D9D725755936779C4689CAFBA487F1D99A39F9D426696CDBE66FA74E751A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.159{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZDY64GQMKG\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.159{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZDY64GQMKG\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZBR2H9XYXQ\System.Data.ni.dll.auxMD5=F1EF077C4BB70B4021D36F707F57A3F8,SHA256=01B665DD6BA952B62693C3A6D288EB05C580987B3479DBE0908135CF0690896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.115{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZBR2H9XYXQ\System.Data.ni.dllMD5=E802CAD3E043456A3F9DE1C948A180F2,SHA256=40F614A3416ADE5D8D2D77D8351E86186838C22A0AFAC45E320C909EC2F5DDA9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000448958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:48.042{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ADF7C6EA5F40EAD54CA6ACDA10B77319,SHA256=0B06DE4601690C6A16E630F2B1299ABFEA5A4D84B8E4E52783A737604229DDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.954{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dll.auxMD5=03FB751D7366F1FADBD9267BF1C0D693,SHA256=5F68B3516C69DF888F1ACC44B0A716CE8E63DB995BEC4E8DB170237BC10908AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.954{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30DC6CC047664FD4198732E92955DF8,SHA256=5539F235259750D13DDFC1B1323EE45F61484B94EFA84211A1FEC0208731108D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.954{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dllMD5=282F0EF6FEB85C1AA8A4D5EAED7B0345,SHA256=9999B5F5E7F6A025582ABB469F2B898514033BC187344B9CA7E507DAE28CB542,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.907{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.907{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B535-63D3-E303-00000000BC02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B535-63D3-E303-00000000BC02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.754{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B535-63D3-E303-00000000BC02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.755{45AAC21C-B535-63D3-E303-00000000BC02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.582{45AAC21C-B535-63D3-E203-00000000BC02}22841136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.441{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F717C45420A60132D21468FE9512A3,SHA256=12841CA35EA5D682F167032A2F362BB730DA6782D4B500567F604B416B9D108A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.876{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dll.auxMD5=DB8ADD4CB7AB7C2BECB6E5D2876DCD98,SHA256=C508A4E3185C74167CBFDFFFC0296BAE94CD0406996404244EA570FE5FD4FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.860{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dllMD5=4840576F30CADC46214E01EEB1DDEB0F,SHA256=182B6C71998AA6298C694DEE7047C8D4E74228A3B112BE72EA26694380F7E86B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.813{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZUSAZW4RP0\System.Management.ni.dll.auxMD5=C2198BB3A427A79CEAC2BA77C9D0C7EA,SHA256=60369509C2526BD29714E83A68FC2274983F545D39F23171D68184A8D422B5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.813{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZUSAZW4RP0\System.Management.ni.dllMD5=6F21DC360242F38389A416C54A78EC73,SHA256=E5CD935F728CBC8D6939CD9B71458EBEE0550664F3EE8BDB9D17ABCD7F249D0E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.675{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZPKA8HY1UE\System.Web.ni.dll.auxMD5=0AE404756377DD3703F455387A9879C4,SHA256=702C78135B42466A045ED4DBF7D95EF83F253557AC4353CE67D1D012C508AD29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:49.675{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZPKA8HY1UE\System.Web.ni.dllMD5=0A11ADF0A17756FC85A5CCC9D20311BC,SHA256=5B3613B14D659E370958E9D555EFB0A5B072E1B97621A2ECB516ED9972A0BA22,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B535-63D3-E203-00000000BC02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B535-63D3-E203-00000000BC02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.254{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B535-63D3-E203-00000000BC02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:49.255{45AAC21C-B535-63D3-E203-00000000BC02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000339148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.940{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=4EC8546807E623DEB3184B29A7AFF26A,SHA256=9C55D80D91FE3D6543EBBCBB216D1E601A4A65F2B8FF125430B78B0219C6432B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.938{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBF3DBE2E8485176A.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.938{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF1451F9B560DD01D.TMPMD5=4EC8546807E623DEB3184B29A7AFF26A,SHA256=9C55D80D91FE3D6543EBBCBB216D1E601A4A65F2B8FF125430B78B0219C6432B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.932{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFA7CA78522A3F2015.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.932{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4A92EB2ECABFE231.TMPMD5=4EC8546807E623DEB3184B29A7AFF26A,SHA256=9C55D80D91FE3D6543EBBCBB216D1E601A4A65F2B8FF125430B78B0219C6432B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.928{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\620527.msiMD5=E1BBB29285FF3E08C66F16A3F9BFB315,SHA256=33D432D7542DB245E327A2D549907E1E7CA98F785D9E0010F0AEEA568D1C1A16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.638{45AAC21C-B536-63D3-E403-00000000BC02}11245512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.528{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DB8211C88B6D275CE2653C45A5C6AE,SHA256=A8D1BA421775E4438D0CD7149F3D0C764C0359B517FF770B4E7F737E406B26BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.911{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BBECB98F22FEF51EE73060AB28159BEC,SHA256=79F27F94AD015AB0B199EFB27EE00B7F4ED7C08C7479D51C6066E39C3262F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.841{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF8C532FC3050D7E3F.TMPMD5=6D2C76E8E4A8342D13741CFBE5FB25C4,SHA256=171C1DC78F0224A66E083F3375421BAD8EEEF1498706FCEC5F083CEA111E3A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.836{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF18F07D10DA69E709.TMPMD5=5894C4CF170F0669A294143767089A88,SHA256=3D3DF03FD4D982DF7CE692F8635732EEDD6747C3E36FEB2D8FC444B92BDCBCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.826{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\620529.rbsMD5=966558AFA54E9EB399B601671F9328C8,SHA256=656B54CDD8ACD844F9F72F2443D6C5254091E17784BF32ED78E2BB6865A46AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.807{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.807{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.806{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.806{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.781{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6A07.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truetrue 10341000x8000000000000000339133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.765{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.765{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.765{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI69F6.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truetrue 10341000x8000000000000000339130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.750{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.750{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF319A15E711756C49.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4E3FCE14F2F185F8.TMPMD5=96C0A5F8F7BEA1C0F159B136122BCBE8,SHA256=44CDC063075D5E20B6895118DEBB0D774B369D763F11DC9F3DFD6705FCC83B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5664F5C0DCFB5942.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7854E0A85B61B8D6.TMPMD5=96C0A5F8F7BEA1C0F159B136122BCBE8,SHA256=44CDC063075D5E20B6895118DEBB0D774B369D763F11DC9F3DFD6705FCC83B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.718{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI3929.tmpMD5=AE98844FE0EA7CB647F7FF2C6795E91C,SHA256=1F4C8142C134F52E1A9BBA09735F3AEC9E99C0F19C2F6BAA2A704628E51785FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.562{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.562{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.546{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.531{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.531{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.515{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.500{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.500{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.484{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.469{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.469{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.469{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.453{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.453{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.437{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.421{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.421{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.393{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.393{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.386{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.366{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.360{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.323{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.289{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.273{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.226{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.210{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.195{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.195{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.179{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.163{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.135{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.135{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.110{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.110{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000339086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.095{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZYXWPU95DT\Microsoft.CSharp.ni.dll.auxMD5=EE3198D697C4B053EAD4413AFEBC40C4,SHA256=0EF2A165B7A3C7C5983348677CB79F7278D2D8D8BDFA16AEEF598A9D14904643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:50.095{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZYXWPU95DT\Microsoft.CSharp.ni.dllMD5=CE241DA9296A06B251A4C1F54AEE5793,SHA256=F6F3E5B4313CC8B21F2750A73F7277C9C1152C7F7AF2C25B8654C4BB5B659124,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000448988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B536-63D3-E403-00000000BC02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B536-63D3-E403-00000000BC02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.403{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B536-63D3-E403-00000000BC02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.405{45AAC21C-B536-63D3-E403-00000000BC02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000448980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.004{45AAC21C-B535-63D3-E303-00000000BC02}46765568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000448999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.646{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F4170A68303AA5CFDDE34A1926BD66,SHA256=E8A3F10ACC2B41AA4A23A1ED7898C2C57F5B8E9F378D9ECF24E91249F5ECDD20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000448998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B537-63D3-E503-00000000BC02}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B537-63D3-E503-00000000BC02}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000448992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.614{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B537-63D3-E503-00000000BC02}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000448991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.615{45AAC21C-B537-63D3-E503-00000000BC02}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000339181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.742{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6DE2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.742{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.742{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000339178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:48.329{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51047-false10.0.1.12-8000- 23542300x8000000000000000339177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.616{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6CF7.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truetrue 10341000x8000000000000000339176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.538{72106695-B537-63D3-1B04-00000000BD02}51685840c:\Windows\System32\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\Windows\System32\MsiExec.exe+6bca|c:\Windows\System32\MsiExec.exe+7184|c:\Windows\System32\MsiExec.exe+8e17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.522{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B537-63D3-1B04-00000000BD02}5168c:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B537-63D3-1B04-00000000BD02}5168c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-B499-63D3-D903-00000000BD02}57765808C:\Windows\system32\msiexec.exe{72106695-B537-63D3-1B04-00000000BD02}5168c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.511{72106695-B537-63D3-1B04-00000000BD02}5168C:\Windows\System32\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\Windows\System32\MsiExec.exe -Embedding A4D80EABEBAD6DCA7E088E2C75131F97 E Global\MSI0000C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=9D709253D0D3EF4CBB4CF7BC10276AC7,SHA256=B2BE692D9794337588A16DB43A09371F3D18154E98171856CD4B739998C4D291,IMPHASH=C96E4BCFCDB1BA383604F04AB3452B2F{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000339167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.506{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.306{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D9BFECC04320F725FCC0757C5A0E9,SHA256=8FFB0191FD88D9AB13F9518C7BBDB887ABC0D5FC654E2B4ED6CB4CE5485600A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.228{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6BAE.tmpMD5=9CADBFA797783FF9E7FC60301DE9E1FF,SHA256=C1EDA5C42BE64CFC08408A276340C9082F424EC1A4E96E78F85E9F80D0634141,IMPHASH=652859BF844DA7396CCD2DCBC07B8FD2truetrue 10341000x8000000000000000339163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.228{72106695-B537-63D3-1A04-00000000BD02}59085928c:\Windows\syswow64\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|c:\Windows\syswow64\MsiExec.exe+7291|c:\Windows\syswow64\MsiExec.exe+7887|c:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000339162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.213{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-B499-63D3-D903-00000000BD02}57765808C:\Windows\system32\msiexec.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.188{72106695-B537-63D3-1A04-00000000BD02}5908C:\Windows\SysWOW64\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\Windows\syswow64\MsiExec.exe -Embedding 20579D8FA6C5E4074F12E3B1F7B1B682 E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=0E6BA8C0B882285D2B4FD61D0688D65B,SHA256=6929777BD6CEDDDFFF86FC7F505374D5AC0FA0F63722DC1C88594E16FBAFFAD1,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000339154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.181{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.128{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.123{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.123{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.122{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:52.711{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F4B5DC5DCB42D418E4796E4C846D7C,SHA256=2A05E08BE474B55D9395E61E7D7C83B899E8E87062856F936A35AAADE578BD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:52.696{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D321CC449BBD80815EB165B2CA0D8BE,SHA256=AFE8383CB32872DA0EA19C058C433FE69F54610FED6BC71C59FE7D04813BB4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.988{72106695-B105-63D3-1F03-00000000BD02}39924528C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000339790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.988{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000339789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.985{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.984{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000339787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.982{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.982{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000339785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.967{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000339784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.966{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000339783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.966{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.966{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000339781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.966{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000339780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.966{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000339779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.965{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.965{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000339777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.965{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000339776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.964{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000339775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.964{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.964{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000339773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.932{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.920{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.920{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000339770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000339769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-B105-63D3-1F03-00000000BD02}39924596C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1518|C:\Windows\System32\windows.storage.dll+17c819|C:\Windows\System32\windows.storage.dll+17c675|C:\Windows\System32\windows.storage.dll+d2a06|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000339765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.919{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.912{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.912{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.911{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.908{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.896{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.896{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.893{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.892{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.892{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.891{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.888{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.888{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.886{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.885{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.884{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.884{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.880{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.880{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.848{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.813{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.769{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=D6AD9F950CA8EAAEFB58530E53F5B006,SHA256=66246EDDF788C75DFC11E3B6E6AB195A89A33E124A63E1D07DCA67C4DF0CC6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.769{72106695-B4A1-63D3-E703-00000000BD02}668NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=871C0CD8CBBD091C6CEC53006EFF91EB,SHA256=5FA5A7E714F62ACB4D47C169F137FC306D4353D56270CAAEB5172F52EF2F40AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.612{72106695-9B85-63D3-1700-00000000BD02}12241604C:\Windows\System32\svchost.exe{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\integration\integrator.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.471{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D06ED1699CEC5C512933F022309F66D,SHA256=5F1144C7B216EA28430094E51DBB52C950FEA05DFAB25E1A340E5C78329F16DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.425{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C529361D0B11E47C8D128BB03A7F760,SHA256=C9DF341E9D82843853999DD85D87E496F13F3023C2F9049129742BD7E3D271CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.425{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C551FDCE4F9864CED570050D3C88486A,SHA256=C66673604C9D1BD1639871F2340D47C1AAF09AA145FB9AE163EBFD964E54FA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=78A2190D6535B99FDB5CBF55821BA9A4,SHA256=F932E7A30B0F0CA71E62590E0CBF1E15970AB2247E5011A655DAE102F182AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF26EA069412BE7471.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFC0D206D1ED12D998.TMPMD5=78A2190D6535B99FDB5CBF55821BA9A4,SHA256=F932E7A30B0F0CA71E62590E0CBF1E15970AB2247E5011A655DAE102F182AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF33178D6D948854E3.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.409{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF68E17D7315FE0F9B.TMPMD5=78A2190D6535B99FDB5CBF55821BA9A4,SHA256=F932E7A30B0F0CA71E62590E0CBF1E15970AB2247E5011A655DAE102F182AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.393{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF64849DA329FA6A78.TMPMD5=53B87EF137673C71A669E2D85491A2D0,SHA256=1CA2EBECBE70010DC874E69EDCD66E8F0CCEE0DA28985225C4AEE17E38FFCA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.393{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\62052c.rbsMD5=C716F44AE83C27B743B043034C768AA7,SHA256=4DD4E8BC1B42E4AA0C72CEA9F46C887A251940188280749BEBFDBA00F8EFFFB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.378{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.378{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.378{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.378{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.378{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7055.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truetrue 10341000x8000000000000000339723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7054.tmpMD5=E4702B7D3A1300EDB9A51E0E1809B8F7,SHA256=074803CD0C68175E93026B1263D0FF6BB4254BF591997E318876EC34A8F5BFCB,IMPHASH=13700DFD4585238683BF19951BD9C7A9truetrue 10341000x8000000000000000339720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.362{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5335E43D43C1607B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7AE41F1F8BE21C25.TMPMD5=691B9BC4C424CFA1C7D6B75BD43A220D,SHA256=DC5CEFFDC693776A54B5454859544AB32E17C986589E28267AF177FF357AD73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFA387E14600FD940F.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF997C83EF30FDA245.TMPMD5=691B9BC4C424CFA1C7D6B75BD43A220D,SHA256=DC5CEFFDC693776A54B5454859544AB32E17C986589E28267AF177FF357AD73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6DE2.tmpMD5=BC9FC3EF2FF730B97B73EE74526D3E27,SHA256=E2A576C2B90A178DBD8D9BC2D95AE18A0D0A1228CEC76DDF72161D73CAEDEF70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.346{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.331{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.315{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.303{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.287{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.286{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.286{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.286{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.286{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.270{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.255{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.239{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.227{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.211{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.210{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.210{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.210{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.193{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.177{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.162{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\62052c.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3387681C92950A89.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000339185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.162{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFB43509BAFC18E176.TMPMD5=691B9BC4C424CFA1C7D6B75BD43A220D,SHA256=DC5CEFFDC693776A54B5454859544AB32E17C986589E28267AF177FF357AD73E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.016{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.016{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:52.016{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B537-63D3-1A04-00000000BD02}5908c:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000449004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:51.158{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60017- 354300x8000000000000000449003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:50.767{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:53.808{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C86A0D9A45F4115A2BAE910A902698C,SHA256=D49C6D49A809B974F31A87024D2E1F622E6B4CA0DEE23AE9ECA292285590D845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.984{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B539-63D3-1E04-00000000BD02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.965{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.965{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.965{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B539-63D3-1E04-00000000BD02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.964{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B539-63D3-1E04-00000000BD02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.964{72106695-B539-63D3-1E04-00000000BD02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000339861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:51.782{72106695-B4A1-63D3-E703-00000000BD02}668C:\Program Files\Microsoft Office\root\Integration\Integrator.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51048-false20.189.173.4-443https 10341000x8000000000000000339860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.725{72106695-B539-63D3-1D04-00000000BD02}56081436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.694{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B505F48D74C152066E108DD1CC2A453,SHA256=863B83C99CA0BE3C5F782D56B9DF1EB5237A0CD80C088DBEDDA37584B52D0385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.616{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.600{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.585{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.585{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.554{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.554{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.554{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\62052d.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.554{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.539{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.522{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.507{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.507{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B539-63D3-1D04-00000000BD02}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B85-63D3-1200-00000000BD02}10005968C:\Windows\System32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B539-63D3-1D04-00000000BD02}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.460{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B539-63D3-1D04-00000000BD02}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.461{72106695-B539-63D3-1D04-00000000BD02}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000339808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.444{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.444{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+5958c|C:\Windows\System32\SHELL32.dll+125a17|C:\Windows\System32\SHELL32.dll+125975|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+597904|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e802c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250 10341000x8000000000000000339806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.259{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.259{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.191{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.190{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.190{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.190{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.187{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000339799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.186{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000339798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.182{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.182{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.135{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2CA84E1F31F81E73A106787402DBD1,SHA256=9C59EE7FE6FD8BD8B2014E696D7C084AD5F084D456A096A676790C1107ED9265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.131{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410E1C34FC85BF27E6931ABB73F4241F,SHA256=69988C4D1B3D49A82A580C81E252A12F5D16E0884EE1F1476E251368FF5F89EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.018{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000339793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.016{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000339792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.016{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 354300x8000000000000000449006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:52.378{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51222- 23542300x8000000000000000449005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:54.888{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E037163B9222C52FB09C3646A69D6706,SHA256=ECC8A8D14E4724C15A7320DC99C808F91FC23D7DAE1704D79F915AF6B8F49EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.997{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Windows\Temp\tmp7A89.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.989{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\.sesMD5=26A12CDB1A6FB9A1F73B8F9BBC8B76BE,SHA256=BBE48F43C6B56257A78D766B956D4063F7214F40787879765D5A73424823D399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.981{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\machineTelemetryCache.otc-journalMD5=99E4CFFAB804F95E187559717AA2D478,SHA256=93BD6DC671C753B03817B798FD9E0BAD2A79593D75B1ADF1BE30DD80BF25BD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.972{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\machineTelemetryCache.otc-journalMD5=2677F02E133170D795B08AFB3B26E1BF,SHA256=98C4E55FD0CC9A7DE32D0F57DF5C582CBB4B41DEF10FFC1BD4265CF656D268BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.965{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000339908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.965{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000339907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.965{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000339906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.887{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.887{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.887{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B53A-63D3-2004-00000000BD02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B53A-63D3-2004-00000000BD02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.746{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B53A-63D3-2004-00000000BD02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.747{72106695-B53A-63D3-2004-00000000BD02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000339895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.574{72106695-B53A-63D3-1F04-00000000BD02}1664136C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5d65d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+86876|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+60d9a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+6b3c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+238dd8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+239aa9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+183ba|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+af4d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+18eeea|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000339894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.509{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BIT7815.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.482{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.482{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000339891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.481{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000339890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.358{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BIT7815.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.351{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000339888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.341{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.333{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.333{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.326{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.325{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.285{72106695-9B85-63D3-1200-00000000BD02}10005968C:\Windows\System32\svchost.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.274{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.274{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.274{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.273{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.272{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.271{72106695-B538-63D3-1C04-00000000BD02}60645460C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x8000000000000000339876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.271{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe22.077.0410.0007Microsoft OneDrive (32 bit) SetupMicrosoft OneDriveMicrosoft CorporationOneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /allusers /permachine /childprocess /cusid:S-1-5-21-2226226129-4232087961-3617130143-500 C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=57BD20860B333E1F0AE01D612BF5D8A4,SHA256=8E38A8A019E4EB0D2D12DDB43B5216CD3EB78EFB85531A598090E825DA640E08,IMPHASH=0E0F2D94DEC3CC19CD327330E4012D60{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" /silent /allusers 10341000x8000000000000000339875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.271{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.235{72106695-B539-63D3-1E04-00000000BD02}59244328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000339873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.174{72106695-B538-63D3-1C04-00000000BD02}6064WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\parentTelemetryCache.otc-journalMD5=3AEB24A47A0CF92C50A6D02811CCFA82,SHA256=B7AB1650F845C41EE2362BB66E32ECD52833C0485F51E3B86CAAECCB562E41AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85709B68CD9A4B7C343DF9BE00CA0CBD,SHA256=DEB71ED03162809DC7127A599EFD6704BD8D6C43CE6510D07AD8AAE96FA58BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000339871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.162{72106695-B538-63D3-1C04-00000000BD02}6064WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\parentTelemetryCache.otc-journalMD5=64FE6ADC180E146961F9990892240985,SHA256=331D42B042DBF56505ED81C518667247E9A22E1AF12E2F799BDBC33398DC2066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000339870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:55.977{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C9838BB7AB4BAFF08C2166F296863A,SHA256=C08C6856C506A970FC604184CC63C67AF7F07E9B5F633D7E581F17C070796A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000340009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.993{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000340008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.993{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ipcsecproc.dll2023-01-27 11:27:55.992 10341000x8000000000000000340007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.990{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.990{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.990{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 11241100x8000000000000000340004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.989{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ipcfile.dll2023-01-27 11:27:55.988 11241100x8000000000000000340003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.967{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\hermes.dll2023-01-27 11:27:55.967 11241100x8000000000000000340002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.946{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncViews.dll2023-01-27 11:27:55.946 11241100x8000000000000000340001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.945{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncTelemetryExtensions.dll2023-01-27 11:27:55.945 11241100x8000000000000000340000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.940{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncSqlite3.dll2023-01-27 11:27:55.940 11241100x8000000000000000339999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.929{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll2023-01-27 11:27:55.929 11241100x8000000000000000339998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.871{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncSessions.dll2023-01-27 11:27:55.871 11241100x8000000000000000339997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.839{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncService.dll2023-01-27 11:27:55.839 11241100x8000000000000000339996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.839{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncRNWin32Lib.dll2023-01-27 11:27:55.839 11241100x8000000000000000339995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.839{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncRNUWP.dll2023-01-27 11:27:55.839 10341000x8000000000000000339994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.824{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.824{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.824{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.824{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000339990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:27:55.824{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{8d647b99-4e7b-4679-5e7e-79717ad0c016}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\BinProductVersion16.0.13801.0 13241300x8000000000000000339989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:27:55.824{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{8d647b99-4e7b-4679-5e7e-79717ad0c016}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\LinkDate02/27/2021 04:29:24 13241300x8000000000000000339988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:27:55.824{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{8d647b99-4e7b-4679-5e7e-79717ad0c016}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\Publishermicrosoft corporation 13241300x8000000000000000339987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:27:55.824{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{8d647b99-4e7b-4679-5e7e-79717ad0c016}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\LowerCaseLongPathc:\temp\officesetup.exe 354300x8000000000000000339986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.715{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51051-false23.219.53.18a23-219-53-18.deploy.static.akamaitechnologies.com443https 354300x8000000000000000339985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.649{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51050-false20.98.236.80-443https 354300x8000000000000000339984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.380{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51049-false10.0.1.12-8000- 11241100x8000000000000000339983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:55.808{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncHelper.exe2023-01-27 11:27:55.808 11241100x8000000000000000339982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.808{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncFALWB.dll2023-01-27 11:27:55.808 11241100x8000000000000000339981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.793{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncFAL.dll2023-01-27 11:27:55.793 11241100x8000000000000000339980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:55.793{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe2023-01-27 11:27:55.793 11241100x8000000000000000339979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.730{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncClient.dll2023-01-27 11:27:55.730 10341000x8000000000000000339978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.730{72106695-9B85-63D3-1200-00000000BD02}10005968C:\Windows\System32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+2b221|c:\windows\system32\pcasvc.dll+f70d|c:\windows\system32\pcasvc.dll+20e94|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000339977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.730{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSync.Resources.dll2023-01-27 11:27:55.730 11241100x8000000000000000339976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.730{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSync.LocalizedResources.dll2023-01-27 11:27:55.730 11241100x8000000000000000339975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.730{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileCoAuthLib.dll2023-01-27 11:27:55.730 11241100x8000000000000000339974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:55.714{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileCoAuth.exe2023-01-27 11:27:55.714 11241100x8000000000000000339973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.714{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ETWlog.dll2023-01-27 11:27:55.714 11241100x8000000000000000339972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.714{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\concrt140_app.dll2023-01-27 11:27:55.714 11241100x8000000000000000339971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.714{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\CollectSyncLogs.bat2023-01-27 11:27:55.714 11241100x8000000000000000339970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:27:55.699 10341000x8000000000000000339963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.699{72106695-B499-63D3-D903-00000000BD02}57766060C:\Windows\system32\msiexec.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fbad|C:\Windows\system32\Msi.dll+2eb1e|C:\Windows\system32\Msi.dll+47575|C:\Windows\system32\Msi.dll+10b335|C:\Windows\system32\Msi.dll+10a556|C:\Windows\system32\Msi.dll+f4b1f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000339962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:27:55.699 11241100x8000000000000000339958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-util-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-sysinfo-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-synch-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-string-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-rtlsupport-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-profile-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:27:55.683 11241100x8000000000000000339945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-processthreads-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-processenvironment-l1-1-0.dll2023-01-27 11:27:55.683 10341000x8000000000000000339943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.683{72106695-9B85-63D3-1700-00000000BD02}12241604C:\Windows\System32\svchost.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000339942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-namedpipe-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-memory-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-libraryloader-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-interlocked-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-heap-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-handle-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-file-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.683{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-fibers-l1-1-0.dll2023-01-27 11:27:55.683 11241100x8000000000000000339931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-errorhandling-l1-1-0.dll2023-01-27 11:27:55.668 11241100x8000000000000000339930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-debug-l1-1-0.dll2023-01-27 11:27:55.668 11241100x8000000000000000339929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-datetime-l1-1-0.dll2023-01-27 11:27:55.668 11241100x8000000000000000339928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-console-l1-2-0.dll2023-01-27 11:27:55.668 11241100x8000000000000000339927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\api-ms-win-core-console-l1-1-0.dll2023-01-27 11:27:55.668 11241100x8000000000000000339926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:55.668{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\adal.dll2023-01-27 11:27:55.668 10341000x8000000000000000339925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.574{72106695-B53B-63D3-2104-00000000BD02}20365516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000339924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:53.712{72106695-9B85-63D3-1400-00000000BD02}1032oneclient.sfx.ms0type: 5 oneclient.sfx.ms.edgekey.net;type: 5 e9659.dspg.akamaiedge.net;::ffff:23.219.53.18;C:\Windows\System32\svchost.exe 10341000x8000000000000000339923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B53B-63D3-2104-00000000BD02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B53B-63D3-2104-00000000BD02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000339917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B53B-63D3-2104-00000000BD02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000339916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.418{72106695-B53B-63D3-2104-00000000BD02}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000339915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.199{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737A671901D73A784BD5D633DC792B70,SHA256=BDD0EF0A6312BCF071B2E6F599F1C13ED749D00F27807F9A85AB8D8A285804F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000339914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.183{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.998{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.998{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.998{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.998{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.995{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.995{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.995{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.995{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.993{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.993{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.993{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.993{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.992{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.991{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.991{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.991{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.990{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.990{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.990{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.989{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.987{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.987{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.987{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.987{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.985{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.985{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.985{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.985{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.983{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.983{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.983{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.983{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.981{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.981{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.981{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.981{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.979{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.979{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.979{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.979{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.976{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.976{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.976{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.976{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.974{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.974{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.974{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.974{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.972{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.972{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.972{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.972{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.970{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.970{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.970{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.970{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.969{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.969{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.969{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.969{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.967{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.967{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.967{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.966{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.964{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.964{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.964{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.964{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.963{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.963{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.963{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.962{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.961{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.960{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.960{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.960{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.958{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.958{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.958{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.958{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.956{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.955{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.955{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.955{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.954{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.954{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.953{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.953{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.951{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.951{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.951{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.951{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.948{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.948{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.948{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.948{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.946{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.946{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.946{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.946{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\platforms\qwindows.dll2023-01-27 11:27:56.931 10341000x8000000000000000340395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.931{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.929{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.929{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.929{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.929{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.925{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.919{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.918{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.918{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.918{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.918{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.917{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.917{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.917{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.917{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.910{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.909{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.909{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.909{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.909{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.907{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.907{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.907{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.907{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.905{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.905{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.905{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.905{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.903{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.903{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.903{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.903{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.901{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.901{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.900{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.900{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.899{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.899{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.898{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.898{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.881{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.881{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.881{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.881{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 23542300x8000000000000000340319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.881{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A9377785F6D1BFE5B336AB836C12A6,SHA256=AF0A1CC0D72A4EDEC2DFC81CACE5299759A19849C11AE1718947F6BBCF280ECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000340318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.866{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Teams Installer\Teams.exe2023-01-27 11:27:56.866 23542300x8000000000000000340317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.866{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\62052f.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.866{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF559523F89E622776.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000340315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.866{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAD777DFC359AEE55.TMPMD5=B4B6461EAB62BE4079C96973D4196B78,SHA256=4BAF0FB96BBFFA88313C07F8F27314C4BCF4B4D04098A4A9481F248EEAE78FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000340314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.535{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51052-false20.189.173.4-443https 23542300x8000000000000000340313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.834{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI81CB.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.834{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.834{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.819{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B1285F9287C117E4D5C23473BF2B052,SHA256=06487EF4CA8DE4B12684F23AC95244ADCE8FC619A287CFC5F44312C5436845BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.803{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.787{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\IRMProtectors\Microsoft.Office.Irm.OfcProtector.dll2023-01-27 11:27:56.772 11241100x8000000000000000340260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\IRMProtectors\Microsoft.Office.Irm.MsoProtector.dll2023-01-27 11:27:56.772 11241100x8000000000000000340259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\IRMProtectors\microsoft.aip.pdfprotector.dll2023-01-27 11:27:56.772 10341000x8000000000000000340258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.772{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\imageformats\qsvg.dll2023-01-27 11:27:56.772 11241100x8000000000000000340253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\imageformats\qjpeg.dll2023-01-27 11:27:56.759 11241100x8000000000000000340252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\imageformats\qgif.dll2023-01-27 11:27:56.759 10341000x8000000000000000340251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.759{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.744{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.742{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.742{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.742{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.742{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.739{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.739{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.739{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.739{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.736{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.736{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.736{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.736{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.733{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.733{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.732{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.732{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.730{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.730{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.730{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.729{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.727{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.727{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.727{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.726{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.724{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.724{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.723{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.723{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.721{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.721{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.721{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.721{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.718{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.718{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.717{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.717{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.716{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.716{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.716{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.716{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.714{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.714{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.714{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.713{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.711{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.711{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.711{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.711{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.708{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.708{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.708{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.708{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.705{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.705{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.705{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.704{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B53C-63D3-2304-00000000BD02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B53C-63D3-2304-00000000BD02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B53C-63D3-2304-00000000BD02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 154100x8000000000000000340144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.700{72106695-B53C-63D3-2304-00000000BD02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000340143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EBEAF7E2460B862E4E0FA6DDA7F198,SHA256=26B42BAA39A978252F720C40858106917FABC2120769A409BBB5650FA19129D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.696{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.695{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.695{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.695{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.695{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.679{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.664{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\arm64\FileSyncShell64.dll2023-01-27 11:27:56.648 11241100x8000000000000000340105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\arm64\FileCoAuthLib64.dll2023-01-27 11:27:56.648 10341000x8000000000000000340104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.648{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll2023-01-27 11:27:56.633 11241100x8000000000000000340095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileCoAuthLib64.dll2023-01-27 11:27:56.633 10341000x8000000000000000340094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1ce67f(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1ce671(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.633{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1ce671(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9 11241100x8000000000000000340075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\WnsClientApi.dll2023-01-27 11:27:56.617 11241100x8000000000000000340074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\WebView2Loader.dll2023-01-27 11:27:56.617 11241100x8000000000000000340073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\vcruntime140_app.dll2023-01-27 11:27:56.617 11241100x8000000000000000340072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\vcruntime140.dll2023-01-27 11:27:56.617 11241100x8000000000000000340071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\vcomp140_app.dll2023-01-27 11:27:56.617 11241100x8000000000000000340070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\vccorlib140_app.dll2023-01-27 11:27:56.617 11241100x8000000000000000340069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\vcamp140_app.dll2023-01-27 11:27:56.617 11241100x8000000000000000340068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.617{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\UpdateRingSettings.dll2023-01-27 11:27:56.617 11241100x8000000000000000340067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.601{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ucrtbase.dll2023-01-27 11:27:56.601 11241100x8000000000000000340066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.601{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ThirdPartyNotices.txt2023-01-27 11:27:56.601 11241100x8000000000000000340065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.601{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Telemetry.dll2023-01-27 11:27:56.601 11241100x8000000000000000340064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.539{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\SyncEngine.dll2023-01-27 11:27:56.539 11241100x8000000000000000340063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.523{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\ReactNativePicker.dll2023-01-27 11:27:56.523 11241100x8000000000000000340062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.523{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5WinExtras.dll2023-01-27 11:27:56.523 11241100x8000000000000000340061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.476{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Widgets.dll2023-01-27 11:27:56.476 11241100x8000000000000000340060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.476{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Svg.dll2023-01-27 11:27:56.476 11241100x8000000000000000340059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.476{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5QuickTemplates2.dll2023-01-27 11:27:56.476 11241100x8000000000000000340058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.476{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5QuickControls2.dll2023-01-27 11:27:56.476 11241100x8000000000000000340057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.445{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Quick.dll2023-01-27 11:27:56.445 11241100x8000000000000000340056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.445{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5QmlWorkerScript.dll2023-01-27 11:27:56.445 11241100x8000000000000000340055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.445{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5QmlModels.dll2023-01-27 11:27:56.445 11241100x8000000000000000340054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.429{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Qml.dll2023-01-27 11:27:56.429 11241100x8000000000000000340053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.429{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5PrintSupport.dll2023-01-27 11:27:56.429 11241100x8000000000000000340052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.417{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Network.dll2023-01-27 11:27:56.417 11241100x8000000000000000340051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.384{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Gui.dll2023-01-27 11:27:56.369 11241100x8000000000000000340050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.369{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5DBus.dll2023-01-27 11:27:56.369 23542300x8000000000000000340049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.338{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB891726050133E440D8A29E30B5DBA,SHA256=F7462CD7436B4CBC226EFA23EC8473FD2DAA9125620ADC4E656670B6AAD42CCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.338{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4639411B421E8812A7F5F5B8414C5696,SHA256=522A81C12C57AC1068EBEEA5C7AC08B61351563BEB6922E8F915BDBAD4853BCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000340047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.338{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Qt5Core.dll2023-01-27 11:27:56.338 11241100x8000000000000000340046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.306{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveUpdaterService.exe2023-01-27 11:27:56.306 11241100x8000000000000000340045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.306{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveTelemetryStable.dll2023-01-27 11:27:56.306 11241100x8000000000000000340044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.291{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveTelemetryExperimental.dll2023-01-27 11:27:56.291 10341000x8000000000000000340043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.275{72106695-B53C-63D3-2204-00000000BD02}33044520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000340042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.263{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveStandaloneUpdater.exe2023-01-27 11:27:56.263 11241100x8000000000000000340041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.263{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveFileLauncher.exe2023-01-27 11:27:56.263 11241100x8000000000000000340040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDrive.exe2023-01-27 11:27:56.247 11241100x8000000000000000340039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140_atomic_wait.dll2023-01-27 11:27:56.247 11241100x8000000000000000340038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140_app.dll2023-01-27 11:27:56.247 11241100x8000000000000000340037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140_2_app.dll2023-01-27 11:27:56.247 11241100x8000000000000000340036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140_1_app.dll2023-01-27 11:27:56.247 11241100x8000000000000000340035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140_1.dll2023-01-27 11:27:56.247 11241100x8000000000000000340034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.247{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msvcp140.dll2023-01-27 11:27:56.247 11241100x8000000000000000340033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.235{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\msipc.dll2023-01-27 11:27:56.235 11241100x8000000000000000340032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.UI.Xaml.dll2023-01-27 11:27:56.198 11241100x8000000000000000340031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.197{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.Toolkit.Win32.UI.XamlHost.dll2023-01-27 11:27:56.196 11241100x8000000000000000340030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.191{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.WebSocketClient.dll2023-01-27 11:27:56.191 11241100x8000000000000000340029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.190{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.NativeMessagingClient.exe2023-01-27 11:27:56.190 354300x8000000000000000449009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:53.156{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54174- 354300x8000000000000000449008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:53.082{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64636- 11241100x8000000000000000340028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.186{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.HttpSvr.dll2023-01-27 11:27:56.186 11241100x8000000000000000340027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:56.181{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.exe2023-01-27 11:27:56.181 11241100x8000000000000000340026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.100{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.dll2023-01-27 11:27:56.100 10341000x8000000000000000340025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.088{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B53C-63D3-2204-00000000BD02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.086{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.086{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000340022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.085{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.Calc.dll2023-01-27 11:27:56.085 10341000x8000000000000000340021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.085{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.085{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B53C-63D3-2204-00000000BD02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.085{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.085{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B53C-63D3-2204-00000000BD02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000340017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:56.085{72106695-B53C-63D3-2204-00000000BD02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000340016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.069{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.ReactNative.dll2023-01-27 11:27:56.069 11241100x8000000000000000340015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.060{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogUploader.dll2023-01-27 11:27:56.060 11241100x8000000000000000340014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.055{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LoggingPlatform.dll2023-01-27 11:27:56.054 11241100x8000000000000000340013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.049{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\libssl-1_1.dll2023-01-27 11:27:56.049 11241100x8000000000000000340012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.026{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\libGLESv2.dll2023-01-27 11:27:56.026 11241100x8000000000000000340011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.026{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\libEGL.dll2023-01-27 11:27:56.026 11241100x8000000000000000340010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:56.005{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\libcrypto-1_1.dll2023-01-27 11:27:56.004 10341000x8000000000000000340770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.948{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000340769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:54.646{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51053-false72.21.91.29-80http 23542300x8000000000000000340768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.858{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.scale-400.pngMD5=096D0E769212718B8DE5237B3427AACC,SHA256=9A0B901E97ABE02036C782EB6A2471E18160B89FD5141A5A9909F0BAAB67B1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.857{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.scale-200.pngMD5=D9D00ECB4BB933CDBB0CD1B5D511DCF5,SHA256=85823F7A5A4EBF8274F790A88B981E92EDE57BDE0BA804F00B03416EE4FEDA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.856{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.scale-150.pngMD5=ED306D8B1C42995188866A80D6B761DE,SHA256=7E3F35D5EB05435BE8D104A2EACF5BACE8301853104A4EA4768601C607DDF301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.854{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.scale-125.pngMD5=09F3F8485E79F57F0A34ABD5A67898CA,SHA256=69E432D1EEC44BED4AAD35F72A912E1F0036A4B501A50AEC401C9FA260A523E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.853{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.scale-100.pngMD5=1F156044D43913EFD88CAD6AA6474D73,SHA256=4E11167708801727891E8DD9257152B7391FC483D46688D61F44B96360F76816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.851{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-white_scale-400.pngMD5=3C29933AB3BEDA6803C4B704FBA48C53,SHA256=3A7EF7C0BDA402FDAFF19A479D6C18577C436A5F4E188DA4C058A42EF09A7633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.850{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-white_scale-200.pngMD5=22E17842B11CD1CB17B24AA743A74E67,SHA256=9833B80DEF72B73FCA150AF17D4B98C8CD484401F0E2D44320ECD75B5BB57C42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.849{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-white_scale-150.pngMD5=552B0304F2E25A1283709AD56C4B1A85,SHA256=262B9A30BB8DB4FC59B5BC348AA3813C75E113066A087135D0946AD916F72535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.846{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-white_scale-125.pngMD5=2C7A9E323A69409F4B13B1C3244074C4,SHA256=8EFEACEFB92D64DFB1C4DF2568165DF6436777F176ACCFD24F4F7970605D16C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.845{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-white_scale-100.pngMD5=F4E9F958ED6436AEF6D16EE6868FA657,SHA256=292CAC291AF7B45F12404F968759AFC7145B2189E778B14D681449132B14F06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.843{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-400.pngMD5=3C29933AB3BEDA6803C4B704FBA48C53,SHA256=3A7EF7C0BDA402FDAFF19A479D6C18577C436A5F4E188DA4C058A42EF09A7633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.842{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-200.pngMD5=22E17842B11CD1CB17B24AA743A74E67,SHA256=9833B80DEF72B73FCA150AF17D4B98C8CD484401F0E2D44320ECD75B5BB57C42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.841{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-150.pngMD5=552B0304F2E25A1283709AD56C4B1A85,SHA256=262B9A30BB8DB4FC59B5BC348AA3813C75E113066A087135D0946AD916F72535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.840{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-125.pngMD5=2C7A9E323A69409F4B13B1C3244074C4,SHA256=8EFEACEFB92D64DFB1C4DF2568165DF6436777F176ACCFD24F4F7970605D16C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.839{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-100.pngMD5=F4E9F958ED6436AEF6D16EE6868FA657,SHA256=292CAC291AF7B45F12404F968759AFC7145B2189E778B14D681449132B14F06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.837{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.scale-400.pngMD5=E593676EE86A6183082112DF974A4706,SHA256=DEB0EC0EE8F1C4F7EA4DE2C28FF85087EE5FF8C7E3036C3B0A66D84BAE32B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.835{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.scale-200.pngMD5=13E6BAAC125114E87F50C21017B9E010,SHA256=3384357B6110F418B175E2F0910CFFE588C847C8E55F2FE3572D82999A62C18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.834{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.scale-150.pngMD5=A23C55AE34E1B8D81AA34514EA792540,SHA256=3DF4590386671E0D6FEE7108E457EB805370A189F5FDFEAF2F2C32D5ADC76ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.833{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.scale-125.pngMD5=D03B7EDAFE4CB7889418F28AF439C9C1,SHA256=A5294E3C7CD855815F8D916849D87BD2357F5165EB4372F248FDF8B988601665,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.832{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.scale-100.pngMD5=57A6876000151C4303F99E9A05AB4265,SHA256=8ACBDD41252595B7410CA2ED438D6D8EDE10BD17FE3A18705EEDC65F46E4C1C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.831{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-white_scale-400.pngMD5=ADBBEB01272C8D8B14977481108400D6,SHA256=9250EF25EFC2A9765CF1126524256FDFC963C8687EDFDC4A2ECDE50D748ADA85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.829{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-white_scale-200.pngMD5=F1C75409C9A1B823E846CC746903E12C,SHA256=FBA9104432CBB8EBBD45C18EF1BA46A45DD374773E5AA37D411BB023DED8EFD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.828{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-white_scale-150.pngMD5=DE5BA8348A73164C66750F70F4B59663,SHA256=A0BBE33B798C3ADAC36396E877908874CFFAADB240244095C68DFF840DCBBF73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.827{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-white_scale-125.pngMD5=8347D6F79F819FCF91E0C9D3791D6861,SHA256=E8B30BFCEE8041F1A70E61CA46764416FD1DF2E6086BA4C280BFA2220C226750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.826{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-white_scale-100.pngMD5=19876B66DF75A2C358C37BE528F76991,SHA256=A024FC5DBE0973FD9267229DA4EBFD8FC41D73CA27A2055715AAFE0EFB4F3425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.824{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-black_scale-400.pngMD5=E01CDBBD97EEBC41C63A280F65DB28E9,SHA256=5CB8FD670585DE8A7FC0CEEDE164847522D287EF17CD48806831EA18A0CEAC1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.823{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-black_scale-200.pngMD5=09773D7BB374AEEC469367708FCFE442,SHA256=67D1BB54FCB19C174DE1936D08B5DBDB31B98CFDD280BCC5122FB0693675E4F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.822{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-black_scale-150.pngMD5=771BC7583FE704745A763CD3F46D75D2,SHA256=36A6AAD9A9947AB3F6AC6AF900192F5A55870D798BCA70C46770CCF2108FD62D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.821{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-black_scale-125.pngMD5=B83AC69831FD735D5F3811CC214C7C43,SHA256=CBDCF248F8A0FCD583B475562A7CDCB58F8D01236C7D06E4CDBFE28E08B2A185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.816{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\OneDriveMedTile.contrast-black_scale-100.pngMD5=72747C27B2F2A08700ECE584C576AF89,SHA256=6F028542F6FAEAAF1F564EAB2605BEDB20A2EE72CDD9930BDE1A3539344D721B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.815{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=141F4CE24A920A2483A9EF0B2222D61E,SHA256=5A096904A2FC2D79E3BAE47B1691CA3FC6696E50D170468B0F0A71DF0385FB4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.803{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDrive.exeMD5=40A72EB7E94D181F59CD423FFB8D23DF,SHA256=E0E97299BCB8C5162C6A4D3F297ECFA8493E8AD15EB53BA6E6517D12B37B6018,IMPHASH=C793441793CCB8BFC2B34CCB967775E9truefalse - insufficient disk space 11241100x8000000000000000340736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:57.779{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe2023-01-27 11:27:57.779 10341000x8000000000000000340735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.779{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000340734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:27:57.768{72106695-B53D-63D3-2504-00000000BD02}6108\SfxCA_6587656C:\Windows\SysWOW64\rundll32.exe 10341000x8000000000000000340733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.768{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.766{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.760{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.754{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.754{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.701{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 11241100x8000000000000000340727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:57.699{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveSetup.exe2023-01-27 11:27:57.699 10341000x8000000000000000340726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.698{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.698{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.697{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.697{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.696{72106695-B53D-63D3-2404-00000000BD02}4848920C:\Windows\syswow64\MsiExec.exe{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\Installer\MSI84AA.tmp+28f8(wow64)|C:\Windows\Installer\MSI84AA.tmp+247f(wow64)|C:\Windows\Installer\MSI84AA.tmp+3a91(wow64)|C:\Windows\System32\msi.dll+ab3b3(wow64)|C:\Windows\System32\msi.dll+181346(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000340721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.695{72106695-B53D-63D3-2504-00000000BD02}6108C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe "C:\Windows\Installer\MSI84AA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6587656 1821 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.RemoveRegKeyFromPreviousInstallC:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e72SystemMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\SysWOW64\msiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9191914ACA3FC93DF32FA1302793A0DD E Global\MSI0000 17141700x8000000000000000340720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:27:57.682{72106695-B53D-63D3-2404-00000000BD02}4848\SfxCA_6587656C:\Windows\syswow64\MsiExec.exe 10341000x8000000000000000340719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.618{72106695-B53D-63D3-2404-00000000BD02}48484628C:\Windows\syswow64\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7887|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000340718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.615{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000340717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.587{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll2023-01-27 11:27:57.587 10341000x8000000000000000340716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.587{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.587{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.587{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.587{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.587{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B499-63D3-D903-00000000BD02}57764904C:\Windows\system32\msiexec.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000340705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.582{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\SysWOW64\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9191914ACA3FC93DF32FA1302793A0DD E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e72SystemMD5=0E6BA8C0B882285D2B4FD61D0688D65B,SHA256=6929777BD6CEDDDFFF86FC7F505374D5AC0FA0F63722DC1C88594E16FBAFFAD1,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x8000000000000000340704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.572{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.571{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.571{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.571{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.570{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.570{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.570{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.569{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.569{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.569{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.568{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.568{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.568{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.567{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.567{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000340672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:57.567{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\URLUpdateInfo(Empty) 13241300x8000000000000000340671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:27:57.567{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\PublisherMicrosoft Corporation 13241300x8000000000000000340670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:57.567{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\InstallSourceC:\Program Files\Microsoft Office\root\integration\Addons\ 10341000x8000000000000000340669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.566{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.566{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.565{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.565{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.557{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.557{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.557{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.557{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.556{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Window.2\windowplugin.dll2023-01-27 11:27:57.556 10341000x8000000000000000340660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.555{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.555{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.555{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.555{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.542{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Templates.2\qtquicktemplates2plugin.dll2023-01-27 11:27:57.542 10341000x8000000000000000340655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.542{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.542{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.542{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.542{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Layouts\qquicklayoutsplugin.dll2023-01-27 11:27:57.529 10341000x8000000000000000340650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Extras\qtquickextrasplugin.dll2023-01-27 11:27:57.529 10341000x8000000000000000340645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.529{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.514{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll2023-01-27 11:27:57.514 10341000x8000000000000000340640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.514{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.514{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.514{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.514{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.512{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick\Controls\qtquickcontrolsplugin.dll2023-01-27 11:27:57.492 10341000x8000000000000000340635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64) 10341000x8000000000000000340632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64) 10341000x8000000000000000340628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 11241100x8000000000000000340627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQml\Models.2\modelsplugin.dll2023-01-27 11:27:57.492 10341000x8000000000000000340626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQuick.2\qtquick2plugin.dll2023-01-27 11:27:57.492 10341000x8000000000000000340621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 11241100x8000000000000000340617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\qml\QtQml\qmlplugin.dll2023-01-27 11:27:57.492 10341000x8000000000000000340616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.492{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.491{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.491{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.468{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.467{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000340610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1060,RunKeySetValue2023-01-27 11:27:57.466{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TeamsMachineInstaller%%ProgramFiles%%\Teams Installer\Teams.exe --checkInstall --source=PROPLUS 254200x8000000000000000340609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10992023-01-27 11:27:57.445{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Teams Installer\Teams.exe2022-03-21 23:27:06.0002023-01-27 11:27:56.866 10341000x8000000000000000340608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.404{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.403{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.403{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.403{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.061{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.061{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.061{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64) 10341000x8000000000000000340601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.061{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.060{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.060{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb 10341000x8000000000000000340598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.060{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64) 10341000x8000000000000000340597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.060{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.059{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.059{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.059{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.059{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.057{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.057{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.057{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.057{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.054{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.054{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.054{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.054{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.052{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.052{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.052{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.052{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.050{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.050{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.050{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.050{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.049{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.048{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.048{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.048{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.047{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.047{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.047{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.047{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.045{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.045{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.045{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.045{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.043{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.043{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.043{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.043{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.041{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.041{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.041{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.041{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.040{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.039{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.039{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.039{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.038{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.038{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.038{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.038{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.036{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.036{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.036{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.036{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.035{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.034{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.034{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.034{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.032{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.032{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.032{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.032{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.030{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.030{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.030{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.030{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.028{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.028{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.028{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.027{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.025{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.025{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.025{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.025{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.023{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.023{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.023{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.023{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.020{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.020{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.020{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.020{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.018{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.018{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.018{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.018{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.016{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.016{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.016{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.016{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.014{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.014{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.014{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.013{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.011{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.011{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.011{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.011{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 10341000x8000000000000000340500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.009{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.009{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28a8a9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+28d4fb|C:\Windows\SYSTEM32\ntdll.dll+2b654(wow64) 10341000x8000000000000000340498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.009{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17 10341000x8000000000000000340497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:57.009{72106695-B53A-63D3-1F04-00000000BD02}16641712C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29439b|C:\Windows\SYSTEM32\Cabinet.dll+4bba(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+293e17|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+292b74 23542300x8000000000000000449013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:57.074{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C6FBF5052854ACBEF66FFDAA8BC25E,SHA256=7D85AB83184A080E653E24910AA3FCDA82B132FB9720316D7C556C140F422BBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:54.397{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50495- 354300x8000000000000000449011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:54.397{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62647- 354300x8000000000000000449010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:54.087{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62489- 10341000x8000000000000000340901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.994{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.988{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.988{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_1_0.pngMD5=099BA37F81C044F6B2609537FDB7D872,SHA256=8C98C856E4D43F705FF9A5C9A55F92E1885765654912B4C75385C3EA2FDEF4A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.988{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{3ADAE358-04C6-4ECD-8021-C3FC61586448}.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000340893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000340892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000340885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 23542300x8000000000000000340884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_5_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}3672372C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000340876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.946{72106695-B105-63D3-2003-00000000BD02}3672372C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 354300x8000000000000000340875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:55.334{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51054-false20.189.173.4-443https 10341000x8000000000000000340874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.355{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B53E-63D3-2604-00000000BD02}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C47147140255F34ABFF5240F3E81736,SHA256=B03935CF4951D8BEA1313E084EE2B828EDAD61EA46EFB9403971330C88B606B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B53E-63D3-2604-00000000BD02}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.339{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B53E-63D3-2604-00000000BD02}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000340866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.179{72106695-B53E-63D3-2604-00000000BD02}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000340865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.256{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-106MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000340864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:27:58.212{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\OneDrive Reporting Task-S-1-5-21-2226226129-4232087961-3617130143-5002023-01-27 11:27:58.212 13241300x8000000000000000340863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.209{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TriggerInfo\0\DataType0DWORD (0x00000002) 13241300x8000000000000000340862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.209{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TriggerInfo\0\Data0Binary Data 13241300x8000000000000000340861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.209{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TriggerInfo\0\GuidBinary Data 13241300x8000000000000000340860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.209{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TriggerInfo\0\ActionDWORD (0x00000001) 13241300x8000000000000000340859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.209{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TriggerInfo\0\TypeDWORD (0x00000006) 13241300x8000000000000000340858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\DescriptionHelper service for OneDrive 13241300x8000000000000000340857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\ObjectNameLocalSystem 13241300x8000000000000000340856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\WOW64DWORD (0x00000001) 13241300x8000000000000000340855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\DependOnServiceBinary Data 13241300x8000000000000000340854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\DisplayNameFileSyncHelper 13241300x8000000000000000340853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\ImagePath"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncHelper.exe" 13241300x8000000000000000340852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\ErrorControlDWORD (0x00000001) 13241300x8000000000000000340851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\StartDWORD (0x00000003) 13241300x8000000000000000340850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.208{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileSyncHelper\TypeDWORD (0x00000010) 13241300x8000000000000000340849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.205{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TriggerInfo\0\DataType0DWORD (0x00000002) 13241300x8000000000000000340848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.205{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TriggerInfo\0\Data0Binary Data 13241300x8000000000000000340847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.205{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TriggerInfo\0\GuidBinary Data 13241300x8000000000000000340846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.205{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TriggerInfo\0\ActionDWORD (0x00000001) 13241300x8000000000000000340845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.205{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TriggerInfo\0\TypeDWORD (0x00000006) 13241300x8000000000000000340844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\DescriptionKeeps your OneDrive up to date. 13241300x8000000000000000340843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\ObjectNameLocalSystem 13241300x8000000000000000340842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\WOW64DWORD (0x00000001) 13241300x8000000000000000340841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\DependOnServiceBinary Data 13241300x8000000000000000340840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\DisplayNameOneDrive Updater Service 13241300x8000000000000000340839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\ImagePath"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveUpdaterService.exe" 13241300x8000000000000000340838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\ErrorControlDWORD (0x00000001) 13241300x8000000000000000340837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\StartDWORD (0x00000003) 13241300x8000000000000000340836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.204{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneDrive Updater Service\TypeDWORD (0x00000010) 13241300x8000000000000000340835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7\(Default){C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} 13241300x8000000000000000340834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6\(Default){9AA2F32D-362A-42D9-9328-24A483E2CCC3} 13241300x8000000000000000340833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5\(Default){A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} 13241300x8000000000000000340832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4\(Default){F241C880-6982-4CE5-8CF7-7085BA96DA5A} 13241300x8000000000000000340831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3\(Default){A78ED123-AB77-406B-9962-2A5D9D2F7F30} 13241300x8000000000000000340830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2\(Default){5AB7172C-9C11-405C-8DD5-AF20F3606282} 13241300x8000000000000000340829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.199{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1\(Default){BBACC218-34EA-4666-9D7A-C78F2274A524} 13241300x8000000000000000340828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.193{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneDriveFileLauncher.exe\SkipCloudDownloadDWORD (0x00000001) 13241300x8000000000000000340827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.193{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\.loop\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveFileLauncher.exe" "%%1" 13241300x8000000000000000340826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.193{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\.whiteboard\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveFileLauncher.exe" "%%1" 13241300x8000000000000000340825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.193{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\.note\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveFileLauncher.exe" "%%1" 13241300x8000000000000000340824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.192{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\.fluid\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveFileLauncher.exe" "%%1" 13241300x8000000000000000340823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.190{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\mssharepointclient\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.exe" /protocol:"%%1" 13241300x8000000000000000340822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.190{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\mssharepointclient\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\Microsoft.SharePoint.exe" /protocol:"%%1" 13241300x8000000000000000340821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.183{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileCoAuthLib64.dll 13241300x8000000000000000340820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.181{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileCoAuthLib.dll 13241300x8000000000000000340819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\IE.AssocFile.URL\ShellEx\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\IE.AssocFile.URL\ShellEx\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\Directory\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.169{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\Directory\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\Directory\background\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\Directory\background\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\*\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\*\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x8000000000000000340809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.168{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.167{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.167{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.167{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.167{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.166{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.166{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.166{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.166{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.165{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.165{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.165{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.165{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.165{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.164{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.164{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.164{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.164{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.164{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.163{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncShell.dll 13241300x8000000000000000340786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1122SetValue2023-01-27 11:27:58.163{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\(Default)C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\amd64\FileSyncShell64.dll 13241300x8000000000000000340785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.108{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\odopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 13241300x8000000000000000340784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:27:58.108{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKCR\odopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 10341000x8000000000000000340783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.107{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23cee0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23d493|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23975b 10341000x8000000000000000340782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.107{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23cee0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23d493|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23975b 10341000x8000000000000000340781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.107{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667 10341000x8000000000000000340780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.107{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815 10341000x8000000000000000340779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.107{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23cee0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23d493|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23975b 10341000x8000000000000000340778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.106{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23cee0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23d493|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+23975b 10341000x8000000000000000340777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.106{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667 10341000x8000000000000000340776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.106{72106695-B53A-63D3-1F04-00000000BD02}16645520C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2043c8|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+204ad6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+1f4667|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+236815 11241100x8000000000000000340775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10232023-01-27 11:27:58.096{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk2023-01-27 11:27:58.095 23542300x8000000000000000340774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.052{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDriveStandaloneUpdater.exeMD5=3EBB81E246FD9082650092BD6B744163,SHA256=D1340511F08C9998E496111149735600F103D43F3155084BA60F3E8FBF6ACFD0,IMPHASH=D67D4E687A8897FB27BC6F10D6CF8B28truefalse - insufficient disk space 11241100x8000000000000000340773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:27:58.023{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe2023-01-27 11:27:58.023 23542300x8000000000000000340772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.021{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\OneDrive.VisualElementsManifest.xmlMD5=5AE2D05D894D1A55D9A1E4F593C68969,SHA256=D21077AD0C29A4C939B8C25F1186E2B542D054BB787B1D3210E9CAB48EC3080C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.018{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\LogoImages\Resources.priMD5=B877B5C461FCA673E7762DFC0DFC0724,SHA256=0139BC3A683AEA7362A9113A453F89ABEFD638CFF12548A637AF87CB15A71BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:55.883{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:58.075{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4810AA78BEED53153951424E2E181059,SHA256=1CD5A55E4E98FADCF5230B55FEC50C44E3DA6E07BD3DBAC8B31D96574E3651B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.687{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F0AA258E2CB275676EEC3EA69E1849F3,SHA256=D4C7BB7B1A5A0917E7E4D381AD9B12462DED527F37849F796E1D6A1FA4B035A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000341039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T10532023-01-27 11:27:59.549{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\OneDrive Per-Machine Standalone Update Task2023-01-27 11:27:59.549 13241300x8000000000000000341038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:59.548{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\UrlUpdateInfohttp://go.microsoft.com/fwlink/?LinkID=223554 13241300x8000000000000000341037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:27:59.548{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\UrlUpdateInfohttp://go.microsoft.com/fwlink/?LinkID=223554 13241300x8000000000000000341036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:27:59.548{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\PublisherMicrosoft Corporation 23542300x8000000000000000341035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.545{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI8AF5.tmpMD5=ADC69F47AE1703171DC401C4B3495339,SHA256=A98FD9935A91BCA7C490C03F16C71BC9A49D6D2909D2DF928680301BF8BB6166,IMPHASH=C2AAC1B2B9FA36FBEA7CD3D2B4516228truefalse - insufficient disk space 10341000x8000000000000000341034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.545{72106695-9B85-63D3-1200-00000000BD02}10005968C:\Windows\System32\svchost.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.539{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.536{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.536{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.536{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.535{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.535{72106695-B53A-63D3-1F04-00000000BD02}16646040C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x8000000000000000341027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.529{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe22.077.0410.0007Microsoft OneDrive Configuration ApplicationMicrosoft OneDriveMicrosoft CorporationFileSyncConfig.exe"C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe" /allusers C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=1FFEFB786C378AD9B30A1D3DE59DE892,SHA256=DDCE7EFA99A92E4133D735438882E60FB204AA23F7332014A2679D840DC012D8,IMPHASH=440C2F0F8C962261512C6C54FC983051{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /allusers /permachine /childprocess /cusid:S-1-5-21-2226226129-4232087961-3617130143-500 10341000x8000000000000000341026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.529{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.519{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\wix.dllMD5=D9F47A9075497473BE3420BF25060416,SHA256=87EE93C7BF77B9D93A972BA5A640DEFC178C0505304D8EE3D3F2EE340E9CA510,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.504{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Telemetry.dllMD5=BD34E77891DB934AB5DC13E3768DFCE7,SHA256=897D33A6D47ADD4FACE95D47109EEB96C2DC6954D52CF48BF127E53FED2C0736,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.503{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\System.Spatial.resources.dllMD5=AD73B408CD61BC349ECB29D018A90F25,SHA256=60225714F5F67C7AFE03ADAD6B06DE02396F687F441813847C7C5D083AB10FBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.503{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\System.Spatial.dllMD5=539ECBA6ADC02BD1711E0C0883A502AF,SHA256=0B347698A279A88CF278759100A488941AAF7ACCA96C52194845290D08A26366,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.501{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Squirrel.dllMD5=072ED1002377E0C5A6EFFFA27AAFD94A,SHA256=509AEC427B86C24B47D34DEF489E0F9A237E5E1DE999EE0F2ACBD7F5DA9FFCFC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.498{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Splat.dllMD5=9F5DC2E47908585E5A72F7AF09472504,SHA256=865E2B68580166AFF75D2E493D2564B44201A369ED7A4DA8645F42544726BBEF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.497{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\SetupConfigCustomAction.dllMD5=D7C45E1382B596096AF62AB465BEF017,SHA256=3782EED101B185C6CF4FCE661FB26C777718DE552D190E5B1F9255833DF0356E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.496{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\NuGet.Squirrel.dllMD5=927AB0F4C480D594DDFA36AEF1B06E52,SHA256=F38BCAD63B8CA88699BCCACC64F2FBD6D73B53E6818DC063DCAE17D7A7AC47CE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.490{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Mono.Cecil.dllMD5=AF742B762F03A29F99A2558AB6141515,SHA256=0C66A01F3A2223F23E57171BCE47403ADBF4B48E34A5B2EFFC7E7412701B2129,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.486{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Web.XmlTransform.dllMD5=6AD7D1E92C9833F4BDDE6A4BC84F2E1A,SHA256=13DCF5066E00152238191314D4A46605204FFABDBB830BDD0C97DF3027D1261D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.485{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Deployment.WindowsInstaller.dllMD5=D4C41DEE6A605C3B23377E0F147AAAAB,SHA256=3D120584E867B84E5A9979E29D322E53F296798EE90535C5AB13243D654AA115,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.483{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Deployment.Resources.dllMD5=FEB6EB81F13E468415E8920C0899DB09,SHA256=64B02CCA1D92F782A8B03F2C8B1E195369CE3099B8AC35A9E2060BA5094797D4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.482{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.Services.Client.resources.dllMD5=7F92069CFD4EA63487C25D6ECD96D1F3,SHA256=36DD5A40328C39E032F2CDB3B0F8CCF384716E46488A4E3356A387F74C03357B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.481{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.Services.Client.dllMD5=269BDEFAC8F933B2B133660BCEB81F13,SHA256=3CE056DD03533E4A8D9644B99ADE69B8CF6D5EDF3AB26FE2B9467AEC17A3C85D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.475{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.OData.resources.dllMD5=055CACF6D88D81AD52A8E30E83235CD2,SHA256=8435109572A7548A21C20CC0A3054060127F49376EFAF548AAA303828F257217,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.472{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.OData.dllMD5=2D8AEF0300B61BB6A075950900AEFFE3,SHA256=B37D4E017BB6444E00F7A840BD3562D194D199288A0B8406B6DCB431A867B702,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.460{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.Edm.resources.dllMD5=72CB6CEFD5CE2E63EF929EC63B5C84AF,SHA256=AFCC051B49B4A102BD618D8F3E914346D402588E42333F71C2AB43C9F90F5590,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.459{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Data.Edm.dllMD5=78131030AB1F627955BE3182345BD001,SHA256=E5B0363A26DB4A5C0EDBB8D0EFF0A7B7C071C6C31960832A4332D31FCD170170,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.454{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Bond.Interfaces.dllMD5=40F5CC234B7C95CD4262601B221E6D37,SHA256=064EF1F32289FCF01B400515504F5AABB29756C1D950999E190DCEBDF223071F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.453{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Bond.dllMD5=4A2AD66E6441518620EC17C2DFC90C8F,SHA256=74438F99B73E1E1502878DDDDA9B09C87BBA22A0430A3A23283389D9713E3B1C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.451{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Applications.Telemetry.dllMD5=042213980A7BBC0392EE29B3ACEBCD74,SHA256=C04516E0F713B0144ABCA7B20B0D6F7B1C474EE57FF4141780FC7DA2B14E1CCC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.448{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\Microsoft.Applications.Telemetry.Desktop.dllMD5=4BF7BCC420786AEFCE93860A6C7337D6,SHA256=DD1E379DEB9C13493B64CA1D773008419512E16F056CD01F95BBD4BFF1A6F3FD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.448{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\ICSharpCode.SharpZipLib.dllMD5=DC103AB6C9F59B5ECFEA159B42F56DC4,SHA256=68436B6288FCA7F1502CBDC506BFF118866831D2AE088A2550EE81574D1B14F5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.446{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\DeltaCompressionDotNet.MsDelta.dllMD5=BCF93B43FE5B1ACA8DD59A2B2967B455,SHA256=8105AD15B6798B5381A77F380D30EF1FF0CB2790619D2F936E64A026B5116784,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.445{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\DeltaCompressionDotNet.dllMD5=0B067D5ED660D4207DA6D707668281C2,SHA256=26398BE075FC52E57E71920B954B5A37518E2F083472A68F8BC555945179E639,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000341000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.444{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\CustomAction.configMD5=4BFDEF8658100D564788F676B4A63864,SHA256=A2E973CCE1F85A2AB9D6E7A90909B17B332C1EF4159FFC57BB3CF688E02BA9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.444{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI8AF5.tmp-\BootstrapperCore.dllMD5=ACF012BFAECBEEDD8BA4DD41032B6E43,SHA256=F6A4B50D9D9751A1C93157A5D019FD221A2BC50A0660ADE9505DB70CD647A361,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.441{72106695-B53F-63D3-2804-00000000BD02}1064WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Program Files (x86)\Teams Installer\setup.jsonMD5=19AD152B4BF6B7482CD1FF761CA0EBAA,SHA256=190C38F4F1B04B75B5CEC8D03D3946A94E54044662752ACA7D54C8193EBC5C70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000340997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1060,RunKeySetValue2023-01-27 11:27:59.389{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\{CA0B7525-677D-453E-8375-5A0794E37710}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDriveC:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe /background /setautostart 11241100x8000000000000000340996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DefaultUserModified2023-01-27 11:27:59.378{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{4f50aa2c-9e26-11ed-abf5-026fb152bae6}.TMContainer00000000000000000002.regtrans-ms2023-01-27 11:27:59.377 10341000x8000000000000000340995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.371{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000340994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DefaultUserModified2023-01-27 11:27:59.367{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{4f50aa2c-9e26-11ed-abf5-026fb152bae6}.TMContainer00000000000000000001.regtrans-ms2023-01-27 11:27:59.366 11241100x8000000000000000340993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DefaultUserModified2023-01-27 11:27:59.357{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{4f50aa2c-9e26-11ed-abf5-026fb152bae6}.TM.blf2023-01-27 11:27:59.357 10341000x8000000000000000340992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.291{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.291{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.290{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.290{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.290{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.289{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000340986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-ConnectPipe2023-01-27 11:27:59.284{72106695-B53F-63D3-2804-00000000BD02}1064\SfxCA_6589218C:\Windows\SysWOW64\rundll32.exe 10341000x8000000000000000340985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.282{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.281{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.251{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.249{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.249{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.249{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.248{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.248{72106695-B53F-63D3-2704-00000000BD02}53762616C:\Windows\syswow64\MsiExec.exe{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\Installer\MSI8AF5.tmp+28f8(wow64)|C:\Windows\Installer\MSI8AF5.tmp+247f(wow64)|C:\Windows\Installer\MSI8AF5.tmp+3a7b(wow64)|C:\Windows\System32\msi.dll+ab3b3(wow64)|C:\Windows\System32\msi.dll+181346(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000340977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.248{72106695-B53F-63D3-2804-00000000BD02}1064C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe "C:\Windows\Installer\MSI8AF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6589218 1827 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.CopyConfigC:\Windows\SysWOW64\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\SysWOW64\msiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 26AE36FE0BB652ED9C4006EE36432C76 17141700x8000000000000000340976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:27:59.247{72106695-B53F-63D3-2704-00000000BD02}5376\SfxCA_6589218C:\Windows\syswow64\MsiExec.exe 10341000x8000000000000000340975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.231{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.231{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.231{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000340972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.231{72106695-9B85-63D3-1E00-00000000BD02}19245068C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000340971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.231{72106695-9B85-63D3-1E00-00000000BD02}19245068C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000340970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.219{72106695-B53F-63D3-2704-00000000BD02}53762940C:\Windows\syswow64\MsiExec.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7887|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000340969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.212{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.189{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.184{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.184{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.184{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.184{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.184{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000340962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.183{72106695-B499-63D3-D903-00000000BD02}57764904C:\Windows\system32\msiexec.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba748|C:\Windows\system32\Msi.dll+16e0a4|C:\Windows\system32\Msi.dll+16e71c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000340961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.183{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\SysWOW64\msiexec.exe5.0.14393.5648 (rs1_release.230105-1654)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 26AE36FE0BB652ED9C4006EE36432C76C:\Windows\SysWOW64\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=0E6BA8C0B882285D2B4FD61D0688D65B,SHA256=6929777BD6CEDDDFFF86FC7F505374D5AC0FA0F63722DC1C88594E16FBAFFAD1,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 23542300x8000000000000000340960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.180{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.180{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.180{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.174{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\62052f.rbsMD5=D47EC8739F799C47D7A41DD474D8D1A5,SHA256=8CFF73443013C6587F337B0C1AB5C4AAC6AC0AF84192D20F88913127B4EAAA5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.174{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.174{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.173{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.173{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.171{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF2E585343198ACC31.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000340951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.171{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF211AFA011CF72B4.TMPMD5=B4B6461EAB62BE4079C96973D4196B78,SHA256=4BAF0FB96BBFFA88313C07F8F27314C4BCF4B4D04098A4A9481F248EEAE78FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.168{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFFD97C571C931613B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000340949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.167{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3743647F2CBA9CD1.TMPMD5=B4B6461EAB62BE4079C96973D4196B78,SHA256=4BAF0FB96BBFFA88313C07F8F27314C4BCF4B4D04098A4A9481F248EEAE78FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.164{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI81CB.tmpMD5=1F3E07B05B866640BD99B345EB30097F,SHA256=1F27AD6F3D50E46EB01E988C497BE7DF343F573B5F8979C611BC9F586C9973AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.145{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.145{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.145{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.145{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.144{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.144{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000340941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.144{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\SYSTEM32\msi.dll+e283d|C:\Windows\SYSTEM32\msi.dll+f7af2|C:\Windows\SYSTEM32\msi.dll+f9eff|C:\Windows\SYSTEM32\msi.dll+f9684|C:\Windows\SYSTEM32\msi.dll+90a94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6e58ac|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+6d1caf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dbc5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000340940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.143{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI84AA.tmpMD5=ADC69F47AE1703171DC401C4B3495339,SHA256=A98FD9935A91BCA7C490C03F16C71BC9A49D6D2909D2DF928680301BF8BB6166,IMPHASH=C2AAC1B2B9FA36FBEA7CD3D2B4516228truefalse - insufficient disk space 23542300x8000000000000000340939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.118{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\wix.dllMD5=D9F47A9075497473BE3420BF25060416,SHA256=87EE93C7BF77B9D93A972BA5A640DEFC178C0505304D8EE3D3F2EE340E9CA510,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.104{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Telemetry.dllMD5=BD34E77891DB934AB5DC13E3768DFCE7,SHA256=897D33A6D47ADD4FACE95D47109EEB96C2DC6954D52CF48BF127E53FED2C0736,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.103{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\System.Spatial.resources.dllMD5=AD73B408CD61BC349ECB29D018A90F25,SHA256=60225714F5F67C7AFE03ADAD6B06DE02396F687F441813847C7C5D083AB10FBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.102{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\System.Spatial.dllMD5=539ECBA6ADC02BD1711E0C0883A502AF,SHA256=0B347698A279A88CF278759100A488941AAF7ACCA96C52194845290D08A26366,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.101{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Squirrel.dllMD5=072ED1002377E0C5A6EFFFA27AAFD94A,SHA256=509AEC427B86C24B47D34DEF489E0F9A237E5E1DE999EE0F2ACBD7F5DA9FFCFC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.097{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Splat.dllMD5=9F5DC2E47908585E5A72F7AF09472504,SHA256=865E2B68580166AFF75D2E493D2564B44201A369ED7A4DA8645F42544726BBEF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.096{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\SetupConfigCustomAction.dllMD5=D7C45E1382B596096AF62AB465BEF017,SHA256=3782EED101B185C6CF4FCE661FB26C777718DE552D190E5B1F9255833DF0356E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.095{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\NuGet.Squirrel.dllMD5=927AB0F4C480D594DDFA36AEF1B06E52,SHA256=F38BCAD63B8CA88699BCCACC64F2FBD6D73B53E6818DC063DCAE17D7A7AC47CE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.091{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Mono.Cecil.dllMD5=AF742B762F03A29F99A2558AB6141515,SHA256=0C66A01F3A2223F23E57171BCE47403ADBF4B48E34A5B2EFFC7E7412701B2129,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.087{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Web.XmlTransform.dllMD5=6AD7D1E92C9833F4BDDE6A4BC84F2E1A,SHA256=13DCF5066E00152238191314D4A46605204FFABDBB830BDD0C97DF3027D1261D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.086{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Deployment.WindowsInstaller.dllMD5=D4C41DEE6A605C3B23377E0F147AAAAB,SHA256=3D120584E867B84E5A9979E29D322E53F296798EE90535C5AB13243D654AA115,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.084{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Deployment.Resources.dllMD5=FEB6EB81F13E468415E8920C0899DB09,SHA256=64B02CCA1D92F782A8B03F2C8B1E195369CE3099B8AC35A9E2060BA5094797D4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.083{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.Services.Client.resources.dllMD5=7F92069CFD4EA63487C25D6ECD96D1F3,SHA256=36DD5A40328C39E032F2CDB3B0F8CCF384716E46488A4E3356A387F74C03357B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.082{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.Services.Client.dllMD5=269BDEFAC8F933B2B133660BCEB81F13,SHA256=3CE056DD03533E4A8D9644B99ADE69B8CF6D5EDF3AB26FE2B9467AEC17A3C85D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.076{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.OData.resources.dllMD5=055CACF6D88D81AD52A8E30E83235CD2,SHA256=8435109572A7548A21C20CC0A3054060127F49376EFAF548AAA303828F257217,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.071{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.OData.dllMD5=2D8AEF0300B61BB6A075950900AEFFE3,SHA256=B37D4E017BB6444E00F7A840BD3562D194D199288A0B8406B6DCB431A867B702,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.053{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.Edm.resources.dllMD5=72CB6CEFD5CE2E63EF929EC63B5C84AF,SHA256=AFCC051B49B4A102BD618D8F3E914346D402588E42333F71C2AB43C9F90F5590,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.052{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Data.Edm.dllMD5=78131030AB1F627955BE3182345BD001,SHA256=E5B0363A26DB4A5C0EDBB8D0EFF0A7B7C071C6C31960832A4332D31FCD170170,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.045{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Bond.Interfaces.dllMD5=40F5CC234B7C95CD4262601B221E6D37,SHA256=064EF1F32289FCF01B400515504F5AABB29756C1D950999E190DCEBDF223071F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.044{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Bond.dllMD5=4A2AD66E6441518620EC17C2DFC90C8F,SHA256=74438F99B73E1E1502878DDDDA9B09C87BBA22A0430A3A23283389D9713E3B1C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.043{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Applications.Telemetry.dllMD5=042213980A7BBC0392EE29B3ACEBCD74,SHA256=C04516E0F713B0144ABCA7B20B0D6F7B1C474EE57FF4141780FC7DA2B14E1CCC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.039{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\Microsoft.Applications.Telemetry.Desktop.dllMD5=4BF7BCC420786AEFCE93860A6C7337D6,SHA256=DD1E379DEB9C13493B64CA1D773008419512E16F056CD01F95BBD4BFF1A6F3FD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.039{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\ICSharpCode.SharpZipLib.dllMD5=DC103AB6C9F59B5ECFEA159B42F56DC4,SHA256=68436B6288FCA7F1502CBDC506BFF118866831D2AE088A2550EE81574D1B14F5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.036{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\DeltaCompressionDotNet.MsDelta.dllMD5=BCF93B43FE5B1ACA8DD59A2B2967B455,SHA256=8105AD15B6798B5381A77F380D30EF1FF0CB2790619D2F936E64A026B5116784,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.036{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\DeltaCompressionDotNet.dllMD5=0B067D5ED660D4207DA6D707668281C2,SHA256=26398BE075FC52E57E71920B954B5A37518E2F083472A68F8BC555945179E639,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.035{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\CustomAction.configMD5=4BFDEF8658100D564788F676B4A63864,SHA256=A2E973CCE1F85A2AB9D6E7A90909B17B332C1EF4159FFC57BB3CF688E02BA9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000340913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.034{72106695-B53D-63D3-2504-00000000BD02}6108NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI84AA.tmp-\BootstrapperCore.dllMD5=ACF012BFAECBEEDD8BA4DD41032B6E43,SHA256=F6A4B50D9D9751A1C93157A5D019FD221A2BC50A0660ADE9505DB70CD647A361,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruefalse - insufficient disk space 23542300x8000000000000000340912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.009{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBFA1C3ECC3704B2A6A5181E037660B,SHA256=0B7D7BC776E0C8946A7F6D6E16174D8978FF8EC55C03958E90647128B8CE63E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.006{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000340910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.006{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78530DCED4910077BE0E6232C6B0650,SHA256=98119E978EAFF6CD3F318AEA359318C9F654977D99DE63D56D0E457C62C30611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000340909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.006{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.003{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.003{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.003{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.003{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.003{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000340903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.002{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:59.002{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.576{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.552{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.539{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.535{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.532{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.528{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.491{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.481{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.453{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.446{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.435{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.423{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.411{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.392{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.367{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.356{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.300{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000449016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:27:59.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FA50A0A879CB401B5C35B90FC5B806,SHA256=DC4C756F481C625E4B98C9A0944FDDA2014093FED696ECB501990E86288FEE73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:27:58.443{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51055-false10.0.1.12-8000- 13241300x8000000000000000341127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:28:00.770{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeHKU\{3DF72387-74FC-4457-A19F-3B8F516E8BC3}\grvopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 13241300x8000000000000000341126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:28:00.770{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeHKU\{3DF72387-74FC-4457-A19F-3B8F516E8BC3}\grvopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 10341000x8000000000000000341125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.767{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+66e0|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9180|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.767{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+66e0|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9180|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.767{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.767{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78 23542300x8000000000000000341121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.766{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Windows\Temp\tmp7A89.tmpMD5=1D2A96CCF730B0174CAAB94DF2218EEF,SHA256=5A1737D83970A1B1A10BCD321B9208A793925C8F276EC9866FDBB99D27C8DAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.766{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.766{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.765{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64) 10341000x8000000000000000341117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.765{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64) 11241100x8000000000000000341116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DefaultUserModified2023-01-27 11:28:00.764{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeC:\Users\Default\OneDrive\desktop.ini2023-01-27 11:28:00.764 11241100x8000000000000000341115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DefaultUserModified2023-01-27 11:28:00.763{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeC:\Users\Default\OneDrive2023-01-27 11:28:00.763 10341000x8000000000000000341114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.576{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.566{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.557{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.556{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.554{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.548{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.548{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.545{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.544{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.533{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.527{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.523{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.519{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.510{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.499{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.499{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.499{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.492{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.490{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.482{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.461{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.461{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.461{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.461{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.460{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.460{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.459{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.459{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.457{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.457{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9534|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c746 10341000x8000000000000000341084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.457{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.456{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.441{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.434{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.425{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.417{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.400{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.388{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.381{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.371{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.368{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.368{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000341072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:28:00.367{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500_Classes\grvopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 13241300x8000000000000000341071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:28:00.367{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500_Classes\grvopen\shell\open\command\(Default)"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /url:"%%1" 10341000x8000000000000000341070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.363{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+66e0|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9180|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.362{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+66e0|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9180|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.362{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.362{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\SHELL32.dll+240797(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6c78 10341000x8000000000000000341066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.361{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.361{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+4a436|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+3c3c7|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+6ab7 10341000x8000000000000000341064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.359{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64) 10341000x8000000000000000341063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.359{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\shlwapi.dll+29aee(wow64)|C:\Windows\System32\windows.storage.dll+2ab915(wow64)|C:\Windows\System32\windows.storage.dll+fd74f(wow64)|C:\Windows\System32\SHELL32.dll+24085c(wow64)|C:\Windows\System32\SHELL32.dll+240ac9(wow64)|C:\Windows\System32\SHELL32.dll+24075d(wow64) 10341000x8000000000000000341062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.356{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.341{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.335{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.241{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.241{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.239{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.239{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82ed|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.239{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.238{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.238{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.238{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+82a3|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.238{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.238{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+970f 10341000x8000000000000000341049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.237{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.237{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.237{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+130450(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c729|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9457 10341000x8000000000000000341046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.237{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700 10341000x8000000000000000341045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.237{72106695-B53F-63D3-2904-00000000BD02}56205724C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+43d55|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+7e9a|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+8265|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+90fe|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+1c700|C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe+9373 10341000x8000000000000000341044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.233{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.232{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B53F-63D3-2904-00000000BD02}5620C:\Program Files (x86)\Microsoft OneDrive\22.077.0410.0007\FileSyncConfig.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.203{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBFB3277130AB5F15.TMPMD5=1A827696876E21D340A582CDB167E931,SHA256=596F9F03BDA21C455C0DC05B9FF5A737E8613DA1BDCD6359E4C3EA09C5C40DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:00.187{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF2C2ED202CA43B9BD.TMPMD5=DE3C8DE45486FE9AD52B6A1F50719323,SHA256=1325E5F28BE561C49DCCDBBBB0C1AF9E8940FCC2DA67919F1D3620A93CD77C5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.306{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.302{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.299{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.296{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.294{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000449036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.286{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B318260AE304E00FA8FA29D63D4CEFB,SHA256=9139D331DBCE21E7121D275495EB80172B22E7A11E5E1FC2293CFB7055D29482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.848{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.848{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.848{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.807{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.806{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.802{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.802{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.801{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.801{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.800{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000341273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.799{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000341272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.771{72106695-B105-63D3-1F03-00000000BD02}39924596C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000341271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000341269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B403-63D3-B103-00000000BD02}60926104C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+47ede|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+50827|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4fb68|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000341265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.765{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000341263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000341258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000341256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B403-63D3-B103-00000000BD02}60926104C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1438C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5cbc9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5de97|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17da6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c3e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c74c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b0eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2c058|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2bd43|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+943f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1311e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+20cf5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9482|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8de7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000341238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B403-63D3-B103-00000000BD02}60926104C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+3f53c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1909b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18604|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19eeb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c3c3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c74c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b0eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2c058|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2bd43|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+943f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1311e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+20cf5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9482|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8de7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc 10341000x8000000000000000341237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\shcore.dll+35586|C:\Windows\System32\shcore.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000341236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2a3e9d|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.749{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+2c9542|C:\Windows\System32\windows.storage.dll+d1d5d|C:\Windows\System32\windows.storage.dll+2de04a|C:\Windows\System32\windows.storage.dll+9f1f4|C:\Windows\System32\windows.storage.dll+2a3e00|C:\Windows\System32\windows.storage.dll+9f4d7|C:\Windows\System32\windows.storage.dll+9f5ea|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000341234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.747{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.746{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.746{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.746{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.746{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.746{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.745{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\combase.dll+24fc2|C:\Windows\System32\combase.dll+25cee|C:\Windows\System32\combase.dll+25aff|C:\Windows\System32\combase.dll+59488|C:\Windows\System32\combase.dll+590a0|C:\Windows\System32\combase.dll+65e74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+63133|C:\Windows\System32\combase.dll+648f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000341227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.745{72106695-B105-63D3-1F03-00000000BD02}39924528C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\combase.dll+24fc2|C:\Windows\System32\combase.dll+25cee|C:\Windows\System32\combase.dll+25aff|C:\Windows\System32\combase.dll+59488|C:\Windows\System32\combase.dll+590a0|C:\Windows\System32\combase.dll+65e74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+63133|C:\Windows\System32\combase.dll+648f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000341226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.743{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.743{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.743{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.743{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.742{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+67be3|C:\Windows\System32\windows.storage.dll+670a9|C:\Windows\System32\windows.storage.dll+66fbd|C:\Windows\System32\windows.storage.dll+6cd76|C:\Windows\System32\windows.storage.dll+6ed29|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 10341000x8000000000000000341221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.742{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1303|C:\Windows\System32\windows.storage.dll+6eba0|C:\Windows\System32\windows.storage.dll+6eaf7|C:\Windows\System32\windows.storage.dll+6ecc7|C:\Windows\System32\windows.storage.dll+17b166|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea 10341000x8000000000000000341220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.742{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1587|C:\Windows\System32\windows.storage.dll+169219|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000341219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-B105-63D3-1F03-00000000BD02}39926012C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+1691ed|C:\Windows\System32\windows.storage.dll+17b148|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+6957c 10341000x8000000000000000341218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.741{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.740{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.740{72106695-B105-63D3-1F03-00000000BD02}39924152C:\Windows\System32\RuntimeBroker.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.storage.dll+d18cd|C:\Windows\System32\windows.storage.dll+d1518|C:\Windows\System32\windows.storage.dll+17c819|C:\Windows\System32\windows.storage.dll+17c675|C:\Windows\System32\windows.storage.dll+d2a06|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000341211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.739{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.739{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.738{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.737{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.737{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.736{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_7_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.732{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.731{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.731{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.715{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.699{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-B403-63D3-B103-00000000BD02}60926104C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+94f8|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+88fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-B403-63D3-B103-00000000BD02}60926104C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8130|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{E5A7CA53-4837-4112-8C96-866387151EB9}.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.683{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.621{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.621{72106695-B402-63D3-B003-00000000BD02}3780656C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1cf33|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3e2d75|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3e2994|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66f668|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+66dc76|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+f8144|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2e10d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37e250|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+37c243|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=A1E15E3957813315305363046DC5A203,SHA256=C1CA089A6DCBA4E867D76AE784B8F189B583607D7C680793F7C9AF5FDA36DC9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF1F79E0584554AC62.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000341166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF1BC713EBE344C011.TMPMD5=A1E15E3957813315305363046DC5A203,SHA256=C1CA089A6DCBA4E867D76AE784B8F189B583607D7C680793F7C9AF5FDA36DC9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.605{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBC55658F6810F161.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000341164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.590{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD4CC1A08226A1090.TMPMD5=A1E15E3957813315305363046DC5A203,SHA256=C1CA089A6DCBA4E867D76AE784B8F189B583607D7C680793F7C9AF5FDA36DC9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.574{72106695-B499-63D3-D903-00000000BD02}5776NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\62052d.msiMD5=F335C918ADC98C5E641A9B65B2083CB5,SHA256=861F955FD50DD3120E58436E0E943C02D4DC2027C0B180C6CD5B8AFF0BB9CFE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.468{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10AC9E6D2E8E30A3217BED345FB9BB4,SHA256=14F5800465C0878C0EBD5000126955B8617C5F78F812BE996224EAD7AFDD0D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.447{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C84527027CA858A044103CB94A95C2,SHA256=C5AF4F3A2810B98E6A581EBABF078C1721996E6A2E318A16051530682D5F9463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.234{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.231{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53D-63D3-2404-00000000BD02}4848C:\Windows\syswow64\MsiExec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.226{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53A-63D3-1F04-00000000BD02}1664C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.216{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B538-63D3-1C04-00000000BD02}6064C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.210{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.210{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.209{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.199{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.184{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.175{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.172{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.164{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.156{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.148{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.148{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.146{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.146{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.145{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.142{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 23542300x8000000000000000341141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.141{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.dbMD5=EABC65087FF0F9ED5B26C7F104E2816B,SHA256=0FC67CDF05337E855FE8E49268AB321B69594BAC6D8BF38F4AB179A95F14CA3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.120{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.115{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.106{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000341137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.093{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.087{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.081{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.081{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.019{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000341130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.019{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000341129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.019{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B53F-63D3-2704-00000000BD02}5376C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000449042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:01.379{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E67D5B13B4C768A1944963D4F21609,SHA256=2CB968989A846BDC46AA56C0C1666DF5EC1FAE32BE6FC46DED991DA5F6FE7DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.614{72106695-B538-63D3-1C04-00000000BD02}6064WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\parentTelemetryCache.otc-walMD5=7B75353D6AC70D93B38BDE9E5C686F0F,SHA256=EED9AC33F1333DF78A7E09BBFFDF784B639957E4FCE0E4CC957D3C3EB3135B9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.614{72106695-B538-63D3-1C04-00000000BD02}6064WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\parentTelemetryCache.otc-shmMD5=967282EE6B98E06D2CAD1A8EBEDE1ABE,SHA256=C81AA4F7FE65D427156515DA7A7BB0293A052A35FD6FCF23A05504926669A4E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.598{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.582{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\machineTelemetryCache.otc-walMD5=52987392F86A3649F96A52E85012C29E,SHA256=D8EB6A8896F6100E6888E76DD3E37A68F4902C3152F9C073CA2B94B00E0F46E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.582{72106695-B53A-63D3-1F04-00000000BD02}1664WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Program Files (x86)\Microsoft OneDrive\setup\logs\machineTelemetryCache.otc-shmMD5=FE49399299F49FE7F35F24626DC02DE4,SHA256=C03DD87B7E9BBE819F5A67FC25874F8BD8197F9BB68B55A8ACC6B068DB57A123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.379{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D2805744CBE71438971B18BBEFCA314C,SHA256=F199A25F6CE5F215692DD8CCBF76FEDA655F05C0D3F2561B5CDC026DDBEA199D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.176{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.129{72106695-9B88-63D3-4200-00000000BD02}2308NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=D849ED614A45D39CE70FD9D8B0DCAEDD,SHA256=8F3D3B788D438E48DDEABAE259F6ABFED401F50EA64A2529CA8B1492677523BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.117{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-walMD5=1F9EA033B133E05B6609D9D9222FB275,SHA256=CD1E9C1FBFA3F900B7F9D5C39EDD665165568595A934D905CC1F449D67A03F92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.117{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shmMD5=C08978387BDA3206325DCD9A63EB3A0E,SHA256=FB1E198AFCB99E35CB538ECE33AEEBFAB1BE25786682BFE29FBC006BAAE439EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.088{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.065{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.065{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.060{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:02.060{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.997{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.994{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.985{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.972{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 354300x8000000000000000449058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.425{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51995- 10341000x8000000000000000449057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.935{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.927{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.911{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.905{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.903{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.900{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.896{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.895{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.892{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000449048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.562{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481BEA93F5B656818B0AEB0B1EB35D9F,SHA256=E1736EF4E75A567B90A01B8211610FAA877761F4629538986F7890516064EE0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.378{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.375{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.372{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000449043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.344{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 354300x8000000000000000341307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.781{72106695-B541-63D3-2A04-00000000BD02}4592C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51060-false52.109.16.0-443https 354300x8000000000000000341306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.515{00000000-0000-0000-0000-000000000000}4592<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51058-false52.109.8.45-443https 354300x8000000000000000341305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.505{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51057-false20.126.106.131-443https 354300x8000000000000000341304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.489{00000000-0000-0000-0000-000000000000}4592<unknown process>-tcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51059-false52.113.194.132-443https 354300x8000000000000000341303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.046{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51056-false20.189.173.4-443https 22542200x8000000000000000341302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:01.477{00000000-0000-0000-0000-000000000000}4592ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;<unknown process> 23542300x8000000000000000341301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:03.710{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000018.dbMD5=9ABCF939CBBEDAE6E91092FB47EAA8A3,SHA256=F7A02B910D1AB0D36BEE8A1A6E17396686F0AF21E154FECC6F473921C19FB597,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:03.380{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BC9D3D130E4183DE79E1B6ABEE31D3,SHA256=A9192F4A2A985275E39F3B27E0BE1713E043E58F807AD9587713343A9FDD4ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:03.380{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C76EFEB32FDC93678B0AB5D5791A2715,SHA256=100110173963DD047BA861AC471E2334083858DDFB1B3C02D9E6B145C9F66E65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:01.209{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56635- 354300x8000000000000000449066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.922{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59312- 354300x8000000000000000449065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:00.922{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56330- 23542300x8000000000000000449064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:03.648{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE9AC04E64C5B65C119310F628E73D2,SHA256=9C7DE36DC1CBFDAFC0FB798DEB0F7A1E6C9A33DB23FB54DCAE3947E2D3237874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:03.020{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 23542300x8000000000000000341310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:04.440{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E731C91FA1BD7C99991924C1DD1DCCFA,SHA256=87D12886E43329ABBD90C01ECDD88B4B2263A4136B1DAF4499B18FE3EBB98433,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:04.120{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66AD08EC40552711CE2C9C6974BF333,SHA256=EAFBE4EDAF93036C9140FFBF522453C219CB5215582EBFF6901E6A31EE21802C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:04.111{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD00633B8EB6F8FF37F648FBA8690532,SHA256=7404293523E6BC6FFCD9C155A35AFC7145DAE9F4E69D3E6EFAA9408829F9493E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:04.851{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDD08278CE4582273945C8A752631B3,SHA256=577C1858D2A86BE3E1174855BAFE4B814480886870D2BA6B4912066B78585454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B85-63D3-1200-00000000BD02}10005968C:\Windows\System32\svchost.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.946{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.930{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.918{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-walMD5=3273FE547498448054E8E022AD94521C,SHA256=C01B71D777828974E0F7FEB6DFF28041CE4D33B8FA5F0F8CABC66D0D8ADA6BA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.918{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shmMD5=C79578167AE5E5A53D7DE986E85CF9AD,SHA256=273DCA1EDE9BEF7D8B1AE7AAF0ACC825AC04711F5542FDF3AD401A3467AB028B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000341319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:28:05.918{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\OfficeSetup.exeBinary Data 10341000x8000000000000000341318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.761{72106695-B106-63D3-2B03-00000000BD02}9644656C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.761{72106695-B106-63D3-2B03-00000000BD02}9644656C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.761{72106695-B106-63D3-2B03-00000000BD02}9644656C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.731{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.731{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.731{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.731{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.492{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB8B13B377C6B72DDA0DD3826C21BB5,SHA256=D964A489000E614DC0629C32FCEA42BF54F20192646390E66600D08AC4003F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:05.942{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E597BBCD64C0F22BF05E71872E1DA4,SHA256=1C7E7B3C862FFD2BCB17B3F09AF779E7D5B9756C18B71EF6E4B5ACFC1F5A34CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:02.474{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57145- 354300x8000000000000000449069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:01.879{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000341340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.996{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2C04-00000000BD02}4104C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.996{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2C04-00000000BD02}4104C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.996{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2C04-00000000BD02}4104C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000341337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:04.412{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51061-false10.0.1.12-8000- 23542300x8000000000000000341336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.578{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060C56D8853F7157CCBF1E9C4BE91530,SHA256=C3605F52EB17C873F1C2BD6CBFC5BF4103B7E2D5A8CB873C3814A7E508B5D2CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.409{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.268{72106695-B545-63D3-2C04-00000000BD02}41042356C:\Windows\system32\conhost.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.012{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.010{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:06.010{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:05.998{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B545-63D3-2C04-00000000BD02}4104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000449072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:07.018{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD137AAF1A7817B98E9935DCB03401B,SHA256=F709690C2E05C3300C997036EEA05249EA82CC696E9580F2965F3A36B69A507F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000341401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:28:07.956{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeBinary Data 10341000x8000000000000000341400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B106-63D3-2B03-00000000BD02}9644640C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B106-63D3-2B03-00000000BD02}9644732C:\Windows\Explorer.EXE{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000341395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000341388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 23542300x8000000000000000341387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B106-63D3-2B03-00000000BD02}964WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_8_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36724108C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36723472C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000341379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:07.784{72106695-B105-63D3-2003-00000000BD02}36723472C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 13241300x8000000000000000341378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.393{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\BinProductVersion1.5.0.8070 13241300x8000000000000000341377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.393{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\LinkDate12/09/2021 19:14:18 13241300x8000000000000000341376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.393{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\Publishermicrosoft corporation 13241300x8000000000000000341375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.393{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\LowerCaseLongPathc:\program files (x86)\teams installer\teams.exe 13241300x8000000000000000341374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.393{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplication\000089567ac59e59dcc31e4f7fc0948df0f700000904\PublisherMicrosoft Corporation 13241300x8000000000000000341373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.347{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedriveupdaters|d0f18d9d26d582e5\BinProductVersion22.77.410.7 13241300x8000000000000000341372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.347{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedriveupdaters|d0f18d9d26d582e5\LinkDate02/11/2088 18:00:05 13241300x8000000000000000341371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.347{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedriveupdaters|d0f18d9d26d582e5\Publishermicrosoft corporation 13241300x8000000000000000341370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.347{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedriveupdaters|d0f18d9d26d582e5\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\onedriveupdaterservice.exe 13241300x8000000000000000341369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivesetup.ex|52d14b13b9115e48\BinProductVersion22.77.410.7 13241300x8000000000000000341368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivesetup.ex|52d14b13b9115e48\LinkDate04/14/1981 15:28:41 13241300x8000000000000000341367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivesetup.ex|52d14b13b9115e48\Publishermicrosoft corporation 13241300x8000000000000000341366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivesetup.ex|52d14b13b9115e48\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\onedrivesetup.exe 13241300x8000000000000000341365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivefilelaun|822e6efb6bb2bc82\BinProductVersion22.77.410.7 13241300x8000000000000000341364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivefilelaun|822e6efb6bb2bc82\LinkDate12/17/2093 09:32:21 13241300x8000000000000000341363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivefilelaun|822e6efb6bb2bc82\Publishermicrosoft corporation 13241300x8000000000000000341362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\onedrivefilelaun|822e6efb6bb2bc82\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\onedrivefilelauncher.exe 13241300x8000000000000000341361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|881e80cf23357a7\BinProductVersion22.77.410.7 13241300x8000000000000000341360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|881e80cf23357a7\LinkDate03/12/2016 08:46:59 13241300x8000000000000000341359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|881e80cf23357a7\Publishermicrosoft corporation 13241300x8000000000000000341358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|881e80cf23357a7\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\microsoft.sharepoint.exe 13241300x8000000000000000341357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|547b2807ec12cb95\BinProductVersion22.77.410.7 13241300x8000000000000000341356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|547b2807ec12cb95\LinkDate05/13/2040 17:51:45 13241300x8000000000000000341355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|547b2807ec12cb95\Publishermicrosoft corporation 13241300x8000000000000000341354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\microsoft.sharep|547b2807ec12cb95\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\microsoft.sharepoint.nativemessagingclient.exe 13241300x8000000000000000341353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesynchelper.e|15be8eda24ed1c79\BinProductVersion22.77.410.7 13241300x8000000000000000341352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesynchelper.e|15be8eda24ed1c79\LinkDate07/23/2053 19:25:05 13241300x8000000000000000341351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesynchelper.e|15be8eda24ed1c79\Publishermicrosoft corporation 13241300x8000000000000000341350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesynchelper.e|15be8eda24ed1c79\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\filesynchelper.exe 13241300x8000000000000000341349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesyncconfig.e|b50b3d6f86ceb53a\BinProductVersion22.77.410.7 13241300x8000000000000000341348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesyncconfig.e|b50b3d6f86ceb53a\LinkDate06/29/2049 06:16:20 13241300x8000000000000000341347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesyncconfig.e|b50b3d6f86ceb53a\Publishermicrosoft corporation 13241300x8000000000000000341346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filesyncconfig.e|b50b3d6f86ceb53a\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\filesyncconfig.exe 13241300x8000000000000000341345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filecoauth.exe|4e5eb51da9f369cc\BinProductVersion22.77.410.7 13241300x8000000000000000341344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filecoauth.exe|4e5eb51da9f369cc\LinkDate08/14/2033 01:51:33 13241300x8000000000000000341343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filecoauth.exe|4e5eb51da9f369cc\Publishermicrosoft corporation 13241300x8000000000000000341342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplicationFile\filecoauth.exe|4e5eb51da9f369cc\LowerCaseLongPathc:\program files (x86)\microsoft onedrive\22.077.0410.0007\filecoauth.exe 13241300x8000000000000000341341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:07.331{72106695-B545-63D3-2B04-00000000BD02}3452C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{05f89118-7e3b-750d-8ee1-3fafd3d54a25}\Root\InventoryApplication\00006853063d52f289a21ec6932622b7706e0000ffff\PublisherMicrosoft Corporation 23542300x8000000000000000341420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.947{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B251E7785B87B24268092FF61198AD2B,SHA256=7A3B77A9B6520512E9E92A954B72205D9C754A43A8BBE25E143415520EDF8B88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.873{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6204D02BEA7A520FAA9249D51073B0B2,SHA256=BA4AD63EC2635860815E9333B9BAB155210C4C4C3D32867007FF3DBF0E871BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:08.103{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECA1119CE0F90B9204CE965C7875BA6,SHA256=027693883751397ECF15CBF7461420F21F5726BB1036C79407D1BA9F7223E6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.325{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8800AC951BAFD62AE27A61032B5B7718,SHA256=108CF16F5C9AB6535831F1D3C06A32F0120963325A645A4E4E0D577E1B98D2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.168{72106695-B105-63D3-2003-00000000BD02}36721356C:\Windows\system32\sihost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.083{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.083{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.083{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.083{72106695-9B85-63D3-1E00-00000000BD02}19245088C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000341407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.083{72106695-9B85-63D3-1E00-00000000BD02}19245088C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 23542300x8000000000000000341406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:08.036{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B02D67D569ED625B7691372CEBB243,SHA256=96B9D2C6303E517F048C3FA9960BC0F914039FF9D52E736C91BE5802213A25E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000341405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-VerSetValue2023-01-27 11:28:08.029{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{f1b18d92-25bd-9953-e664-b8d5067a439a}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\BinProductVersion16.0.15601.20362 13241300x8000000000000000341404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-CompileTimeClaimSetValue2023-01-27 11:28:08.029{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{f1b18d92-25bd-9953-e664-b8d5067a439a}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\LinkDate11/29/2022 15:28:53 13241300x8000000000000000341403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:28:08.029{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{f1b18d92-25bd-9953-e664-b8d5067a439a}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\Publishermicrosoft corporation 13241300x8000000000000000341402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PathSetValue2023-01-27 11:28:08.029{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe\REGISTRY\A\{f1b18d92-25bd-9953-e664-b8d5067a439a}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\LowerCaseLongPathc:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe 23542300x8000000000000000341421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:09.949{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23539B0F840ED5BE0AB5FB3E6951FF51,SHA256=AF1007913548BE9EB94D8490FC916DE2D4962B6116CAC20A9253CE44A820569C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:09.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B90118BD9D2F87ADCC755DFC3BA5D4,SHA256=52B7C010108FC4B318BE4B2B88889928A4AE9AEFAD5BA6903BE7C23C772C2E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:07.807{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:10.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B83055ECE5C375D65AE94B49470A408,SHA256=114851312886CF0F9C75733A672FF992A1073C1F097F46776AD7BE0FD45BD61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:11.476{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C49DA6B050AE11E9428871115C93C99,SHA256=84FE612777280783527DF259D460401958F4F4706802064E58D5DFAEA8F1E26F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:09.427{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51062-false10.0.1.12-8000- 23542300x8000000000000000341422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:11.036{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B521557919848DD2D461295AC56FCA8,SHA256=53A901E5217D6D7203FBF83B7F057CC0829EE0D05B642DEF34346185EF3D3646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:12.561{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788F45FF2EF4E1AD0EB6CEFD23C805DA,SHA256=D19BC0AF2F18949B9719B9FA75DE7B989E15CA35A0F74196457594B81FB73A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:12.117{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA72DB07A21D0915CFA21EC228F0E442,SHA256=13A48DC6F3AE6EA0CACEA92D2924B58858B6D67F5DA39D6AE3170B154725A482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:13.667{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B9FAB53535FE762A72FC82D83DB33,SHA256=39AED8BCA48B4C4783665172925843532B4C65012AFA82BDFDA71D12873C92C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:13.301{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD492BADB99B07C1F6B0239C9E2B2A13,SHA256=D5C80CFE746D8991C058A1F52DC4B9F4FF6140938C7BD1D81BC1A10DE82827DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:13.069{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:14.759{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66B139A99BCD096FACCF2663940257D,SHA256=02048CB4285500E314CE2D9E8C4277B6BB10316D497FA2B50C931B37A31AD513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:14.386{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772BBB3D9A1F1213C928235D282CC3F8,SHA256=47D3F8D01C43FDACEF8F27A1446E9C680189C726B77E0718F90A52814CEA57C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000341427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:11.336{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-64503-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000449083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:15.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBAEB8C10D9B1B0EDABE052D6BCB835,SHA256=99E219E82343C02252DDA7320266513B4941D6EF1B52E35BB100BC6AC9B4CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:15.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA6B72CDEB0D2B6F38D26AD5CAF6FE,SHA256=EF66E14AEC41891781107BF91A115083335EAD771FE7645C3241BE1C077B4AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:15.413{45AAC21C-9B85-63D3-1600-00000000BC02}13005564C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:15.413{45AAC21C-9B85-63D3-1600-00000000BC02}13005564C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:16.599{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FCD62BD45FE6363A938A485B24B789,SHA256=F87D0846C8302105730A86689E33BBD97946690B9101B0286B661C5803676C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:12.942{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:16.260{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-106MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:16.257{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BE271C1C6F8E6C573A3CC3DE5861C052,SHA256=11FDA506FEB037B7386F0E732607A87F4A7A4E5636BDE3D6AF5BF4ABCBB85A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:16.178{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1CB48844A9B87FD9A6F5E56F124A67C0,SHA256=85E2151EA439A4C3033BD974D96E55939FE7D703D0E3FAE5AA905BA08C1BF3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:17.660{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8573AAF7E45A98FF2D3C359377FD78D7,SHA256=C3888FED9AD48EEE22EDEFA3197B0392CC893955F4EA776BDBF0868288D7A2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:17.264{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:17.247{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3A7F3C16ACDC33D756E35A84E218EB55,SHA256=16EEA1850856A00BC81B834CD1E197D0DEF6174398A054C1B7E5608378D347D6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000449097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000449096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064d6a2) 13241300x8000000000000000449095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0x117ce4cd) 13241300x8000000000000000449094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0x73414ccd) 13241300x8000000000000000449093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0xd505b4cd) 13241300x8000000000000000449092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000449091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064d6a2) 13241300x8000000000000000449090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0x117ce4cd) 13241300x8000000000000000449089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0x73414ccd) 13241300x8000000000000000449088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:28:17.115{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324a-0xd505b4cd) 23542300x8000000000000000449087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:17.038{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0FC5579C76D46C12C46AC204787EC3,SHA256=BDFE2C08DA889605F50D30D1D0D6A3CD22682548731643BCAED48C2B4BA0A02F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000341438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.238{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5AB7172C-9C11-405C-8DD5-AF20F3606282} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 13241300x8000000000000000341432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:28:17.164{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{BBACC218-34EA-4666-9D7A-C78F2274A524} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFFBinary Data 23542300x8000000000000000341441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:18.841{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2CA90D217509E36FBF967DEC49A5B8,SHA256=C657D17829B21FB754071D64A0EE5A69E6039733007382E84A21CD58BD94FCD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:18.110{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C127BF216147431C411749CCB097004,SHA256=6A7869A8ED53A197DE028FBB337EF3056872AD337579D0E0936515557E691FFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:15.364{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51063-false10.0.1.12-8000- 10341000x8000000000000000449120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.613{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.593{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.585{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.582{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.576{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.574{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.504{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.490{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.455{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.442{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.428{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.405{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.385{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.318{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 23542300x8000000000000000449101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:19.210{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C877F2313A1C65EB6903D66FBA988F03,SHA256=9BF8A1EB3E40948E6CE25D34CBA64ECE7C9CD4BD546DB683EFFFBF8C74A25E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.343{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8A40E6A93B63E23CE39109BA9321B4,SHA256=0DA9B36AD4F14AEDBE8776522AEE464FA2390F0BD0ADFD25ACBD2F886EC32FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.727{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.726{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.725{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.713{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.710{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.702{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.690{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.687{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.657{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.650{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.635{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.630{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.628{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.623{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.621{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.618{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.615{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.615{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.613{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.612{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.611{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.609{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.606{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.599{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.595{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.590{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.587{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.580{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000341457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A38FE47739B298183CFB9D00E4CF0BB5,SHA256=F67A6E19D98C31F1876FC2ACCBEF044AC0F176B448FA647A826133876ACBD1B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.554{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.552{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.543{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.511{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.504{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.491{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.482{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.469{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.453{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.435{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.394{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.358{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.349{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.340{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000341442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.031{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DA14B06BB1D54962CF10F7E0ADD6A7,SHA256=B1984346D3B2E9837CE10BC981E662BF39F52631C90AEF9F530B533724752EB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.176{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.174{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.171{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:20.170{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 23542300x8000000000000000449128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:21.435{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE9525E4FECB46C4507003E56845928,SHA256=6EAAD6A15A36BF04039EBCE1C73DC6C8DA127D0C59C640AE978F2C05BB13983B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:18.760{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000341486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:21.204{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA8E3B64F4B8C0B3278639C8B387796,SHA256=11C34D97FFA15D6A3982B0DE7B3E38069FC8928ADC7BEF2270B54A6B7B54BE5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.876{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.833{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.826{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.815{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.801{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.770{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.764{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.754{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.748{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.745{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.742{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.739{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.738{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.734{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.592{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B80-63D3-0100-00000000BC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000449134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.530{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A3BDCA2C2A7FE6B937E23ABB3A17E2,SHA256=36C77FE4A40F024B868EE9FEE95F3830887DA79FE84F8B406517689CC3CD3593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:22.292{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2348EA8899BC6FD73D3F65C6783D6C,SHA256=AEE4D20CD6A7A1AA5A435A98F508CA39CC3A8E28A6A7C29F47C941F125ECDB37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.221{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.220{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.219{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.210{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 10341000x8000000000000000449129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:22.204{45AAC21C-9B96-63D3-3000-00000000BC02}28483460C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108850) 23542300x8000000000000000449151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:23.722{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7183189A4168A1627EEC24DE36246FC2,SHA256=68986E2FCA7D98F519346438A18D3D2A54E2FA017C2BAE9F3560F41D990D6909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:23.613{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5D5D0055CDD6A5922CDCCDE086BCE1,SHA256=378536CDAA52859B422A2266E920A6AF12ADA240A8825DEC69F2F1B9AF66900D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:23.370{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47386D57AC13045DCBE1D4F71805025,SHA256=B243759E996C8005736DC4994F73284369DF429CAC816EA24CC90DF2BBCDA15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000341489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:20.386{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51064-false10.0.1.12-8000- 10341000x8000000000000000341488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:23.146{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:24.706{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4F2C0FBAF6892B69708B8E366B431,SHA256=111FDFA71695A1681A3058CCE252149DA677DC4A63086E4AEDB8D9F805701222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:24.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4499B4C1922568E1AB667F1B6CA3263,SHA256=997CCB91C063CC5DEC22950D744B55E7705EFBC6D284C64F89538323107861D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:21.292{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52752-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x8000000000000000449152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:21.292{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52752-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 23542300x8000000000000000449155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:25.902{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CA2EB088EEC2DEC8ED1825A8B6A9BA,SHA256=42F20373211B15AC89B2A2BFE78436CAB49D596C0E94F9528660BA2DE2CA6A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:25.641{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E413ED1BF3FC546EBC26E1CF739D8E6E,SHA256=C29F5D8E89D67282B6DB3766798647567F752B66650099B9CE688C869474A283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:26.984{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00A744B1F6CC2B2A46B10A12E6B4DD0,SHA256=1E3CB1BD0FBC372B1E3A828B269A4B44DC93B2A93B1282D771712DC1AEE512DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:26.727{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73493FE054A1DFC2710C8510F1DE61D,SHA256=4FD0E9870AC33101C7EED9B02AF370DCBEE44ACD3CE8CAA1B8C531E4DD5F1080,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:27.818{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B55ABF095CD3E1463551B377B28A32,SHA256=F0ECF13D5D67765DA80A95B0B677C978FE07409FBFA2DDDD26D726DC8B207717,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:23.887{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52753-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000341498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:28.973{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3F1438B043E4A6FF1D34E62542248C65,SHA256=BA954BFEB2CA4227540635BB181E8211E5AD6E193E1F3358077AAB24E2257FF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:28.895{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BC9CDBAAAF8DE035C70FBA92608E39,SHA256=69FFD3AF4C3AF37F6549AA8760142A7834428FB99FBAF0C744CEAB2E0DD2FE33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:28.059{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B33615726E304AB93C88FE642BF700A,SHA256=A778C38EF5C04A42D00E7235032BC6351A463B2F064AE26BF1C438ADE86B44B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:26.330{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51065-false10.0.1.12-8000- 23542300x8000000000000000341495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:28.045{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D483352E260CFEF683B63BC071CEF921,SHA256=E03AA4026B63CC36DA1712A0153953984DCB8847F1585FFDCE9B12823D875C66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:29.988{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D273ACF5AA873571D964D4F9D4AA0709,SHA256=EEA2823BAFFC82A2087058E89E72370C7AF3367E8471B95AA96BC37208E91BBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:29.255{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1393EEBC2CF55839D907BBF2078BE3,SHA256=83FD77E667819178294602113D9FFC5812FD0CCC8417DAF72AF8ECE5BBADF2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:30.350{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5C567AE871585AD0F5C38899AD1C53,SHA256=D08981D4AD533D640EC74C7FFB6165EA8980F6D7F483924300A37539397DDEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:31.440{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6669995A5AD097C803AAD85AA8194B67,SHA256=5651AF37ABF1F765F0BCB1F0AE09253B7AB9C9CB3DDD0E490A9E1C923FB553E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:31.173{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8435BB8C231A38E34CCF764683EED6D8,SHA256=CD3334D712B68DE95FBFEC4782F75C236981CC6CFAA91C3F17931B70EB45C18F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:31.130{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:31.130{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:31.130{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000341500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:31.130{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 354300x8000000000000000449163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:29.799{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:32.539{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C677FE765CCCA0111B3483FA992A06D,SHA256=7EE1F120E05C9E946E19B7392BD0DDFA96EE959D6B6158DC0C44FFF539E07AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:32.149{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB987E00457E0B9B10E25D4708F92CA9,SHA256=80998AEFEC78BB0B11B76E7D08506A97302211D8C1D035BF66C0ABC5D5971923,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:33.620{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642A3D0CE8101F64F7B35D0EF9D443B1,SHA256=9C44D7302FFCCA7970BFF3AA8DBAEB366C8264D1A2BA967101CBBEC87810D027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:33.470{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061EBED9A8D616A5DD41F9AAA596E4D7,SHA256=BA0FA3D90D1FFD26D793FF77F5DF64E0305F2F206D2454AC2164AAED4F54225B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:34.708{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2106D7B3577C60CC2FB2D0EFF95CBCD2,SHA256=56FF1EE3D54A0FA2FC696C9D990FB6AA2DA0F5904C03DAD704DCF497D5C29CA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.996{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000341508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:32.304{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51066-false10.0.1.12-8000- 23542300x8000000000000000341507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:34.559{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD38D4298BC0336FA4D764D8DD1FF32,SHA256=6943F2CB9EC281DCA6E3377B8C003256A96B18E213F366A22B55A82227463535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:34.615{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FF04F9B207BF2CDC619703DC40E986,SHA256=7D63B79192D2B2888933AD4368D62FACD7B8B8A21780342D197A13B2651AD2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:34.227{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:32.914{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000449168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:35.778{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1725CD0C69F3BA6CC31636816E0A80,SHA256=934037883922828FFDF3C436EA7CA667A4912532C9393C9B7AA6718650B5DECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:35.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023E72E4937F5BF02062FD8D47506A2F,SHA256=E8A4F032B32D6AF5DA57EC90C526040CA3E529B7C74CCC15F89B073153EF43FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:36.978{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C671374C60445554F5FE6D789447E60,SHA256=FE6B43FA9060E4D70B0735B46B729BDF8079F9414858CDD7D18C99D1722626ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:36.846{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B423FBB16E1CBC5682BDFFF234DD98,SHA256=E3CF9D864A685D90DE5FE2EAC9846309FBCB187F27181FA091FCEFB10F75889D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:37.942{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDAEA88930128F3E2F19A7C4DE10F2A,SHA256=3AAA7BDF279313069C76845695F6C98029C9EF9CD690B50637DAB759B1A5534E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:34.868{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000341538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:37.034{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:38.292{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A0D0093AEC2747A3878C17CE5C3D33,SHA256=2484B76D163E53988FD28C3D132DFB6FC65976BAB68C6ACB9BA66B49F338BAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:38.902{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.650{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.632{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.623{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.617{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.613{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.610{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.522{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.470{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.431{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.418{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.376{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.363{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D43E355F4977F6C8727E3FED458D61,SHA256=670427E8904E09EF27B09F3E329E8650F634349C803048B003603D95430DF0AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.320{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.319{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 354300x8000000000000000341543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:37.373{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51067-false10.0.1.12-8000- 10341000x8000000000000000341542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:39.523{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:39.043{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4807111F96411AA7E37C4B16B22856F0,SHA256=C0D6F72E6E36153241E338969982B1BB31669EE6E87E030E1B0DED117D1D79C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.371{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D792EDE3060BE44EFA735980B010F8,SHA256=C1A927070239BD72B317A2E696110B773FE2BE26AF2DAFE1092ABB545F6276B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.647{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.647{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.644{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.630{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.626{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.617{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.603{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.601{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.567{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.561{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.547{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.541{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.540{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.535{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.532{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.529{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.526{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.525{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.520{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.518{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.516{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.515{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.512{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.503{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.498{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.491{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.489{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.476{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.461{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.458{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.449{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.417{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.411{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.403{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.392{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.380{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.372{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.362{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.353{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.340{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.332{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000341545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.330{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000341544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:40.240{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B745E32E4E092F869210579802D132,SHA256=05EC6D7FC36BA13A3CF3E54D2493A679F53BC91FF2E4BDF7A2B9F00BF1E445AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.296{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.288{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.286{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.283{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:40.280{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:41.461{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5468740E48D0C3CE68AD6A09B6754B39,SHA256=AF80C66C783DB54009F70B68EA3A161302427C35C53AED56A7FC7637B4A94C54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:38.152{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51068-false10.0.1.12-8089- 23542300x8000000000000000341587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:41.354{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C0C06E2B82834242345BEA50AD8C79,SHA256=9337C905A8BD1598E7A3F2FD6284D088AD995C65C3E58BC4754F1F56ECF5F268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.969{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.958{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.946{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.911{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.901{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.889{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.880{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.877{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.875{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.875{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.872{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.555{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6F2C129358E17A5B8912B65EA94BD4,SHA256=70D13ABF41856940C84A714CFB85A17A0049D5B81FB0D2D5D248B88401C87185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:42.400{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82439F3EF0D3A25A5DBED166C60184,SHA256=46487E588922109E75814ECA6C271C61B4D91B5F320DA82B6977155F00332588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.365{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.361{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.358{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.358{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.357{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.348{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:42.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:43.753{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC383B96B31F2946F715C611BAFBF510,SHA256=22ADE231890FA633D64DC54939D8173CE68FDAC88B1FFF36BDE9A153B3BC88F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:43.485{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE004CE88FB5FB0799F42F148185970,SHA256=2560A298B555E42B5A06A3C78897C05807CFD88F32273CB056C3DD36A994BA37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:39.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:43.001{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:44.844{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE86E1F81D4F5CFEDB271B1CBDA8EB0,SHA256=7DFCF13218C110601EA0A48323CD342584AC58957441D0EC5FA13516AE1C2322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:42.374{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51069-false10.0.1.12-8000- 23542300x8000000000000000341592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:44.576{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A4B4597507DFEAED86C06E22D1D4E3,SHA256=A1EA80ACDFCFE9BADCA3483181D4E0A5FFDD9616003B5DDFE532E5FF6D624CFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:44.110{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.922{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889A6334DBC3F7B9D3F033797B6116AC,SHA256=70D5052005A7AA1E2C57655EDD77FC8C6C60441B2DEB210A0658B8056854FA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:45.656{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD260EA40E21405702D8FD4380F6D2,SHA256=F1BEF010663B1C0AF35B74656A07944B08C22D4A305A65FB4E4C2098597B96B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B56D-63D3-E603-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B56D-63D3-E603-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B56D-63D3-E603-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.844{45AAC21C-B56D-63D3-E603-00000000BC02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:46.741{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8FB319E40AFF18816AD8A33FC73E31,SHA256=C572D790C766AF00E9416124C67D6FB8DD0DC592E4BB293E472E3C8A8443D114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.884{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDC7057385CAADF97BA7C6F67B6C4B6B,SHA256=6C4E611440F6691504984C2B8577035893A1ABBFD03B7BA83EEFD2BAECED349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B56E-63D3-E803-00000000BC02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B56E-63D3-E803-00000000BC02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.837{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B56E-63D3-E803-00000000BC02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.838{45AAC21C-B56E-63D3-E803-00000000BC02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.669{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B6ED54E54230E8E5C5FAE7AA6DAECEA,SHA256=10691A423D82703F9EF2E851ED2A13688DE7A6980F3BEA1306206FD831E1DCD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B56E-63D3-E703-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B56E-63D3-E703-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.341{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B56E-63D3-E703-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.342{45AAC21C-B56E-63D3-E703-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:47.822{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F68734E5A09483BFFAFC0FA81BC019A,SHA256=45E960E6CE90A24801CC4574665CBC27CB5D356035BB69EFB1F67780CCDF4C88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:47.481{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C4E677FAE028EC323A34F9F74253A660,SHA256=341586B7A0025DB5E41A299F511C376E1384EE8F2990FEAB41AE763EEB28F6A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:47.071{45AAC21C-B56E-63D3-E803-00000000BC02}38162752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:47.009{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47791A9173BC9922FBAB3EA3459A888,SHA256=5EA802C56582E5EDB9159F1F341A2B4B4F34C2F59C0EFAE5C62802E93713F037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:48.919{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE4599A163042F6C6F3D070FC372489,SHA256=1C96EC85351BFD3C9A52A4CF52E059ED1A6F69F6EB46A1BD01427FC64B6C6022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:48.104{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DAD41ED7F65CB67D0F2AB70E184345,SHA256=707447883ABA8DA193855C4F556DEF8282A3306C6A0F349828D6F714D74A747F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B571-63D3-EA03-00000000BC02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B571-63D3-EA03-00000000BC02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.948{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B571-63D3-EA03-00000000BC02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.949{45AAC21C-B571-63D3-EA03-00000000BC02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000449270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.427{45AAC21C-B571-63D3-E903-00000000BC02}10085448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.302{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F89014D60412FC53FCE4A54ED83C66,SHA256=1C8ADBF54B445D87D0BCDB2257525BEBDA8B4BEB589CE035635B3B65792C7828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B571-63D3-E903-00000000BC02}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B571-63D3-E903-00000000BC02}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.270{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B571-63D3-E903-00000000BC02}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:49.271{45AAC21C-B571-63D3-E903-00000000BC02}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000341599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:47.511{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51070-false10.0.1.12-8000- 10341000x8000000000000000341598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:49.151{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000449260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.321{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52759-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:46.321{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52759-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:45.930{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.795{45AAC21C-B572-63D3-EB03-00000000BC02}17724808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.781{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.781{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.781{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.445{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.447{45AAC21C-B572-63D3-EB03-00000000BC02}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.383{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BB1C59870B7FDE50EEA0554CF20088,SHA256=97DBC586625479F7006323C9DBF01DD1B03C118C4E31B6115F8BA754641C8528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:50.255{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5803D674F227995F0EBF8EDC2EC495A,SHA256=4C039D7C46AD9BFCF936AE8CA91E0E47025422058D915D2B0BABA6F93D76A8F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:50.182{45AAC21C-B571-63D3-EA03-00000000BC02}55284712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.772{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.772{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.772{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.620{45AAC21C-B573-63D3-EC03-00000000BC02}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.557{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E546A6808031C803796A8AAB6DDC1E9B,SHA256=5C9BF13BB9F94AAF8B525A3DB4013DAD241D8F7D18155590F2B439DCB0C1DF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:51.330{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBFF1FB6A61C378A1CB83A73B56ED3F,SHA256=78FD7CB1A2FB66DBF4EE89C4B1256F6F62E51DBFDC48D361AA5FD4737782640E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:52.737{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B897ABE8E1828307A35480FB2CD0BFCD,SHA256=613E9765EB6F6A6915C4054C06228B92EAE7848C96275025BC0A4742D1FD4F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:52.630{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5DCA2E0FE93624320A2965BA353032,SHA256=FF6D7E55EDEFAF7699C59FFC4AEB00BD3B6B37DAE60FFAE128BFF477948C017F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:52.523{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9FBF835FB9DC38C83A5BEA46E71466,SHA256=46601671FA914A89839C6F048E9B35A7DEF96C90074ED9D3F953B0A7F42F86CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:53.708{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07EED36AE78ECB00D050A29195A339,SHA256=1F2A858D32D5431D3BC2B25536EBD2819A0EE1C1AED696D565E38B96D2EF82AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.922{72106695-B575-63D3-2D04-00000000BD02}58004676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B575-63D3-2D04-00000000BD02}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B575-63D3-2D04-00000000BD02}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.659{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B575-63D3-2D04-00000000BD02}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.470{72106695-B575-63D3-2D04-00000000BD02}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.610{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1203D530B1D84E277DB462FCC0C3D53,SHA256=384B5B1C33C87AF2F4B47CF1802EE8A1A12A99669CD372E028C537E7751B732A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:54.795{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EB8211B3E94F12C18535969A23A39E,SHA256=034041192DC4994404F142E71ABE743559AB8732ED5319D29CE4CCD2CA36A9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.699{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D74727FBF8BB39ED67B1F319EAFAD47,SHA256=0860366569FFA446E4BE73BDA851DC0773F73ECE8F0DA2D6EAC6E804FB1B5E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.527{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E0ED5D34A51A9C42ED0C14EA84DC40,SHA256=C7E12EEFF2E1A945112ABB19C1F8D2BA491484A8AB975A70F96A77846E3B261E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.496{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B576-63D3-2E04-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B576-63D3-2E04-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.480{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B576-63D3-2E04-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.356{72106695-B576-63D3-2E04-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:54.371{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=908D97E8014ADC44D8663DA94A91700A,SHA256=6F4447A381F96512D18255621C27A72C6D870E82A10A50A1C74F36EC4D292300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.787{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6221B9EE5147AE2F5CA4A8AA1F69A000,SHA256=82EF0F2673E5A56D44A4A96610EACE5379EEE4CAE17A2A44F9CBB55065112E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:51.744{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000341638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.475{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.475{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.475{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.474{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.473{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.473{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.305{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:55.150{72106695-B577-63D3-2F04-00000000BD02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000341624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:52.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51071-false51.104.15.253-443https 10341000x8000000000000000341657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B578-63D3-3104-00000000BD02}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B578-63D3-3104-00000000BD02}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.882{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B578-63D3-3104-00000000BD02}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.697{72106695-B578-63D3-3104-00000000BD02}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000341649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.190{72106695-B578-63D3-3004-00000000BD02}50525044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000341648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:53.446{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51072-false10.0.1.12-8000- 10341000x8000000000000000341647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B578-63D3-3004-00000000BD02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B578-63D3-3004-00000000BD02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.021{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B578-63D3-3004-00000000BD02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.022{72106695-B578-63D3-3004-00000000BD02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:56.003{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A744BC4BCACFF802A5223564967282D,SHA256=7B4DFD2DFB3D95355A1833740BB43F6FAE7366D0FC0BCF547BAFCD546EF5A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:57.104{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A143734C9D55522C12DCDC0A538CFF79,SHA256=9902A93518D0A6F13A3E2718837C54F592E16DE59C35D21F2359F5411C0C45BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.951{72106695-B579-63D3-3204-00000000BD02}10642616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.795{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B579-63D3-3204-00000000BD02}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B579-63D3-3204-00000000BD02}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.779{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B579-63D3-3204-00000000BD02}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.593{72106695-B579-63D3-3204-00000000BD02}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000341659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:57.053{72106695-B578-63D3-3104-00000000BD02}50721860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:56.991{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F189400721BE89CD2F571BCF2C16B5,SHA256=460FC692A9BB871FA45FA173D09F0BF6C93BD67917D74922E2E81782384D36D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:58.213{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E29CA3A768DF58A63014DA97BF791CD,SHA256=F43DDA26D72A41260469E5B37214FD7432335B2D9D2EFD4B7302FDA56FEC3A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.469{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B57A-63D3-3304-00000000BD02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.467{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.467{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.467{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.467{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.466{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B57A-63D3-3304-00000000BD02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.466{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B57A-63D3-3304-00000000BD02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.466{72106695-B57A-63D3-3304-00000000BD02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.208{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F8B188671A5F9E7E299EE59968A8B604,SHA256=63FEB9D7422BE04778666E538655DF55C9F79C0BE9B659129E89E2F7ACD3054A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.072{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782FF488A3481FEAAC072E70D445D044,SHA256=844016D6D2EC9D3D52B9DC2E5E7D9E4A5AEC9272B9CAB649619128E9247DB70E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:59.723{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-107MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:59.153{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB88706406B40A45DFEE02F53772B43,SHA256=2081B9C966A7EE37092C3C770D42F44C05A2A49A108DFC126251E96DD454801A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.547{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.531{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.521{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.515{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.490{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.485{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.469{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.461{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 354300x8000000000000000449322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:56.770{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.387{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.295{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:28:59.293{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30CF3B19FA6E0FA6EB4348F00E0E244,SHA256=008286B75F60D1C11ED768775A90F53F88078C59795B0CC08E5C9DFB9615D280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.726{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.725{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.724{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.713{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.710{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000341719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.700{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.699{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.672{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.669{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.644{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.638{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.621{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.609{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.607{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.605{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.603{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.600{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.597{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.596{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.594{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.593{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.592{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.590{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.587{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.578{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.574{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.567{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.563{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.549{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.536{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.534{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.526{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.461{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.451{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.437{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.424{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.402{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.395{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.384{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.371{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.358{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.346{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.342{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000341681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:00.229{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F1E11D33A0BDF6A9005CB3819704CB,SHA256=7859CB354B63E05DABD656C338116A93DD9BA3783EDD166A1AF63695B364CF60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.312{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658A3945A40EC931F8F919408EEB25F7,SHA256=56B6A06BE66BE94C3CD1EA3700D9304F4FABFB0A7FF9F76A1B85B542FC8F058D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.077{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.073{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.065{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:00.062{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000341727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:01.787{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1210F01EC1868453BECD282B0FEACE,SHA256=E52D3D5CB7757AD675A778F1F69C2907CE5E870225702AF6B8D67076DAF4361C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:01.421{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8ADD8C2AA6D2150228F958E54E5FE9,SHA256=8748D949A19F10DA7D8AFB46DD5ED2A1EDB1603BC4D1109BADAD63D2BDAF03E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:59.276{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-61756-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 354300x8000000000000000341725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:28:58.477{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51073-false10.0.1.12-8000- 23542300x8000000000000000341728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:02.815{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B383DFCCADBF26CC06F7DEA65B7DFA24,SHA256=5F81BB74B65F6429BC19F8790DA5E75159F39A083ED710013E2A480134FBF9B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.785{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.763{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.758{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.745{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.736{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.701{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.692{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.685{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.684{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.678{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.676{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.674{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.670{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000449346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.528{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F60B3106DF0D8BD193177D64B598BE,SHA256=C24F9BF15CADEAFC526940FC4F8290BD2E5150EC599406EC47D459893B4D1CDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.153{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.152{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.149{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.134{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000449341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:02.122{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000341729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:03.895{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2271D822D079170B4C29E50451867A1,SHA256=ACCB4BCB3F72840102612EDD0A8D7DD75FE04C656B81EDD890FC98DD44DACE41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:03.609{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A843A1D0013F955D94EA3179121530,SHA256=36156E8C942BBBF50E2D63059DC2D10BBB84DD76E13F94FD8528A3815DA9D0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:04.695{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2179690C71455C5B53CD00B93E18A4,SHA256=3F80C47933447BAF67073A9A533898F38F1F16D36E8681AD3DBFDDD4E3067A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:01.954{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBFE694F81F9BAB833B2E0EC0D347CC,SHA256=A7D1E11B2CB54DC4B0139C73842144A36007282F8FC0F960DDA6727294B1E631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:05.089{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FC51E6E3BA8D8883F9D8268CC6320,SHA256=F8B5EEC969D83CEF1DAE17B2CECD156DF3E7ACB0BE6F8DE80647C8BB2D76DA11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:06.858{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA93BA4A8B84408C8FB591D00066D702,SHA256=FC3E27BF40D63C698193BCE2C64ABC0D9FAB59F6FBD4DC8E022C3720AA5DAEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:06.679{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BAF1FF7C0AD4659F70657EAF38B688,SHA256=90B135574D847AD3BCCF5DB8912ACB66511D0FBD58564854157D34269D2CE1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:06.166{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74217BA009B8FC656D563157ACA14E7A,SHA256=40AB1C19398184A5C21C629BE1C69F6D506661997466AC4FAC4C1EE6BB373DFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:06.657{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B80-63D3-0100-00000000BC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000449366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:06.545{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:06.532{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:07.947{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4397B00D4E2A1775019C59326DBD032E,SHA256=55EFAE48BED145465C3579E73F739245EACB3BE7D0A2C18BE9D6915A946CFB64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:04.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51074-false10.0.1.12-8000- 23542300x8000000000000000341733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:07.233{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E908093C304765663A0A02EDEC69DC4C,SHA256=2083C53BE51626AB0AD4C02ABFD4B984524217163E91452974B0F07F242A39DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:07.760{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A14A4C2B0EB59BCC2E84C0BA751D475,SHA256=A08C531AA72EC15A065E97CDCBF3EAA0CDE2798BF3A1709E8C22883676E0D395,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.360{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52765-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x8000000000000000449373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.360{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52765-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x8000000000000000449372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.245{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52764-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.245{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52764-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.234{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52763-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:05.234{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52763-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000341736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:08.974{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1FC34F3AEF6C67D37D56333A6EDF90AF,SHA256=37BA4E581EBFAC3619508AEC52213E64625CF66B2F2335616197E5346550E3D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:08.313{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63483D057945C56E7B5588F83530C1F0,SHA256=ADCA79DAEE0DE0509D2CCCAAF620D0F19A82DCC86C45938AA7A2A630FBEFB7E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:09.409{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60ABED820152D6EE20E19F29561A2752,SHA256=7162034E163A6C8BEEDE29BE1B6307D6B5288E7319D0CE533411D1F902E2AED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:09.245{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15F497E53DF0F85313F64FE9A917909,SHA256=F0813AED602A57ACDF61EBFD1432C16E51C532674E84E389291DE9C4BE9355F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:10.501{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A33704F290A2E3DF49EACF547523BB,SHA256=C37AAECE6B33D317EA18B35677A06464C7A0CEF4E24AB04BFB13B2E7332DFD32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:07.790{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:10.310{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062565BB9D0B37BCB1A9371D6BD56E4F,SHA256=145CAFB7D7EF6638D8F96FDBC5E50E61FCA041C093992DFFF96120409BFF7DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:11.815{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB1B0024E2DD8E4B1ADA17B2F76F479,SHA256=DA1282AAB6E61BB21A50F16101D4D677CC843B9EC3D9B2DFD5BBB8691752B9E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:11.393{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F7E6A70FE34DC6D5648D46A7EDA5A6,SHA256=F040182F27167E325C5E0F1ED3F1128A6F993FF0B8CD4EFB91EADAE0ED476C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:12.465{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8510E39512BFF350764EE36049572B5,SHA256=6B1AAED0E7E4046FECC11655C25556149D892448618D85ED876CEE8EE7E1473C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:09.434{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51075-false10.0.1.12-8000- 23542300x8000000000000000449382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:13.543{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141412CF5E2A0122B9303D334CD4EB18,SHA256=125B0A774CBA5D04BE9DB31BC0AE918857AC1C5FC1AA6AC366B0206D9C99E0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:13.015{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE3914EE607B0B1F036B52CB0641AA1,SHA256=0D97DB239B77603B6FBBFC3A6EBE2719913C50F562FCFEE09A8536BD413FC14C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968A8457CA0A97C4BD8A2D6612373538,SHA256=899283699AC8A84665C61150C8694229DFDFE0B4C826AECFDD76D4CEC2E879D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:14.192{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCBB7C8075CD7195AEA372B84E6510A,SHA256=346F80725DA26D192E277F9892910F1F357B972FB315D7E7A21A90D6C06E2E7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000449389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:29:15.928{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000449388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:29:15.928{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x8000000000000000449387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:29:15.928{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x8000000000000000449386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:15.913{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:15.913{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:15.727{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11CFF717D3E93923FBF950FF083924D,SHA256=AB656D58C9F3DE8AE59041970D7A1A26D95C9604AC105216999F33E4DC5AE09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:15.500{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC594BFA7D34206EC2BEC6424E6E294,SHA256=06879919192AD38482365100738756C1983E64B21E644132C00C92AAF24BC5BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2B09C04BCF3E013114EF2B3B0B1679,SHA256=13E658D86EF6EA35C27504E6C50849DC88B111A24EB2FE77B2B6C3E8B561C55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:16.685{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C18997B0248D011695F90815CE1A7FB,SHA256=03C5A6483BA0FDF93800A9E9723B30A51A7ABA2EFD20EE519D970C317C24D91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:13.771{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.769{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.769{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.769{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.269{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=97546AD1020E61B1C4A20BFFA1067357,SHA256=76005178DE58DAB8C19D4136CCAEB05B8BE315C6C570DA466DA3A48A15C4BEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:16.188{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B789651043C55F4EBFE5D36A3A91CCDF,SHA256=39290AD654813160C4EAD207FE045F70D7774D1DD2FB3A16BEDF8D55C8CE34FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:17.875{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C5AC46618B882CB9591D4289F411AC,SHA256=266F751BB3444DEA913C9844EA7966B0ECE964648F55AB6E555AEF2104B97DE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.639{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local50740- 354300x8000000000000000449408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.637{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local56068-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000449407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.637{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63646- 354300x8000000000000000449406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.637{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63646-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domain 23542300x8000000000000000449405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.794{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24220B3DF5AAC0ED8CD1872FCF303035,SHA256=3810052328A4F4BCA838CF2702AB314B90F203AE3DAD9595C97F53B984B3A224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.787{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-107MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.784{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.784{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.688{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9A6AF21869173FB46686ED9951785A49,SHA256=CA287D75508FA884147A0D5BCB29E57664CC0DF5DF8F12B7977F5A86B84ECBD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.610{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.610{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:17.610{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000449397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.615{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52768-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x8000000000000000449396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:14.615{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52768-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x8000000000000000341746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:15.374{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51076-false10.0.1.12-8000- 23542300x8000000000000000341748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:18.959{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59735DAD9C09D7602FF5CD8026B09D43,SHA256=C838BC997CE360781AE6D729FA077234DD84FE36BE5CE508710CE819A4F21C80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.309{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52770-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:16.309{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52770-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:15.468{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52769-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:15.468{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52769-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000449411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:18.795{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:18.001{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFC3176833F723C5172994995E1F85B,SHA256=4286B6ADBA7159F07D194C09EE331FAD81E84933BDE92125ACA096DF9D9E242B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.624{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.604{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.592{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.587{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.583{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.484{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.470{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.454{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.418{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.388{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.372{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:19.091{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FE002BDB7F4E19B5AAEB28C98C0A3,SHA256=B42756C040D62BED3BF4584EAD08931919B7A9E4BD6495ADA53A46D3F183FEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.713{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.713{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.712{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.695{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.694{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.676{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.657{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.653{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.616{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.611{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.597{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.592{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.591{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.588{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.584{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.581{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.580{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.578{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.577{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.576{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.574{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.571{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.563{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.558{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.553{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.549{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.541{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.527{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.525{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.511{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.468{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.462{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.452{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.444{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.432{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.425{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.417{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.407{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.383{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000341751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.348{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000341750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.346{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x8000000000000000341749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:20.159{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB01A5CE86A316DC41E36CBFA7CF30D,SHA256=88C0544F7A73FCFCAC0765B3F6FE5F3AED856D713D3D2E730CE9208108BE38CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.285{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.282{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.280{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.279{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:20.221{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06FF54D147A4192B81A8982D8A2C51F,SHA256=D6ED5841BEFF4F337B2DBDD6D7A77384518865C4C9ABAE45DE52D524F20AC1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:21.787{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BFD7DC90C534989F78BE3BD04DECAB,SHA256=8342291DBC1710CEB4158550F7D7784CA00E0B1330B22613F4A3F29BC0F16D4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:18.946{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:21.313{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74A5543EF6AEAB76E714E347947D246,SHA256=EB2B14B0FF6423E89E6EECD3B16D2551D8A713A05C4A33978636CC6066866A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:22.829{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A3496BF8ECA2D679CBDA545E044F52,SHA256=879A8C3226B71EEAFD367DAF2C424BCBDD3ED71C8221CD893813C486A65FC82A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.993{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.988{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.953{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.904{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.892{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.877{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.868{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.866{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.860{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.856{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.854{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.850{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.408{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BCB2E780FD8F27BC902B4CC5B3323B,SHA256=5B44343A97CAC5E14324AB7FE50354845D7E09E1F4150B7051C180DF4E419405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.344{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.334{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:22.325{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:23.481{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFEACBEA4EE14A8524568153CAB4080,SHA256=BE3C9713F5BC09EFF986ED4ABBC1E706F241A55D8044EE9BC936348487E6E62A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:23.146{72106695-9B84-63D3-0C00-00000000BD02}7324228C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:23.028{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:24.586{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC4A4E22A87D7054790005BE185EECA,SHA256=AC46C10F455F4EACC7DF7A4C76ECDF5C0E6930E3BCFF33A7964A799FE7550648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:24.027{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637AD9FA4F30E351DCB2B6F69D9AC7D7,SHA256=992B255E27F28DB8A693D1027CEE7A708D25B667CFE5FC2C144FA6BFE3648AF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:25.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E77C415B237C746D745047813C90690,SHA256=D9E6549EFCD1537C41B26C082DAE87555D85E6A5A00615F48484669E7CFF5E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:25.144{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060B320747233906D0ABEBCDDF2941AF,SHA256=927B4B22DA913E7951BD22991E760165298AFED0A0803CAD0C75A1BC1F7C4872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000341796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:21.358{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51077-false10.0.1.12-8000- 23542300x8000000000000000449467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:26.763{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B4560F3D8FDFAC023415E2D741F11B,SHA256=1B54D2181690D966DB03F2F3F6C140A51188558AD744C3A329149EC0DE7B22EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:26.239{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6860E9B081FDC88EE2333B495E7E446A,SHA256=7D8416B0B43E5E30AA1141FC307BFEEFF1105F7E1A2995D15968EE92F39812AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:27.840{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C9B805B3AB6F07C9B14538F6EDBFC7,SHA256=470EBD5175177EE61579F0CF47C4FB20D0A5FC7DF0BB375076F272BBC637C31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:27.329{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD48D0A5D25091E6A63302405D17F9E,SHA256=ED31F17F2643F1C161C181A2CACE55E8D914B2E8CAB9C6EE812AECD360FCC320,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:28.918{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5285A51A8FB1363A19CE25B18835534A,SHA256=62D8AB516BFFA99186B45C3A81C9AC4507F1857C8C6FD7467575C7267E568339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:28.503{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3C3300AF82EB0682DF738F4390A9539D,SHA256=B22311D88F13B954710E5111722BD56276EFBE180A2244A16BA2925396C3290E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:28.409{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D349D0CB53603DFC6A76D724EC995CB7,SHA256=3EA4CADCDC530B613A6DC17E432416985F2FA2FEC0DABCA3A3B7BE1ACB556573,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:24.887{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000341803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:27.378{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51078-false10.0.1.12-8000- 23542300x8000000000000000341802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:29.498{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD2F1915A53A97BDFDBAA6EDBB8AD08,SHA256=2C8A88CF303862442C73C8A2FF9FB23160273EEB46EC66D77A63628E0E118271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:30.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDFEC7BBEB8FFFD87D345A1C55DC955,SHA256=1AA062E53E98AB64C06AAC2CE970A184A5D9F497721CA6357DB80CC3F485EEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:30.102{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B8363EEA2EE4E8EC1C98D50DF7D21E,SHA256=27EA8085AC0078A5C20414C6A66A1866A0CA6634FE6A23B6480E956DE3E9897A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:31.705{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DBBEC8C0EF9F3038EBF6690BCA279D,SHA256=A5A4C64E573061CD8708EA809C9D0E26BC53306DB020A748EA63A6ABF96494C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:31.182{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6B227A67BA8EF6E72A4642DE623DCA,SHA256=3686454842E90A426D9A8786E7F2621DEAA268128EB1B2113FB0091BE1644F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:32.895{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D355EE0A49FB099A1F3ACB9BCEF3B9D4,SHA256=8070739C96F1F5BD0D484A4ABA0169BC3F1B6CB1B146B187C486E4AD8D6C0A34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:32.247{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3196088F50D9FA9EA1671B22E15885F,SHA256=6A8F74067C64CFFB14F4B2C98C0D054056CD377307BCE9EB0EDA5F96F29BD7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:33.330{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F49DB35AE495B0A2A1232B5D4DF848,SHA256=DB5A5FD70FF7B02FB74C241D883F56DB367BEF133DAE57ECCEB44EF86A95BEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:34.407{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44654A862D412DAB39740BA329B7D66A,SHA256=79AA2807DB913B90404AF540CB90AD9A0BFF27CF93534C2E63D6CFE79F0AB254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:34.090{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6200622126ABD857BACAECB6F7047B,SHA256=AE1C2B3F56DEB68E78C174BD1721EB19C51EFEA07527EDB8B3D86FC12AE17810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:34.251{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:30.930{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:35.496{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A8403290FB97AD47932E62B48FD91C,SHA256=3FCE920768F883DD8496100D3FD8886B27CC50D345A5F4FDB5FF6E0ED223F9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:35.181{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54348EA3E7070DD83EAC4FAB141B67D2,SHA256=BCC431F8F30A12802A6594441E1A4CC4101B0D7F0EEC488A5F19996387D74D0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:36.591{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A42EBCB30385527261B60E3F31BEA2,SHA256=C7CA643CA03B36A46E4BAAB67E6FBBF451B459E632D5C672426739A73FB2086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:36.269{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82124412E90512041CC112CB05CCD0D,SHA256=5343B52C8E05B47106F8F34BB0DC42A1AE136BE5060DA0E4F49D896AA66F126A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:32.934{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000341809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:32.415{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51079-false10.0.1.12-8000- 23542300x8000000000000000449481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:37.793{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90277E69D2B2C69ED3BAA8B21E3FE9E7,SHA256=D8200FA8E77D9AD794AD752D43B90190869D34F3DC2FA29F1E0BF5C57F7B7CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:37.455{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCD48BEF25A458A28FD0E2529D56E68,SHA256=77FDF8A49DD125ABEC6DF9F9D0E7E1AE5C535DAD24A36F0D7733EB0C8C3EB5C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:38.882{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A121D05CE55152A76EBF898C33520F3,SHA256=FD1F78A1C5A959E387677DBCF34D2778B249F6A2F817FAD0E8CA4A7087F95399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:38.922{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:38.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523890E3517506988EB7FE4A775E1134,SHA256=5653331D45D10B8E8403F22AC874CB4878735217B0BAA15927FF188C5414E49F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.931{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86027D74EFBBE10C9D9DE30ECE989D0,SHA256=5297ACBE4062E6576917ABA86C1220105CFB6BB0A9A8B48794BB697F4CEE46BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:39.639{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47B8B92735AFCB5042DC62DD5119555,SHA256=27301BBFC01449074AE8BA37BA034C7C39799A221996612C535C23785944BA1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.540{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.519{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.508{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.495{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.448{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.432{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.416{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.405{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.391{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.335{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000449483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:39.300{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000449509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.993{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D52CA0E21E0E69E3277338CC27B416C,SHA256=C28206DEA1F25DAEF4AE5F7E71AC8D4424EE421F5BEB0AF5E957E3700EB0DA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.876{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D777B5B15F7AFF1F8E2FF45B5DAC36DD,SHA256=C9B6445F5D7AA2ED0B740567693D3F0C9FDE3F9C85E2FEE006763EF537367562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.718{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.717{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.716{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.701{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.699{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.684{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.665{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.662{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000449508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.195{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.192{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.189{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.186{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:40.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000449503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:36.931{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000341849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.630{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.619{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.607{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.593{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.591{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.589{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.587{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.586{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.582{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.580{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.578{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.577{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.576{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.575{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.571{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.563{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.560{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.555{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.551{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.535{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.520{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.518{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.495{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.458{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.448{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.436{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.428{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.411{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.398{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.389{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.378{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.366{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.347{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000341816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:40.342{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 354300x8000000000000000341815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:37.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51080-false10.0.1.12-8000- 23542300x8000000000000000341860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:41.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEF5EAE7CEB8652E8BC8A514ECF569E,SHA256=1160CF4D973171E1E3E2CBADC932B19873EB28EE19492A8384CB7BF77A151696,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000341859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:38.166{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51081-false10.0.1.12-8089- 23542300x8000000000000000341862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:42.800{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239EFF4E6DDA888967AC86111633C90A,SHA256=20970D3435D6474D5EC46CA85F4FEFC49F647C475C66AF90C830D3A4EEE8B9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.961{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.924{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.904{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.882{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.832{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.816{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.794{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.785{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.783{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.776{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.772{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.770{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.766{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.362{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.362{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.362{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.336{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.254{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.252{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.250{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.230{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.217{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.079{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB7C2B3EA1D6EF43CC488D2F3EB7302,SHA256=F14DD75742C0B9A2185FDB0B4E370B60A1EE64E5643A275FC4375FBE69D9DFCD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000341861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:29:42.269{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x8000000000000000341863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:43.878{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2508D4542DD28C1E326F4ED2B5672D,SHA256=32E574B69295AC433841CA2083A587484318CB91C36B5E6A5CE2B42331705CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:43.152{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358F3DD2DA5C0A6B1969F086BEEA41F4,SHA256=3CDB55AEAA706F3A5A149B8234855E75492BFC8D34481795D1E67356DF2DCC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.962{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC60AEA8DCFF9B3018D814BE02205A57,SHA256=FB7220F7ACD81FF9F6867AE963079D79718ACC1BB3410247857EC4F660C8278E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.944{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.897{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:44.255{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB9DE6FA76FC2770ACA6F59084ED291,SHA256=713EFB52EA7F7641C3B3465FAEC671D527B14DE0998E77CB3E1B4FA5431CDFB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.866{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.866{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.866{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.866{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.819{72106695-B106-63D3-2B03-00000000BD02}9645340C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000341865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.822{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap6169:42:7zEvent31647C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000341864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=39BC2DADD10CF31BE76CC3511F19BB3E,SHA256=25702AD312690477C5A78D51DE38B52C4E37EE566FA25C4D49324035567C9223,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.950{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FC7C4913985FB0D041736B23DA4917,SHA256=D39CC85EAD3C747785354FFEBF40491050E783148935E5E18D0165FE95A24EAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.919{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7F98687670C7E8F7B0F07CFD3B45ED,SHA256=2B7D91897B2ED31C2922262A219B9AA884FD7CA45D656A8A1F24AF1B508C508A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5A9-63D3-ED03-00000000BC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B5A9-63D3-ED03-00000000BC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.843{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5A9-63D3-ED03-00000000BC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.844{45AAC21C-B5A9-63D3-ED03-00000000BC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:45.347{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20209AC3C18336FA9BDCBE1B09E3AF8,SHA256=137E9616816C510C328E106981B367DC88D0CFED596AA3DF578F29938AE0EAA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.314{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.314{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.314{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.069{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.022{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:45.006{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.991{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.991{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.991{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.991{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:44.991{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.927{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022783C0EAF47DCF6448296D6AE23B04,SHA256=27B13BD32AB2AF1D67FBF4F039950200FF1C70E4259979CCDF7F966F3B289094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AA-63D3-EE03-00000000BC02}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B5AA-63D3-EE03-00000000BC02}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.522{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AA-63D3-EE03-00000000BC02}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.523{45AAC21C-B5AA-63D3-EE03-00000000BC02}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.460{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1F5AD44B1757AEA84A3CD13E6485969C,SHA256=99BE24C5B67984272B135061D79E24FE393593CFFCA6BDAB8C8BD2E710F4EBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.428{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8D814317103FB8B6DBD1EDC162153C,SHA256=1325D3504178EAC339946F617884E7901B314BADC05ADB3FABBDD5122DE9C3D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:46.849{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000341900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:46.849{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000341899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:46.849{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 354300x8000000000000000341898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:43.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51082-false10.0.1.12-8000- 354300x8000000000000000449546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:42.833{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.030{45AAC21C-B5A9-63D3-ED03-00000000BC02}52925916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.518{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C6E06160A9B3AD63BA743738F634CC,SHA256=25BBA29B62F90E1143978DDA299651514DA40C5B669AC3509CD28542DE39603D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:47.029{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9302A33D71F48CD1CC0F16B9A64944D,SHA256=4142934CCFE6018C1612F3DAE5DC9E68057762D663C8483FCFFDE0267DA827FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AB-63D3-EF03-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B5AB-63D3-EF03-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.021{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AB-63D3-EF03-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:47.022{45AAC21C-B5AB-63D3-EF03-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:48.587{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C590FA0B57040BC96360B05766EE38,SHA256=0510A52F361B8AC29C2E1E1E0789FEDEC66A097673A08C65A236E0048A27BC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:48.117{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7980E43169EA0594C655082247E8363F,SHA256=7EC8718C1282D385D36E83F1DFCEC185D63C9716AFA4FC045071FF206CA8A9A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:48.105{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=39F974490F73B49B01A78F29BE5C08E2,SHA256=8D70E4C44F567B0CBD76531D6A9C361DD0B9C71E09A442EE697C15C48090BF8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AD-63D3-F103-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B5AD-63D3-F103-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.802{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AD-63D3-F103-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.803{45AAC21C-B5AD-63D3-F103-00000000BC02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.662{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A17490C3FDC485411D424C547954ADC,SHA256=3DD72177E0689F95C64DC54A63CF387C17F01CF8B6A03E296975D8AA867988D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000341904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:49.199{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0027867B8E2282AD8741AFCF567C5FD1,SHA256=CF443E97464F621C7BE46E761D40FD239BDD24A472C9A0E151B8A8EEF003D8FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.510{45AAC21C-B5AD-63D3-F003-00000000BC02}9443488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.460{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.457{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.457{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.457{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000449578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.326{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52777-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:46.326{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52777-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000449576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.285{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:49.286{45AAC21C-B5AD-63D3-F003-00000000BC02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.771{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4DCD743E51663908CADFFC6DE589D7,SHA256=B21567E1E69526F94E1D1616BAFACC15B44AE76F027D4B7906AF1BD3FF0FB8E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.725{45AAC21C-B5AE-63D3-F203-00000000BC02}39365496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:50.288{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1B8AA1B8262091436DF3D01756F054,SHA256=39C0B4506D689BDE9201C8D0743C999EC4EF1151F7F7156228087C486932F6D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.525{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.525{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.523{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.393{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.394{45AAC21C-B5AE-63D3-F203-00000000BC02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000449595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:50.130{45AAC21C-B5AD-63D3-F103-00000000BC02}23324684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:50.026{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:50.026{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:50.026{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5A8-63D3-3404-00000000BD02}2564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.758{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6EC9454A12C81CC1F05744189AA4CE,SHA256=6C0FBAA062699B67ADFD24A4F539EC29817B0C96DFD74BA7AFD5518C5B92272B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:48.522{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51083-false10.0.1.12-8000- 23542300x8000000000000000341909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:51.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1583F858B3F67023D543C96F770493,SHA256=AAD10DE80196A37FBDD2A180859DD6FD6554CB11405730E03540905688398085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5AF-63D3-F303-00000000BC02}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B5AF-63D3-F303-00000000BC02}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.618{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5AF-63D3-F303-00000000BC02}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:51.619{45AAC21C-B5AF-63D3-F303-00000000BC02}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000449612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:48.815{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52778-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:52.829{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7787AF0A32628375EC361B6B71DDFE9E,SHA256=6C171A829746AA77B5F1F3BE2A479C6EA53B3E62E716725807C5E7253D80883A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000341912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:49.824{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-58987-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000341911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:52.465{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81715B1D478CE89B03A890ABD3DD7DD,SHA256=8A21B2AF5965B1D1CAD342AAF93366BACEC9928BFC4B9107C2DACEA2D8F33C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:52.657{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E90DF201FF062E3E55E2865A5E5B310,SHA256=20F580DDDBC81405BCDD935CE9BE29AD7574F6A086144AD886D21132D0725634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:53.933{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012CBDAF008B7036FC015CCB2EC4043F,SHA256=EE5B4B3560BDE125CFEE7D43452AF9374BBAEB3D088C1802D52AC745A710835A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.738{72106695-B5B1-63D3-3504-00000000BD02}55963388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000341921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22F57A008F6B976FBB8BCEF9C285799,SHA256=3B4E71CD14B93687B95687DF2FC9CAD4E331BAE64309646BE0A0A0E635248771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B1-63D3-3504-00000000BD02}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B5B1-63D3-3504-00000000BD02}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.488{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B1-63D3-3504-00000000BD02}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:53.489{72106695-B5B1-63D3-3504-00000000BD02}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000341953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:29:54.927{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x8000000000000000341952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.911{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.911{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.911{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.911{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.822{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.820{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.819{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000341943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.819{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000341942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.800{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BA5D0BD4546A12E4D2B1E472EDDFB4E1,SHA256=48C7BBFD70D40C74D15519D7FCDDCC67236504AB742530E4035F090C1B30DE52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.683{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.684{72106695-B5B2-63D3-3704-00000000BD02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.667{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516FC513880843629E16EDAD06FFF43B,SHA256=B4703D76BACCF13FEC02AF1F03FF6CA6C247F7F53E403F318D2980045A0C85FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000341932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CF32F30B2694FC637B41D13C51E82F,SHA256=B5732E948B16E6A389A4BED0F9D95FEB3DABC87A4EC1930FCBFDF43C59C69A6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000341931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.245{72106695-B5B2-63D3-3604-00000000BD02}58802572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B2-63D3-3604-00000000BD02}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B5B2-63D3-3604-00000000BD02}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.061{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B2-63D3-3604-00000000BD02}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.062{72106695-B5B2-63D3-3604-00000000BD02}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000341971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B3-63D3-3904-00000000BD02}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B5B3-63D3-3904-00000000BD02}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B3-63D3-3904-00000000BD02}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.904{72106695-B5B3-63D3-3904-00000000BD02}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.902{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8400C5DA270E4CFDF9C25D670854C15,SHA256=EB9FAF174313384E8CA56D42F1D541C93426F0B9D5BE909F9E935B9FBD3BD549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:55.040{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CE9C020A0B26F7F70522D0D537D03A,SHA256=463388F8FCD87097C932C186728C180681D729CDB235775CD48355AE00815974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.564{72106695-B5B3-63D3-3804-00000000BD02}33005648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B3-63D3-3804-00000000BD02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5B3-63D3-3804-00000000BD02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.345{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B3-63D3-3804-00000000BD02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:55.346{72106695-B5B3-63D3-3804-00000000BD02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000341982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.975{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B417FA29E61B3625B3126068FE5B84D2,SHA256=3DFCCFB867EACEC0FC9120E08A9A196AE17670DCF573A510BFD2DE68EE1268F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:53.954{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52779-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:56.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE081723CD9B82B367FEE1951B49C3EF,SHA256=9735B3A19936A513A3BF574F1261A2C71698CE7A9E300B9438C656760FBC89C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000341981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.733{72106695-B5B4-63D3-3A04-00000000BD02}24605148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000341980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:54.266{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51084-false10.0.1.12-8000- 10341000x8000000000000000341979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B4-63D3-3A04-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5B4-63D3-3A04-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.570{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B4-63D3-3A04-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:56.571{72106695-B5B4-63D3-3A04-00000000BD02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.309{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CFA7630AF61E7AC2D28F1C7003E2B7,SHA256=CDFE88B0D8B0E3691FB54E499343F1BBCB4DA72E8D7E86EE0FA494CD79E23E87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.855{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000342018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.756{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=467141BCD44611DCE200C235216D6C79,SHA256=8F7D8A32B35BD3E1495CC6B0B2332016788312F639079C488E8441F59CB76E14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.730{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.663{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.647{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.647{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.631{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.631{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.631{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.631{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B85-63D3-1400-00000000BD02}10323544C:\Windows\system32\svchost.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.585{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.569{72106695-B106-63D3-2B03-00000000BD02}9645340C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000341991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.571{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\asyncrat\loader\" -an -ai#7zMap15037:188:7zEvent5285C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000341990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5B5-63D3-3B04-00000000BD02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5B5-63D3-3B04-00000000BD02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000341984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5B5-63D3-3B04-00000000BD02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000341983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:57.241{72106695-B5B5-63D3-3B04-00000000BD02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000449631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:58.578{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:58.578{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:58.392{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE070B72F838AF67F7B5624FA683240,SHA256=D80817B9A2968FD94A791A090A50811A58ABE447EC6A03EE1F207A8BC611A83C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:58.733{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:58.733{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:58.732{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000342025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:58.153{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD97FD21239E320D1034E65B18D622F,SHA256=08CEA013F2A2BF13AFE4D97439ADCA94E43956B33405A3FD8DC3E6DA0462BEBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.281{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52781-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x8000000000000000449655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.281{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52781-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x8000000000000000449654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.280{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52780-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x8000000000000000449653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.280{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52780-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x8000000000000000449652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.614{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC381C767612251632C7A6E56B67D6B,SHA256=6A5E57E9AA3028831A64F648CAACDAD987B39CF6834E67108AEE7D5523CFF252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.578{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.565{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.548{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.545{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.502{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.473{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F764B1E805D91F61864F922FC03A8D,SHA256=C3E0973110B0247CBCBFA9A97B3DEEF9A883D68FEB4A5C7D83C86A55E105F9F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.470{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.462{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.410{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000342029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:59.264{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0FFFF51097DCBDEBD48B053BED619F,SHA256=2C00512F69B3C5D84483F29BAC5166EAD80B6FBC39489F0EB03FF1A8B67B1884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.344{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.299{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.296{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000449664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.282{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52782-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.282{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52782-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000449662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.512{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E065B88460764E741B85D683F3AE7,SHA256=F4699707E5CD069EB35B840181015BF5DE1617CCDA0E720A87FDBCF540EE6474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.846{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.845{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.841{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.824{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.819{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.806{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.783{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.726{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.718{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.703{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.696{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.695{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.692{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.689{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.685{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.680{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.679{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.675{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.674{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.672{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.668{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.662{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.650{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.643{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.634{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.629{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.607{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.569{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.567{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.545{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000342046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.514{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D6B35382F331A7F90964CBF4EA27609,SHA256=D7B5DF7AEEDEE5C518C1B094016E318B07DD3292711C60993645DC9440ADA9AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.502{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.491{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.473{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.451{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.425{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.418{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.410{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.393{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.371{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000342036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.353{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63734126838B194E93C9247539B30108,SHA256=AA7AE9CA4FEBFEA21E60619BBB4D2D2451D45F9803EF3D1E90DE4B06E03BE30F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.350{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.341{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000449661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.126{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.123{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.121{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.119{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:00.117{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000342033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.202{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=90ECB7A3F35F51F537F0E46039B8F242,SHA256=662E683A475F72C43B23AF932350DC1AEC56CC710C4159AB4CA9A8C56B6EC645,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.017{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.017{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:00.017{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5B5-63D3-3C04-00000000BD02}1584C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000342079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:29:59.449{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51085-false10.0.1.12-8000- 23542300x8000000000000000342078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:01.572{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203F5D941FE1344F545FB1FFD2839F33,SHA256=4539632A3DA2DC114808CF84A67C5BA6315FB6317E5262730B9B8C6DCB22B5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.290{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52783-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:57.290{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52783-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000449665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:01.590{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAC25C0A26FDD1AF23C70BE51602312,SHA256=7D67615A5AA34A7A027AE431F71E45D96D21FBCD54052597B9C36E1F8EDA6392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:01.220{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-108MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.832{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.810{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.807{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.796{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.737{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.728{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000449681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:29:59.833{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.713{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.705{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.701{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.694{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.691{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.689{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.687{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8542BD667787BEC0508C9324338020,SHA256=8B808D583CDC2E9FDFD5E386B3F5E949C1D48C94278BC3FE29C8FEBDBD767F7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.685{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000342081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:02.715{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371CE91656F4B372A7F7E65BBCD62DE0,SHA256=EE092139325849FB2D80830F193F7CA055A2F1BE5DA0A08419D5DA11F1A26D8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:02.222{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.179{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.179{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.177{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:02.158{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 12241200x8000000000000000342083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-DeleteValue2023-01-27 11:30:03.895{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x8000000000000000342082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:03.801{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C2BFE00C1F495D5DD0C8443DF47EB3,SHA256=4C74402C8BE638B923C0A7E142B926AACAD87EF2610A6A9B22DCBCB759DA30EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:03.348{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:04.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B28C24F08A88DDB6957738370E0598,SHA256=82C4D0BBC4E452382E172412F944F4168C8A6DFC88AB1300399257230C91AEAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:04.160{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AF3A7AA6AA78B16CBB8AE6698BFAAB,SHA256=8FB60E6F61C50DB5C09B8FEEF9BBBED8B0C22EAAC624AA77B6AE00F6E905CD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:05.322{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BC20690546FC42AFEBDE30934C6A4B,SHA256=EA87784038CFF815C4EA5ADFAA8B289989A09AB687339AD2525E33836FFFDF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:06.408{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92225B7D00E472DDCC8A4871FE466643,SHA256=89B29D232733E47A50D40639878F38B193A7190A5DC350284A31477F5D78C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:06.088{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0388FF8A622EE0DBB42E976692A3CD4A,SHA256=C9D6D2ACC1408C27C2D1417CD877552CAAAFA90B43C35F18553C3424576378F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:07.499{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF99D1093309DA80A5B20CDCBA19417,SHA256=6C87BC690F8F5255E21680F67C6D708A4D2EDEBEDA31CBB8A91D9449AB0290ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:05.301{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51086-false10.0.1.12-8000- 23542300x8000000000000000342086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:07.288{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595585A948A1162B7D8576FAA69B268,SHA256=B08D4C68BF517C660F36FF690DAEBF74746F4FD87631820642184BE482B69517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:05.825{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52785-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:08.617{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8132C0A817DF2D437EC925860FF5751A,SHA256=3C2CC1BC36079E3C961AE9317291FEABC7984CA5D22FC584A0272B0F551C6956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:08.381{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B2EB3A110B709D43F3ADA3668B533,SHA256=6FDA093BBDE79DAA0ABE96815578FA60A61939821445122E264ED0CBFFC3CB0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:09.672{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A76CB0F66C71F798DDA65978F60DD7,SHA256=16B548DFABDFB696905A39C069C386795BFB473B13E28B65C744C73D40F84977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:09.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999707451936D3481E499E68B8BCE565,SHA256=FCF8D4CAECD1A7278B9718257867CC447136D516559EEDA00CF6F3480B54395F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:09.034{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F54784E7BD17F014BF9F3CCA1C66B7C5,SHA256=12462B525F12EA6C11B0446738DC24C1FBB27096FBE5A469516F2C1A29990369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:10.745{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288965A84F31923C41D230DA817E625,SHA256=D4023ED392EFFF43C7BD79ACFA07A2F192EE74450E52DCCD89A7AF3B490E5279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:10.556{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1635D9C3E4C573DE5B8609DEE34ACE17,SHA256=ECA9BE84D4A14E7AE1BEE966F873B8A03E3F9757C9EF6528A4DF8BD666049D71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:11.816{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4D47DF23107F00989BEEF9AE768764,SHA256=B611C55C330FCC5CD1E13DF4C2262F52CCFD7A664CD7CA52FA1733CFDDAF322C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.970{72106695-B403-63D3-B103-00000000BD02}60922860C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+47ede|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+50827|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4fb68|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.955{72106695-B403-63D3-B103-00000000BD02}60922860C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5cbc9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5de97|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17da6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c3e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c74c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b0eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2c058|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2bd43|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+943f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1311e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+20cf5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9482|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8de7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.955{72106695-B403-63D3-B103-00000000BD02}60922860C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+3f53c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1909b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18604|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19eeb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c3c3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c74c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b0eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2c058|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2bd43|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+943f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1311e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+20cf5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9482|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8de7|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc 10341000x8000000000000000342106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.939{72106695-B403-63D3-B103-00000000BD02}60922860C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+94f8|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+88fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.939{72106695-B403-63D3-B103-00000000BD02}60922860C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8130|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7d07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.923{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000342103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:30:11.908{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEBinary Data 10341000x8000000000000000342102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.892{72106695-9B85-63D3-1200-00000000BD02}10004264C:\Windows\System32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.892{72106695-9B85-63D3-1200-00000000BD02}10004264C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.876{72106695-B106-63D3-2B03-00000000BD02}9643776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.855{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.15601.20456Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Temp\asyncrat\loader\asyncrat.doc" /o ""C:\Temp\asyncrat\loader\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=9C8E266B670CAAB8E2960F10827E60CD,SHA256=D2E821116801AC66409200516449B8476ED8496A7B85EAAA07AB51DD1B62323D,IMPHASH=EF259630987458939F79CE186A332DEB{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 13241300x8000000000000000342093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:30:11.845{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFFBinary Data 23542300x8000000000000000342092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:11.642{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D319278511DBA6E27D2ABA8FB1CB341,SHA256=013604BB08EE46197E46EE1EE07A8A87CC5AD2A04A676436DB17FF3949C8A875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:12.934{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354E791DA4DFC6193026654E1303D7D1,SHA256=E4755826B0F81CF39B7615BEE2C3C76D5869A2B81545CD1695144CA351B59C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF840FBD1A21FF137078AAD0392A349D,SHA256=CD5B44C5E3DA4FACEEF1E20259AF5B992750380A50A4980CB3FA6EB9B805CF9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.726{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C56A414E6DF93F34CD446C3C7EFFD0,SHA256=714E6739FC3C2801A8735C7F9247BC961CB7A453C85C17383E6B7CA3E1DC47ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.605{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.605{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.604{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000342111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.048{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\loader.lnk2023-01-27 11:30:12.048 11241100x8000000000000000342110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:12.017{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\asyncrat.doc.lnk2023-01-27 11:30:12.017 10341000x8000000000000000342143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.916{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.916{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.916{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000342140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.853{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD4AEB02FEFB07F85E245F953048E71,SHA256=6201AF66B4CD2CEF47925113A7D654841499BC9BE1E2D1E2B698E1A444801542,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.837{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.837{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.837{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.837{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000342135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\CommandLineSafeDWORD (0x00000000) 13241300x8000000000000000342134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\DescriptionThe Add-in allows Microsoft Access to integrate with and enable automated scenarios around Data Collection and Publishing around user created Access solutions 13241300x8000000000000000342133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\FriendlyNameMicrosoft Access Outlook Add-in for Data Collection and Publishing 13241300x8000000000000000342132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\LoadBehaviorDWORD (0x00000002) 13241300x8000000000000000342131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesService\FriendlyNameOneNote Notes about Word Documents 13241300x8000000000000000342130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:30:13.775{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesService\FriendlyNameOneNote Notes about PowerPoint Presentations 13241300x8000000000000000342129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1176SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButtonYes 13241300x8000000000000000342128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\CommandLineSafeDWORD (0x00000000) 13241300x8000000000000000342127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\DescriptionThe Add-in allows Microsoft SharePoint Server to import colleague suggestions based on your Outlook content 13241300x8000000000000000342126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\FriendlyNameMicrosoft SharePoint Server Colleague Import Add-in 13241300x8000000000000000342125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1137SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\LoadBehaviorDWORD (0x00000003) 13241300x8000000000000000342124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500_Classes\ocsmeet_auto_file\shell\open\command\(Default)"C:\Program Files\Microsoft Office\root\Office16\lync.exe" "%%1" 13241300x8000000000000000342123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1042SetValue2023-01-27 11:30:13.759{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500_Classes\ocsmeet_auto_file\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\root\Office16\lync.exe" "%%1" 13241300x8000000000000000342122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212Context,DeviceConntectedOrUpdatedSetValue2023-01-27 11:30:13.744{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\FriendlyNameMicrosoft Power Pivot for Excel 354300x8000000000000000449726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:10.830{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000342121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.712{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.712{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.697{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.697{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000342117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:10.501{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51087-false10.0.1.12-8000- 10341000x8000000000000000342167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.925{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.925{72106695-9B84-63D3-0A00-00000000BD02}6201144C:\Windows\system32\services.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.925{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.865{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB00287DB4C36FF0BF3CEC06B395AEB,SHA256=A30DE4C5532D04AC0CCCF8F5CC7BE3FE99674956CBA8289310D66AB350E692B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.815{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.815{72106695-9B84-63D3-0A00-00000000BD02}6202468C:\Windows\system32\services.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:14.025{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1305E0995727545B1304A6F9C988F937,SHA256=59B4B33D5EFDB10392BA4DC7F56F6B3512A5BF27F0D41583D3C2FD1012D38596,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.742{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.742{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.742{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.661{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D490CE277ED4A31FF8E2C427669FD751,SHA256=0C58A515AD6972049F2F0B7E7626EB91CF6B62E3C97D74D1933A17F64CA6A4AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.333{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.333{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.333{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.318{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.318{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.237{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.193{72106695-9B85-63D3-1400-00000000BD02}10321808C:\Windows\system32\svchost.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+8d212|C:\Windows\system32\wbem\wmiprvsd.dll+8dfd1|C:\Windows\system32\wbem\wmiprvsd.dll+3b42f|C:\Windows\system32\wbem\wmiprvsd.dll+d4be|C:\Windows\system32\wbem\wbemcore.dll+2af3f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.193{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.193{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.193{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.135{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.100{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.990{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.990{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000342179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.007{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51091-false52.109.8.44-443https 354300x8000000000000000342178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.965{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51090-false184.31.205.109a184-31-205-109.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.963{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51089-false52.113.194.132-443https 354300x8000000000000000342176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.603{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51088-false52.109.2.151-443https 23542300x8000000000000000342175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FC7992126320DDFE2ADEDF7077C27138,SHA256=3F6FB8985A2B1DAA24C7FC68F493C903FD7355990C183BEFEB01B06416C73120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.937{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779C01F0FF2F00AD59FF67B30DCE4C4E,SHA256=A54A5586F819141A629EBE2BB409A1F6C88CBAB4E0D6249593CC1261481F7587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.415{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49191- 354300x8000000000000000449731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.406{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56193- 354300x8000000000000000449730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.400{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64802- 354300x8000000000000000449729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:12.968{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52506- 23542300x8000000000000000449728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:15.124{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75ACEADF5C576089E0522FA3AD40DCCA,SHA256=65598881430645894A9BDBADACA3162D55D8C02B108D4245843C1E1B268449E5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000342173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:30:15.689{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CurrentSkuIdAggregationForApp\Publisher{3AD61E22-E4FE-497F-BDB1-3E51BD872173} 10341000x8000000000000000342172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.637{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.637{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.522{72106695-B5C6-63D3-3E04-00000000BD02}39161848C:\Windows\system32\sppsvc.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\KERNELBASE.dll+2c44d|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7b183|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+538bc|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x8000000000000000342169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.522{72106695-B5C6-63D3-3E04-00000000BD02}39161848C:\Windows\system32\sppsvc.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\KERNELBASE.dll+2c44d|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7b183|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+538bc|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:15.034{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1ED02ABF.wmfMD5=C4E6B3035AC3828D375E5479E8485D0D,SHA256=591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:14.226{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63383- 354300x8000000000000000449737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.956{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60306- 354300x8000000000000000449736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.739{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58020- 354300x8000000000000000449735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:13.630{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60239- 23542300x8000000000000000449734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:16.272{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F04A59788F4F1BEC6FBD1CFF12D7B044,SHA256=39DEBCD3478718108F73929298EE64AEF75B8AC63C8ABF29DE6B6FEC59124C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:16.241{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED806833B3F6E5F304722AF100C4859,SHA256=1D0F0F90C2CE33B4A3FA68F878F740601C98D4DBB1D045ACAF36B721CAC212B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.881{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.866{72106695-B106-63D3-2B03-00000000BD02}9644764C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.866{72106695-B106-63D3-2B03-00000000BD02}9644764C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.758{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.758{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.294{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26bca|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.294{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B5C6-63D3-3E04-00000000BD02}3916C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000342184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.523{72106695-B5C3-63D3-3D04-00000000BD02}4200www.mediafire.com0::ffff:104.16.54.48;::ffff:104.16.53.48;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x8000000000000000342183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.961{72106695-B5C3-63D3-3D04-00000000BD02}4200support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e12627.g.akamaiedge.net;::ffff:184.31.205.109;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x8000000000000000342182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:13.957{72106695-B5C3-63D3-3D04-00000000BD02}4200ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x8000000000000000342181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.200{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A824C79CB968D0AF24B7282BBEA80110,SHA256=B49FADE9395D0A0FB2C189525F5A4C83960D190C9D327B19BDC97214C603EAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.031{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A9AA4225.wmfMD5=C4E6B3035AC3828D375E5479E8485D0D,SHA256=591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:14.667{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59038- 354300x8000000000000000449742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:14.667{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50025- 354300x8000000000000000449741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:14.667{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59338- 23542300x8000000000000000449740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:17.340{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81633D6426CDA97D7DA7C9ED36957AF0,SHA256=5328E2DB532902CAD05980C9808104FC8C3739CC068516C5ADEBC66760CB863F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:17.324{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F70D84B4DAEE4A8639E5657BD8A77822,SHA256=702C8FD1FFF09812B9983A7AF1120900EB33B1F7BD8F5BA26301BE5D8A36A4B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:17.442{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:17.442{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:17.442{72106695-9B84-63D3-0C00-00000000BD02}7323180C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:17.037{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F066BCDF8B42608892C90F3CD022843,SHA256=EC083BE5206D3E20D38933755D611BE65925D6CC881FAF95DDCB205C9870D81E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.298{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51093-false72.21.91.29-80http 354300x8000000000000000342192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.226{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51092-false52.109.8.84-443https 23542300x8000000000000000449744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:18.418{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5C17DBC7B52C8EBAC745F33618229A,SHA256=D5CDBB2A885908423EA3321A87CEE59E51CBA2DCBEFFE61FCADF40187371EB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:18.129{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3813D9880031FABEE115A43060CF0D,SHA256=0B6329AEBD470568D14863459978551C1F5D0B6AC2BDD0EE76E8C1AA8F7851C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.787{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51096-false172.64.155.188-80http 354300x8000000000000000342199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.750{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51095-false104.16.54.48-443https 354300x8000000000000000342198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:14.528{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51094-false104.16.54.48-443https 10341000x8000000000000000449766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.684{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.663{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.642{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.640{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.635{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.568{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.531{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.509{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000449755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.483{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444C634EFB47C0E855FA49BA117206C,SHA256=671718A599667920CE30C79DCFC82D1BAEF6762EA5682F41B3E7C6D74D4A2330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.456{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.443{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000342205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:19.254{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journalMD5=75890FF4B11A583DE3C4189239243C4B,SHA256=CBE388683AA85478B9D71B65AF995ADA7E9F58B2C06117DFDC51D82A4912DCE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:19.239{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journalMD5=AB40D0A0B6B89CB389CCF045EB999F95,SHA256=AFC1CD66F6C58241F004936DEE19753176C655EEB33B6367C0013BED8A4E4F90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:19.103{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2919D42EFB0358FE1077A35F3E2F7,SHA256=461D9A879783F7DB148081E0A35614A5E277AB6A253063FA424C6EE48D40BDA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:16.361{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51097-false10.0.1.12-8000- 10341000x8000000000000000449751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.388{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.376{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.304{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000449746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:19.301{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-108MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:15.673{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58501- 23542300x8000000000000000449776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.500{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32F8D296CF04DB3BB33B1678760A2C7,SHA256=BE162B207F6A4FD59917B6E705114DCDF04359449A19210DF7445FF907C5F486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.470{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000342248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.825{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.814{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.813{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.811{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.790{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.786{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.771{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.746{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.697{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.687{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.666{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.659{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.657{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.654{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.643{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.634{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.628{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.626{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.622{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.620{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.614{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.611{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.607{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.597{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.589{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.580{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.577{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.566{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.544{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.542{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.530{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.473{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.458{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.448{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.435{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.394{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.366{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.354{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.354{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000342207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.347{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000342206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:20.183{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D121A9A62506F0E51334623E72F77310,SHA256=E03216C3274477A27613C1072CB9353136D45A28B3EB9BCDE3CDEDCE28CAFF16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:20.299{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:16.688{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54037- 354300x8000000000000000449768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:16.688{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A53167- 354300x8000000000000000449767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:15.904{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52787-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000342249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:21.698{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D4389457449C52CA1478C654D422A6,SHA256=5A21C2155255D286416ACCF6DF216E3C06604B96FEB4B50C66673CE2A7E4C9B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:21.601{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCAEE1389E94AAE0EAAF7686648FE89,SHA256=750C9BEBF55A30AF9D524A59997ABF8A0302137E21158DE830F7923141591C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637F67AA3A8316B80DCF022D37DBDFA9,SHA256=577AC4213E3C6E533F4608CA8262090E1D13B0C1ED6EE8BA60CEDF7C29BA9B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:22.863{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A98AFABDF62FABA8A170EA17378622,SHA256=E3C0756216B8ADF10EA0F6565211ECDCD383CCA0068EA481959384B51ECA2FE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.548{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.545{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.535{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:22.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000449798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.752{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF396BE12F05EFC1CA21C4DAF41A2095,SHA256=E303DAE41846371B5A28635C055CEC4B45926F6F7B4694D431D0467E6714DAA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.197{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.163{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.158{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.145{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.133{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.079{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.073{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.071{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.065{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.060{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.059{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 10341000x8000000000000000449784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.055{45AAC21C-9B96-63D3-3000-00000000BC02}28483472C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C39150) 23542300x8000000000000000342253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:23.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5AD240C10D844A9D4DA78785AFF89FBA,SHA256=6F9AFD670DBAC3381A26A8A7645CFECB839E5594A126761853C56ACF6AD5379F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:21.420{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51098-false10.0.1.12-8000- 10341000x8000000000000000342251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:23.147{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:24.834{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE58C6FED1D0F952F6DB3740002D645D,SHA256=431DD6A64F5D2DF91987D5C94C53F61A752C256EBEFB2A290124A4427F6C790D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:24.155{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:24.049{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3474B11162628EAD29E161597B1368,SHA256=E0E1EB75468BD1BEDCA2CB373A9A19F8AA1CCC2D29EAA7AED5A70EDD3ED3525A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:25.916{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB5C2BDF4601C1B970CCF54126948BC,SHA256=4A17529BE3B8039A8FE9EF2651F1674A17D978F9B4E4FE71DB02DADDD1ADF98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:25.145{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31C3D4A7D3DD1A6F985760E1B2BF28D,SHA256=E8F92FE44B0773FC9BD1AB366467E96557ABD1380927F595A15FCE0BB1941BCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:21.831{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:26.987{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5261A27053AD739009E089ACE3D7C54D,SHA256=276E97A32759B2E7ECB87939718AF1D4094A58D2AD32402216C031B3F5B43767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:26.260{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCD73199C6BB676D24354007DDA3F89,SHA256=FBDFC4BBACE56BC3F79E86B61199B00CFC1C594C2B4A8900BE5B2D691B6DDA52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:23.198{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52848- 354300x8000000000000000342259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:23.968{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51099-false104.46.162.226-443https 23542300x8000000000000000342258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:27.326{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1209E595344AA332D7922CD37FB5E980,SHA256=D28B36E7AD4E5C6F0FC5E9444B7A9814EA2E4E1EAAF308D327B7692084C7CF5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:28.517{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68FA620F6DE5253430679739016F24E,SHA256=2AE8FCF06D34067B903AB8121C76ED44C52E04B22114BD4DD6EA4F0CCFD71F9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:28.070{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52604D3FEE690543D645EAF9576A9EA,SHA256=1E5EE51D0A443D60E65D2EE2635001E40EDCB8B846DA50DF1AEC2FA268ACDE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:28.093{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0C2335FF95BF2838CF6B8220C4DC59FF,SHA256=B0E525446058D8DF63A479D7E49E63BD81E8E40F473046CC25933B8E020B6950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:29.701{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142250CF548174A423AFD2C5D6087920,SHA256=ED20FD5798ED2EC85FF9C7B399FCC2D00E1836BCA3A7706684CE33B872FFAD79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:26.055{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54602- 23542300x8000000000000000449805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:29.162{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF803554E7A2611BA62B818DBB354047,SHA256=7C99BA80C22B6510B06F215F68AE662AA0259AEA32F04F5E7DE9AC9B1CC6AA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:30.790{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D18B8A064B824C1D4EC1AE5A79889E,SHA256=1FC240240990C28CD7E7C1913D834E01B79107ACC8A5A1744B36166C194EB30D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:27.752{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52789-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:30.241{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D99B95DCA8FB447A08BA3021AAFD65C,SHA256=5682CB1AB5024C298962F78884547A25559091A8624520AFF8B783DBF76AB715,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:27.433{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51100-false10.0.1.12-8000- 23542300x8000000000000000342265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:31.876{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12609A9373EF43336F971B7FB0BDFEF,SHA256=C3D20CFF9B321E3C61183B189546C4435B9B467E940BF9C0F63879C6D1690C74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:31.308{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96AF2B79BAEDED86479F86CDC8F60C29,SHA256=58601BC32AD53A68FC617F83717EA4516D101BDDB9ABE033DEC3B28F0DF500AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:32.957{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B53BECD8715CC1FA3DF5E8D0BC8BE64,SHA256=EBF312DE1178E491AB704576F4A1CB14B97CC8D7863F136846681921D437618D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:32.402{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A4FD2A523AB07423382E8A6E01CA52,SHA256=801A9660D54DF19B9C0503E5A3B9E8FA3C445D074DF336866B3C3D5B3D75A086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:33.981{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:33.586{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA06C9C1DBD4AFC864554430112EAB,SHA256=3A0E6DE52E5067D99999F9D6688D2FB16824E75FB22914EA2B812B0D6F105F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:34.668{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B081392BCD62B1E0F7056221F9C197,SHA256=3C49C57900ED34A00728D6D272C421EDE060AE28E1771D3C8D98B39999928B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:34.043{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5391E85E286BBE121A1761819CCDB73B,SHA256=D7DDCBB50B2E7F2221A08926F4E79AA59E38CD3E3AF72CAE7BD249B1C99150D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:34.277{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:35.758{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEA41940A1EFF7273176B80377B29A3,SHA256=C95BAA961D4D02D1C6B155692684CD597222655FFC3024AF023018BE7465C05A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:33.456{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51101-false10.0.1.12-8000- 23542300x8000000000000000342269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:35.245{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DD6B59E0E45904735CECE174C8AE26,SHA256=6BD08E5F86C5D7A533F4CF2308103C1C75C8114D7DCF5499E1CAAF9FED90279F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:35.601{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:35.601{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:35.601{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000449817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:32.961{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52791-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000449816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:32.761{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52790-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000449815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:32.059{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local138netbios-dgm 354300x8000000000000000449814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:32.059{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000449822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:36.834{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06859624796B865D25C65CDCA1CE8DA8,SHA256=B38D98541DA558743D611DE53AB40B290AD825E4FADBF0882067200EC06AF71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.506{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015F114A9821C990D5F7C0722465782D,SHA256=A16E817285FF415920FB817886595424C109461AF19C0A0E65492FA17741DDEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:36.010{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:37.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F988390E4BDE9B6F5798CB375E9F0EC,SHA256=F780EFE4C16B16C3D25A657AB7D142F5321598A2A40F41C2C2E15D079D567415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:37.533{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C97322206124CD7DFA969519B4A7833,SHA256=0952AC77DB77802ACA96295EF76EE7AE15BAC17D44342350C623C6427C655574,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:38.949{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:38.628{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23D39CA72AFB158D642669C5A65625C,SHA256=C4CFA7101C191CED23F52D274EFAABB42EA1443886CBC24DE4FDECFE02A19594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:39.722{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F14F3B981B910EAFD7869F2C4EC8658,SHA256=41AFD548353B4DC50EABBC70A7D64E1058219DD5BAEF7B5001E80E0780E9FA8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.704{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.681{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.670{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.665{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.660{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.657{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.614{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.603{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.570{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.539{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.440{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.425{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.330{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.323{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000449824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:39.027{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C6AE4A202060CE543196FB9CE1FF9,SHA256=BFC9E74F3EB77D04BB96CD1D00A682EDD9847CDB5C3A01EE7635BEEEB6D04BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.931{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2E51530D9D90EF76A64A3B500AE5C4,SHA256=2C00270774E8FB0A5EC4115FC7F6D32020760027B3D11DAD0C7F12949E2CA84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.888{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.865{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.862{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.858{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000449849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.349{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.343{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000449844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:40.047{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FB0B81AB6A3BF2E11447EAD38C1A27,SHA256=8D9E7AAF2DB492090CF58499BE0EA6F49F77C939FCF40AE81E0055F65637BE96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.815{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x8000000000000000342342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:38.816{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-56186-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 354300x8000000000000000342341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:38.194{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51102-false10.0.1.12-8089- 10341000x8000000000000000342340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.798{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.755{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.713{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.663{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.655{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.638{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.632{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.629{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.626{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.622{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.620{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.615{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.613{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.610{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.608{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.601{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.599{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.597{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.587{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.580{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.575{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.572{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.560{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.538{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.535{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.524{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.481{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.473{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.462{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.422{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.381{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.376{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.368{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.358{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.349{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.340{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000342304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:40.338{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x8000000000000000449851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:37.915{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:41.113{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BB4D2F30135F44A7C10019D97882F4,SHA256=0C463065C1F039C7BAA93CF76714B7932766983CA71E19E459E58F8FA7A89637,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:39.447{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51103-false10.0.1.12-8000- 23542300x8000000000000000342349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:42.059{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5840EDB6C0C97A6F34E8D3458845151,SHA256=40FCE4922953A6F051A0F791166F53180C7C8ED8E1EAE175FDCE829BDE45B3E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.991{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.980{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.969{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.945{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.930{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.924{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.921{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.914{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.913{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.910{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.394{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.393{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.383{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000449853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:42.278{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBD234DCEB4E2D9057C40DBCA4BBE18,SHA256=FBEB1C4171189994DB28204F405D7BF602B2FD9447420DF937250DF319AEC21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:43.357{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B2EF6971F0284DEA6C3435B1FDC47D,SHA256=697BF3BD22E1460A0E1E82E257C22B585EE11677768E5104A1C3E3EACDEB01BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:43.341{45AAC21C-9B85-63D3-0D00-00000000BC02}8924856C:\Windows\system32\svchost.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:43.248{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE3F957C333E8A6B197A7480D55D422,SHA256=E9B687D5C22B3D88E99E37309403BBD8842310B64C50F76D2A9F9948A039F1AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:43.012{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000449875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:44.569{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C8A9246BC8966624FD51CBBA09198B,SHA256=37FCD82888DDA312992CE8F336316D0F4704CBDEAC17CFC5D35C8584C204726F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:44.343{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58B7155D11849C17F07127131398996,SHA256=B8CC552E6EF7D8AA76F7F497CEA10646ACA89960370B60622C8E3B6B4A609423,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:45.648{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCC2AFFFC70F33C71CB6098F9D4CD82,SHA256=27AA6B894F5A7D55B812AFACEEBB51A00F298C375EA83B29356FB52E30EE54A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5E5-63D3-F403-00000000BC02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B5E5-63D3-F403-00000000BC02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.853{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5E5-63D3-F403-00000000BC02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.854{45AAC21C-B5E5-63D3-F403-00000000BC02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:45.654{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD56D7A2DB3A7120F15DAF5EB1ED81D,SHA256=B2C5B8871D065F1A01883FA8999BDACF301A057A9FAC3C0538885ADB33D3A9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:45.308{72106695-B5C6-63D3-3E04-00000000BD02}3916NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=6B806FB0A65D8F592D189BF38AEB70DC,SHA256=BA997BE53FC964823D430EA7F8A2ABE64513B61D2BCA95E0B088CEE3F21D3E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:46.735{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64845C298B0D5D7918F1AF86D56C7357,SHA256=48BEC0B92ADCC46FEADB1DF7F7F9249221BE7C499D8230D2F35D4AE42AA11F54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.838{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EAB6BC2E688C61DC81E0CD11981F06,SHA256=1E5A056F35D61CC087407053C4C2B542C67276AFF38B9A1438F3739712B06B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000449894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.807{45AAC21C-B5E6-63D3-F503-00000000BC02}39043780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5E6-63D3-F503-00000000BC02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B5E6-63D3-F503-00000000BC02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.526{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5E6-63D3-F503-00000000BC02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.527{45AAC21C-B5E6-63D3-F503-00000000BC02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.245{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8A1311D52E490F5EF50C672220ED6548,SHA256=7B62F38F9C7129F74969247A20BE4BA9A51BA81B4BA3B965850A65561A6701C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000449907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.925{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370A0D5CF7B7023E83B9CC90A48EEFF,SHA256=5C77546C477CD2A7CDAFA72DDFB08E88A0636B5CA458EA3A9D8CA5226D025828,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:45.420{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51104-false10.0.1.12-8000- 23542300x8000000000000000342356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:47.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E456997E0032FF02D9F473C0C674906,SHA256=1AD0B867758EC3E61B2909BE2A3F5EE2C45DBF03218EA4443BEA7385AE5A8EE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.697{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=43AC313EFA686F91000C3B98427752A7,SHA256=8CA0E9F3177024EDE33B095FFA788BD8565DCBF816073E18722654124DAAB173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000449905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:43.737{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000449904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5E7-63D3-F603-00000000BC02}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B5E7-63D3-F603-00000000BC02}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.024{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5E7-63D3-F603-00000000BC02}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.025{45AAC21C-B5E7-63D3-F603-00000000BC02}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:47.008{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11FFD8BD51127636C1FE0E7C054EB874,SHA256=FBE553670C437579BC0FD27AE52D88E966F35F178E01C354F6A1E1543AF78000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:48.916{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C998A1A742EF706327BD8A88FF0CB52,SHA256=AD4270F313E28A445296266C963FA20F56D8D37D34171127C496D145583F7241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:48.551{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B303DE8ACB903B6658F81A3F4359563,SHA256=D8017B97811FAA1C2A2A4E2AC7085E7BE43F2BF70C1F0C169C0585EBBEF1E6AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.994{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E99D19E2.pngMD5=5AD0F041B46D24B99EBAAC256ABE639A,SHA256=E604F965FF2AA4395ED3618570114BF55071E8BE0E46432531A5F0C06E94A4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5E9-63D3-F803-00000000BC02}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B5E9-63D3-F803-00000000BC02}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.904{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5E9-63D3-F803-00000000BC02}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.905{45AAC21C-B5E9-63D3-F803-00000000BC02}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000449922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.451{45AAC21C-B5E9-63D3-F703-00000000BC02}21924564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.277{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.277{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.277{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000449918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.234{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.235{45AAC21C-B5E9-63D3-F703-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000449910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.334{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000449909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:46.334{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000449908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:49.019{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1412069B75337D75466DE9F1272D34E8,SHA256=91F4C23EA256136C31164BC46F8867757CDC6CC5EB063A565AF1C076532CD46D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.931{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e50|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000342383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\asyncrat.doc.LNK2023-01-27 11:30:49.853 23542300x8000000000000000342382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\asyncrat.doc.LNKMD5=2353FC5415B7A82F571906EF041A3B15,SHA256=EF13470977113851AFEF394380B600B228FD5253DE523DCB1107B79C030E761D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd832|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.915{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+140a0a|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.884{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.884{72106695-B5C3-63D3-3D04-00000000BD02}42002356C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+3dd820|C:\Windows\System32\windows.storage.dll+3daeeb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a48d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229fbe|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229e29|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+229db1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000342370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.853{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\asyncrat.doc.LNK2023-01-27 11:30:49.853 10341000x8000000000000000342369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.822{72106695-B106-63D3-2B03-00000000BD02}9644660C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\windows.storage.dll+3c8b3e|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.822{72106695-B106-63D3-2B03-00000000BD02}9644660C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\windows.storage.dll+3cbc7e|C:\Windows\System32\windows.storage.dll+3c796f|C:\Windows\System32\windows.storage.dll+3c8ab0|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.822{72106695-B5C3-63D3-3D04-00000000BD02}42004328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+3c9208|C:\Windows\System32\windows.storage.dll+3cd7df|C:\Windows\System32\windows.storage.dll+3cdd38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a6e8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a5c9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.822{72106695-B5C3-63D3-3D04-00000000BD02}42004328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c91ec|C:\Windows\System32\windows.storage.dll+3cd7df|C:\Windows\System32\windows.storage.dll+3cdd38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a6e8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a5c9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.822{72106695-B5C3-63D3-3D04-00000000BD02}42004328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c91ec|C:\Windows\System32\windows.storage.dll+3cd7df|C:\Windows\System32\windows.storage.dll+3cdd38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a6e8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+22a5c9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+72b6c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15932d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+d132c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cf7a5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+9fbb6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.254{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.129{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.129{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.129{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.119{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B4FC1DA8800D3BE1015B24EDAD9CD098,SHA256=2AD18FBBC932116994300572C2F0B3094BE6BE92F9DED9CA92BCCA22E4229CEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.869{45AAC21C-B5EA-63D3-F903-00000000BC02}46921320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5EA-63D3-F903-00000000BC02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B5EA-63D3-F903-00000000BC02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.572{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5EA-63D3-F903-00000000BC02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.573{45AAC21C-B5EA-63D3-F903-00000000BC02}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000449932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.123{45AAC21C-B5E9-63D3-F803-00000000BC02}54801928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.123{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C7C97E6AB44D133D48BEA2C7F76898,SHA256=795836134C492153FE08629C04B7361D46058AC3536164B7D9B4E59227208699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.763{72106695-B5C3-63D3-3D04-00000000BD02}42004756C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+139203|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1391a2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+76292|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+75a4f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+7d5ce|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+11ebec|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+12b6|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1612|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.763{72106695-B5C3-63D3-3D04-00000000BD02}42004756C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+139203|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1391a2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+76292|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+75a4f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+7d5ce|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+11ebec|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+12b6|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1612|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.286{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEE9E8A55A832BA87D1B26C1C8185BA,SHA256=E20FFEA225B7B847A77DC315A074C460CFF0BA0A7D8AE7F0119AAA2E42923CA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B5EB-63D3-FA03-00000000BC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B5EB-63D3-FA03-00000000BC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000449944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.527{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B5EB-63D3-FA03-00000000BC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000449943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.528{45AAC21C-B5EB-63D3-FA03-00000000BC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.351{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73A754C0A13A69692FA32D309CE7BA2,SHA256=573EE759FF10F046E6AF96D5A958AF22D3B35DCCD30EDB4E5B7EE48065E1A3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.074{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51106-false104.16.54.48-443https 354300x8000000000000000342397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:49.468{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51105-false23.45.146.25a23-45-146-25.deploy.static.akamaitechnologies.com443https 23542300x8000000000000000342396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:51.028{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2686410773810835069A781EAD2B3A77,SHA256=02E34EEC412BE939A0BAE951B3C54325C8B5246A13E50C971332009B582A7AED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000449952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:52.542{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D65365A8ECC7C8E6E74A1A5FBD7C1,SHA256=431215A2BEE8430213A825F4940375F9360207EBFCDA4CD54E3A276628674C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.977{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51108-false204.79.197.203a-0003.a-msedge.net80http 354300x8000000000000000342400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.915{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51107-false52.111.230.3-443https 23542300x8000000000000000342399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:52.205{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF8CA1514FDAEE88CCEA0EFD33F190C,SHA256=818EAD6AA9F7768DC4EE248C545DC766F9C28CEFCC11CD1F02D8A200D9FA3C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:48.897{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60687- 23542300x8000000000000000449957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:53.625{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AC8DD3179EEE1D6E8D81119D295F96,SHA256=7BEA1DA4CAA48D350494760DE7734E2A63FD8461CF97529411EEA9E34F9217ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:51.376{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51110-false10.0.1.12-8000- 354300x8000000000000000342419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:51.178{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51109-false52.111.230.3-443https 10341000x8000000000000000342418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.716{72106695-B5ED-63D3-3F04-00000000BD02}52406020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.639{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.639{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.637{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.636{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.635{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.635{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.505{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.489{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.490{72106695-B5ED-63D3-3F04-00000000BD02}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.395{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F479EBF78A49D65581AFD264FC82975,SHA256=DB6E086834F3A2232CBCB8D132E7E40D6C786238ED3221258AE20A619DF4E0E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x8000000000000000342402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:50.904{72106695-B5C3-63D3-3D04-00000000BD02}4200augloop.office.com0type: 5 augloop-prod.trafficmanager.net;type: 5 augloop-prod-pd02.eastus2.cloudapp.azure.com;::ffff:52.111.230.3;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 354300x8000000000000000449956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.599{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58102- 354300x8000000000000000449955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.412{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55616- 354300x8000000000000000449954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:50.323{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64736- 354300x8000000000000000449953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:48.943{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000449960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:54.712{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E915E1299E1A710569AAA08DB77269EA,SHA256=84F11CEFAD74C1415B073A78CCD173619C08BECDCFE59F1AEBD0BD30728E3AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.980{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47CE14DE7DF77A642E3DA665249CABC,SHA256=6CA2493A826D531E4B06C143DFF852923FA19A71F2BB39ABB4EF362769CAD225,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.980{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8A1311D52E490F5EF50C672220ED6548,SHA256=7B62F38F9C7129F74969247A20BE4BA9A51BA81B4BA3B965850A65561A6701C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.980{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CD57FDDF30268406CECC91A1075C72F,SHA256=C842ED43896833217E4CB9F78BEBC03A9F150FDA857D278023BDE4D636E54EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5EE-63D3-4104-00000000BD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B5EE-63D3-4104-00000000BD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.839{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5EE-63D3-4104-00000000BD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.840{72106695-B5EE-63D3-4104-00000000BD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000342430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.385{72106695-B5EE-63D3-4004-00000000BD02}5692920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000449959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.603{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60508- 354300x8000000000000000449958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:51.603{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A53158- 10341000x8000000000000000342429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5EE-63D3-4004-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5EE-63D3-4004-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.165{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5EE-63D3-4004-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.168{72106695-B5EE-63D3-4004-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000342421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:54.108{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:55.787{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16538E07527F3EC277E216B38FFD6230,SHA256=BCC9DFEE8E9F4D1B7D7E4D6938705B8B6AC69742CB218BBB64C333F15939A033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5EF-63D3-4304-00000000BD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B5EF-63D3-4304-00000000BD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.966{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5EF-63D3-4304-00000000BD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.967{72106695-B5EF-63D3-4304-00000000BD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.460{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038C2C0D2A14545A4A6CE8B6A38ACD39,SHA256=E3A8BD18440EF60F4B8A297D900CAFC0EB38BD61F61667B4A9966C592C795B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5EF-63D3-4204-00000000BD02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B5EF-63D3-4204-00000000BD02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.335{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5EF-63D3-4204-00000000BD02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:55.337{72106695-B5EF-63D3-4204-00000000BD02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000449963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:56.876{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062CA12897549C51D9495B4EB23D175C,SHA256=808B2612642455D8D8BD00E587C7DEC9B1918D345AEF024C13EC2E0571493E46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.899{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.751{72106695-B5F0-63D3-4404-00000000BD02}50201064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.541{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5F0-63D3-4404-00000000BD02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.539{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1F854AFB62E0482A9895BFA93D8D40,SHA256=F80C8C2644E455ADD7CE6285E1240D0035408A790008C868CD81A816ADD6A862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.537{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.537{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.537{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.536{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.536{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B5F0-63D3-4404-00000000BD02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.536{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5F0-63D3-4404-00000000BD02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.536{72106695-B5F0-63D3-4404-00000000BD02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000449962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:53.367{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58923- 10341000x8000000000000000342459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.129{72106695-B5EF-63D3-4304-00000000BD02}50485016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:57.957{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231C8FFEE3190EDE0C3473754721D8BF,SHA256=433D88EF0B51797ACC5A012339FEABC4669D1EA16C70C6B677652D335C356FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.613{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483762FB498F5397B7CA40A05BBD09E3,SHA256=E885D4587CF47FB3D834D5CDA66106199B00613521D4F60D4398F4B8E64DC8D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:54.931{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000342479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B5F1-63D3-4504-00000000BD02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B5F1-63D3-4504-00000000BD02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.097{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B5F1-63D3-4504-00000000BD02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:57.098{72106695-B5F1-63D3-4504-00000000BD02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000342471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:53.935{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51111-false52.109.6.44-443https 23542300x8000000000000000342483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:58.680{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B34890DB7353337DF4DCC0B17514235,SHA256=049FB79A7945F10D96DFFA7E707895C23CCB30738BAC198AEA2ED1891F29F770,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000449966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:55.674{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49242- 10341000x8000000000000000342482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:58.592{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:58.369{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=60B3D60BF679C66128F6F4704894FE9B,SHA256=2572BD77D99BE0B0C21A5BDFB01A38C52DCCDFB93BC1216A02F42DD2B5F07B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.764{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD885BCCC0757823FEA6CF3F1CCA0C3,SHA256=C304F0EFA5E42AB934E412BECC46C1BF341074C4B585B85F8CC421AAB4A00116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.662{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.637{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.619{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.616{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.613{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.608{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.569{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.548{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.521{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.481{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.437{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.421{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.393{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.381{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.044{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041F877176E3EC9B7395F5C66F703AC7,SHA256=384F1C5EA1B9115135D5C78F998B0A1A47CA8AD432313056BE8732238EAC2D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.530{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000342493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.530{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000342492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.530{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000342491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.530{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 23542300x8000000000000000342490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.530{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF674b5c.TMPMD5=4FCB2A3EE025E4A10D21E1B154873FE2,SHA256=90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.499{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000342488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.499{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000342487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.499{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f 10341000x8000000000000000342486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:59.499{72106695-B5C3-63D3-3D04-00000000BD02}42006036C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 354300x8000000000000000342485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:30:56.416{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51112-false10.0.1.12-8000- 13241300x8000000000000000342484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:30:59.049{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CurrentSkuIdAggregationForApp\Publisher{3AD61E22-E4FE-497F-BDB1-3E51BD872173}, 23542300x8000000000000000342540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.973{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318AD1D2287BA45C11046E5A8BCAEE53,SHA256=25494C51CC7B11C0FC3F6BEFB3B56C1F96FBECD6D3F5B4F8BD93BB71FF4430A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000449992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.386{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.384{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.381{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.082{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A0421E46D8C833AA1CABE93256CDF0,SHA256=95CE1097431B4FC151C837ED658DFEEE728AB31573B4CB2CE8C6AC8B82AB0830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.714{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.708{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.708{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.707{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.697{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.694{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.685{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.674{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.648{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.636{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.626{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.621{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.620{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.615{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.610{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.602{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.593{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.591{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.589{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.589{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.588{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.586{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.585{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.568{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.564{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.557{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.556{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.538{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.507{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.505{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.493{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.446{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.432{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.423{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.415{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.397{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.392{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.382{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.365{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.356{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.341{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.334{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000342497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.242{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.242{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000342542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDB-PubSetValue2023-01-27 11:31:01.083{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LastKnownC2RProductReleaseId\PublisherO365ProPlusRetail 10341000x8000000000000000342541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:01.083{72106695-B106-63D3-2B03-00000000BD02}9644776C:\Windows\Explorer.EXE{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000449993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:01.137{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421A5F451CF0723DE7479D81A2A3214E,SHA256=BE7F696E211A6475C9B9CD3DF07BE370503FE978F7B97F026C76DF2CB52E5F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.736{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-109MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.402{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51113-false52.109.16.68-443https 23542300x8000000000000000342543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.028{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A71F5F4E9F8C1B4F02D65B55783850,SHA256=4D186F002CE9E774964D85D2F435543B92876CF881036C1F838D92D369A83499,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.998{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.986{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.982{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.980{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.979{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.976{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000450000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:30:59.816{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62407- 10341000x8000000000000000449999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.460{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.457{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000449995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.433{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000449994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.214{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD04FF7DF35C40932D115BDF6C41206,SHA256=5A62C8F3F5257405E28DD3B1ACD6E37663CF378550D6A3A5EBFC769A34085657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.748{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3545DFEC8806DEA48CFA6BCC2E68A2,SHA256=6757BACC421ABCD6289FDDC3B8A38368E543BE810018A535C9C2FEB61B4A29B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.543{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5AA4.tmpMD5=749C3615E54C8E6875518CFD84E5A1B2,SHA256=F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.540{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5AA5.tmpMD5=8867BDF5FC754DA9DA6F5BA341334595,SHA256=42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.514{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A8D.tmpMD5=BEB12A0464D096CA33BAEA4352CE800F,SHA256=A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.501{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5ADC.tmp\Content.infMD5=55BA5B2974A072B131249FD9FD42EB91,SHA256=13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.500{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5ADB.tmp\content.infMD5=0FEA64606C519B78B7A52639FEA11492,SHA256=60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.491{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5AA0.tmpMD5=53C5F45B22E133B28D4BD3B5A350FDBD,SHA256=8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.488{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A8C.tmpMD5=F256ACA509B4C6C0144D278C7036B0A8,SHA256=AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.483{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5AA3.tmpMD5=828F96031F40BF8EBCB5E52AAEEB7E4C,SHA256=640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.478{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A7C.tmpMD5=9C9F49A47222C18025CC25575337A965,SHA256=ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.463{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AB7.tmp\content.infMD5=8D1E1991838307E4C2197ECB5BA9FA79,SHA256=4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.447{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AD9.tmp\content.infMD5=06B3DDEFF905F75FA5FA5C5B70DCB938,SHA256=72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.447{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AA6.tmp\content.infMD5=AA7B919B21FD42C457948DE1E2988CB3,SHA256=5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.447{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5ADA.tmp\content.infMD5=5402138088A9CF0993C08A0CA81287B8,SHA256=5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.447{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AC7.tmp\content.infMD5=C9812793A4E94320C49C7CA054EE6AA4,SHA256=A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.447{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5AA2.tmpMD5=D4EAC009E9E7B64B8B001AE82B8102FA,SHA256=8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.432{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A67.tmpMD5=E1101CCA6E3FEDB28B57AF4C41B50D37,SHA256=69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.432{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AC8.tmp\content.infMD5=1C5D58A5ED3B40486BC22B254D17D1DD,SHA256=EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.400{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A66.tmpMD5=BF95E967E7D1CEC8EFE426BC0127D3DE,SHA256=4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.400{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A54.tmpMD5=E29CE2663A56A1444EAA3732FFB82940,SHA256=3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.385{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5AA1.tmp\content.infMD5=CD465E8DA15E26569897213CA9F6BC9C,SHA256=D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.385{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A8F.tmp\content.infMD5=40FF521ED2BA1B015F17F0B0E5D95068,SHA256=CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.385{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A68.tmpMD5=93FA9F779520AB2D22AC4EA864B7BB34,SHA256=6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.385{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A56.tmpMD5=F93364EEC6C4FFA5768DE545A2C34F07,SHA256=296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.369{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A7B.tmp\content.infMD5=327DA4A5C757C0F1449976BE82653129,SHA256=341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.369{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A8E.tmp\content.infMD5=960E28B1E0AB3522A8A8558C02694ECF,SHA256=2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.369{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A43.tmpMD5=26BEAB9CCEAFE4FBF0B7C0362681A9D2,SHA256=217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.359{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A7A.tmp\content.infMD5=BD6B5A98CA4E6C5DBA57C5AD167EDD00,SHA256=F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.343{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A69.tmp\content.infMD5=35AFE8D8724F3E19EB08274906926A0B,SHA256=97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.343{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A10.tmpMD5=1C12315C862A745A647DAD546EB4267E,SHA256=4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.335{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59FC.tmpMD5=65828DC7BE8BA1CE61AD7142252ACC54,SHA256=849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000450016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:00.889{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55570- 23542300x8000000000000000450015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A28FE4FFC7CD0AB72BD423C4EDD1E75,SHA256=9D905005583FEB5905683D0E3E00F46AFF2B0522282CC6A5504642F2288CA36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.331{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5A0D.tmpMD5=21A4B7B71631C2CCDA5FBBA63751F0D2,SHA256=AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.328{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A42.tmp\content.infMD5=7956D2B60E2A254A07D46BCA07D0EFF0,SHA256=C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.324{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A22.tmp\content.infMD5=23D59577F4AE6C6D1527A1B8CDB9AB19,SHA256=9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.324{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A55.tmp\Content.infMD5=0F98498818DC28E82597356E2650773C,SHA256=4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.299{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59EA.tmpMD5=84D8F3848E7424CBE3801F9570E05018,SHA256=B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.292{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A21.tmp\content.infMD5=76340C3F8A0BFCEDAB48B08C57D9B559,SHA256=78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.289{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59EB.tmpMD5=9A07035EF802BF89F6ED254D0DB02AB0,SHA256=6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.282{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A0F.tmp\content.infMD5=133D126F0DE2CC4B29ECE38194983265,SHA256=08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.280{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59FB.tmpMD5=21437897C9B88AC2CB2BB2FEF922D191,SHA256=372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.270{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59C0.tmpMD5=EE0129C7CC1AC92BBC3D6CB0F653FCAE,SHA256=345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.270{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5A0E.tmp\content.infMD5=71CCB69AF8DD9821F463270FB8CBB285,SHA256=8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.264{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59C2.tmpMD5=E532038762503FFA1371DF03FA2E222D,SHA256=5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.264{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59BF.tmpMD5=8B29FAB506FD65C21C9CD6FE6BBBC146,SHA256=773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.264{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59BE.tmpMD5=D30AD26DBB6DECA4FDD294F48EDAD55D,SHA256=6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.264{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5951.tmpMD5=748A53C6BDD5CE97BD54A76C7A334286,SHA256=9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.260{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59C3.tmpMD5=97F5B7B7E9E1281999468A5C42CB12E7,SHA256=1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.252{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab594E.tmpMD5=0EBC45AA0E67CC435D0745438371F948,SHA256=3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.251{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59C1.tmpMD5=B9A6FF715719EE9DE16421AB983CA745,SHA256=E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.248{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab59BD.tmpMD5=EF9CB8BDFBC08F03BEF519AD66BA642F,SHA256=93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.240{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59D5.tmp\Content.infMD5=6C489D45F3B56845E68BE07EA804C698,SHA256=3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.240{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59E8.tmp\Content.infMD5=3D52060B74D7D448DC733FFE5B92CB52,SHA256=BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.234{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59E7.tmp\Content.infMD5=6F8FE7B05855C203F6DEC5C31885DD08,SHA256=B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.233{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab58FE.tmpMD5=92A819D434A8AAEA2C65F0CC2F33BB3A,SHA256=5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.232{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59E9.tmp\Content.infMD5=2240CF2315F2EB448CEA6E9CE21B5AC5,SHA256=0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.232{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59E6.tmp\Content.infMD5=63E8B0621B5DEFE1EF17F02EFBFC2436,SHA256=9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.229{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59D4.tmp\Content.infMD5=A6B2731ECC78E7CED9ED5408AB4F2931,SHA256=6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.229{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5929.tmpMD5=53EE9DA49D0B84357038ECF376838D2E,SHA256=9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.228{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59D3.tmp\Content.infMD5=16711B951E1130126E240A6E4CC2E382,SHA256=855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.223{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5952.tmpMD5=C47E3430AF813DF8B02E1CB4829DD94B,SHA256=F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.223{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5923.tmpMD5=89A9818E6658D73A73B642522FF8701F,SHA256=F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.222{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5922.tmpMD5=69EDB3BF81C99FE8A94BBA03408C5AE1,SHA256=CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.222{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5927.tmpMD5=62863124CDCDA135ECC0E722782CB888,SHA256=23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.222{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5925.tmpMD5=ABBF10CEE9480E41D81277E9538F98CB,SHA256=557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.222{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5924.tmpMD5=51804E255C573176039F4D5B55C12AB2,SHA256=3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.222{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5953.tmpMD5=486CBCB223B873132FFAF4B8AD0AD044,SHA256=B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.215{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab58FD.tmpMD5=91AADBEC4171CFA8292B618492F5EF34,SHA256=7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.215{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab58FF.tmpMD5=C455C4BC4BEC9E0DA67C4D1E53E46D5A,SHA256=40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.215{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5950.tmpMD5=66C5199CF4FB18BD4F9F3F2CCB074007,SHA256=4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.215{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B3.tmp\content.infMD5=5728F26DF04D174DE9BDFF51D0668E2A,SHA256=979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.215{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B4.tmp\content.infMD5=487E25E610F3FC2EEA27AB54324EA8F6,SHA256=022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.208{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab592A.tmpMD5=6D787B1E223DB6B91B69238062CCA872,SHA256=DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.208{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B0.tmp\Content.infMD5=C15EB3F4306EBF75D1E7C3C9382DEECC,SHA256=23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.207{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B9.tmp\Content.infMD5=8D9B02CC69FA40564E6C781A9CC9E626,SHA256=1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.207{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59BC.tmp\Content.infMD5=C3216C3FC73A4B3FFFE7ED67153AB7B5,SHA256=7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.205{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B2.tmp\Content.infMD5=877A8A960B2140E3A0A2752550959DB9,SHA256=FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.205{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59AD.tmp\Content.infMD5=D04EC08EFE18D1611BDB9A5EC0CC00B1,SHA256=FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.204{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59AC.tmp\Content.infMD5=4A9A2E8DB82C90608C96008A5B6160EF,SHA256=4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.204{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B5.tmp\Content.infMD5=1309D172F10DD53911779C89A06BBF65,SHA256=C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.201{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B7.tmp\Content.infMD5=D79B5DE6D93AC06005761D88783B3EE6,SHA256=96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.201{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59AE.tmp\Content.infMD5=2F7A8FE4E5046175500AFFA228F99576,SHA256=1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.201{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5999.tmp\Content.infMD5=149948E41627BE5DC454558E12AF2DA4,SHA256=1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.201{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59BA.tmp\Content.infMD5=E8B30D1070779CC14FBE93C8F5CF65BE,SHA256=2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.201{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59AF.tmp\Content.infMD5=69757AF3677EA8D80A2FBE44DEE7B9E4,SHA256=0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.198{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5921.tmpMD5=F10DF902980F1D5BEEA96B2C668408A7,SHA256=E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.196{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab58FC.tmpMD5=205AF51604EF96EF1E8E60212541F742,SHA256=DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.195{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5998.tmp\Content.infMD5=F25AC64EC63FA98D9E37782E2E49D6E6,SHA256=834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.194{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab594C.tmpMD5=E3C64173B2F4AA7AB72E1396A9514BD8,SHA256=16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.191{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab592B.tmpMD5=4EFA48EC307EAF2F9B346A073C67FCFB,SHA256=3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.188{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab594D.tmpMD5=7C645EC505982FE529D0E5035B378FFC,SHA256=298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.188{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59BB.tmp\Content.infMD5=A0D51783BFEE86F3AC46A810404B6796,SHA256=47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.186{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD599A.tmp\Content.infMD5=9B8D7EFE8A69E41CDC2439C38FE59FAF,SHA256=70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.185{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab594F.tmpMD5=7BF88B3CA20EB71ED453A3361908E010,SHA256=E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.184{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B1.tmp\Content.infMD5=1A314B08BB9194A41E3794EF54017811,SHA256=9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.183{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B6.tmp\Content.infMD5=4DD225E2A305B50AF39084CE568B8110,SHA256=6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.182{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59B8.tmp\Content.infMD5=C1B36A0547FB75445957A619201143AC,SHA256=4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.181{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD59AB.tmp\Content.infMD5=52BD0762F3DC77334807DDFC60D5F304,SHA256=30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.176{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5926.tmpMD5=1D6F8E73A0662A48D332090A4C8C898F,SHA256=8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.172{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5997.tmp\Content.infMD5=4EC6724CBBA516CF202A6BD17226D02C,SHA256=18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.172{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5911.tmpMD5=D3C9036E4E1159E832B1B4D2E9D42BF0,SHA256=434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.167{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5977.tmp\Content.infMD5=9C00979164E78E3B890E56BE2DF00666,SHA256=21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.148{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab593C.tmpMD5=F913DD84915753042D856CEC4E5DABA5,SHA256=AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.147{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5910.tmpMD5=DA3380458170E60CBEA72602FDD0D955,SHA256=6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.146{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cab5928.tmpMD5=E033CCBC7BA787A2F824CE0952E57D44,SHA256=D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.146{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5976.tmp\Content.infMD5=923D406B2170497AD4832F0AD3403168,SHA256=EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.144{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5974.tmp\Content.infMD5=93149E194021B37162FD86684ED22401,SHA256=50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.144{72106695-B5C3-63D3-3D04-00000000BD02}4200WIN-HOST-CTUS-A\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCD5975.tmp\Content.infMD5=333BA58FCE326DEA1E4A9DE67475AA95,SHA256=66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:03.132{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B42548042193036FDC57DADE841E4E,SHA256=D0827AED0529EE74785857FB8187B8A99BD10EFA5EE30DFD7892ABC32B7FA529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.084{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.061{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.058{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.050{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.041{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.014{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:03.008{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000450020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:01.653{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61917- 354300x8000000000000000450019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:01.545{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49567- 23542300x8000000000000000450018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:04.366{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A3C839B8C49FA85EF6395ECF0EC85,SHA256=3713109BB5FD4F2AF71608B66674CEBCC6A2EB6FF9B7FF6D59C41CFA2366E90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:04.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E4892627210C9C9B7A6317558B9044,SHA256=8DD35C2950E6E9B5068D0FE367D71120B7EAA06E80987D74850735C90534D40A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.271{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51139-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.270{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51138-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.267{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51137-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.234{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51136-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.234{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51135-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.230{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51133-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.229{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51134-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.229{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51126-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51129-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51128-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51132-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51127-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51130-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.228{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51124-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.227{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51131-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.227{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51123-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.227{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51125-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.226{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51122-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.224{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51121-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.224{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51120-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.224{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51118-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.224{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51119-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.223{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51117-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.223{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51116-false23.33.22.152a23-33-22-152.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.114{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51115-false23.213.203.88a23-213-203-88.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:01.515{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51114-false10.0.1.12-8000- 22542200x8000000000000000342657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.217{72106695-B5C3-63D3-3D04-00000000BD02}4200binaries.templates.cdn.office.net0type: 5 binaries.templates.cdn.office.net.edgesuite.net;type: 5 a1847.dscg2.akamai.net;::ffff:23.33.22.152;::ffff:23.33.22.141;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x8000000000000000342656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:02.111{72106695-B5C3-63D3-3D04-00000000BD02}4200metadata.templates.cdn.office.net0type: 5 templatesmetadata.office.net;type: 5 templatesmetadata.office.net.edgekey.net;type: 5 e26769.b.akamaiedge.net;::ffff:23.213.203.88;::ffff:23.213.203.25;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x8000000000000000342655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:00.390{72106695-B5C3-63D3-3D04-00000000BD02}4200messaging.lifecycle.office.com0type: 5 prod-custommessage.omexexternallfb.office.net.akadns.net;::ffff:52.109.16.68;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x8000000000000000450023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:05.562{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BB11DFC0C70C5BE8D8D58058B1B809,SHA256=2BEC1C500FF980F8633A423F054ED328BBECC605CD2138CF99CA83F3C525415B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.898{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63774- 354300x8000000000000000450021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:02.898{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54270- 23542300x8000000000000000342685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:05.321{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F77E934895D2505127452256799264,SHA256=194F326017B596F490452AA33FBCB6A24994E9396969596584A2A2E49EF7A7CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:06.638{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF8FCB044130DF0AFE9B881FC313F9,SHA256=3CCAAFCEAD0ECB8D95D1534501D801739B86CC506B68FAC7AA76C9459D870A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.422{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2105020C4E696BEC1B1F1A99CFA1686C,SHA256=0A447A2ABA4115DC22A936509AC505F049BF90E8A45D28E25FC225A833035408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:07.730{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EB29E774CB1AC72AAC1AEC4FF26297,SHA256=C60762A24542AB4F566133C26ED3D4DB0EA1E7A065606F5F0928535E0048754B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:07.496{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA824F29CF6F3D78DB16E27037F17E71,SHA256=FC5BB406B289019D02A79C1F06CDF8532FC83DA30630DEDFE1CA2F826D1A4440,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:08.815{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE84FA4E2DACA63BF7BF529DA216598,SHA256=49FC8023D63BE9B32C0322625492A21468BC754B0550B4C2F2A75512E13E3B02,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000342693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.106{72106695-B5C3-63D3-3D04-00000000BD02}4200uci.cdn.office.net0type: 5 uci.cdn.office.net.edgekey.net;type: 5 e1324.dscd.akamaiedge.net;::ffff:23.2.72.43;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x8000000000000000342692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:08.688{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901A9D18EF196E28A594E5C041968D73,SHA256=E278B2FD9CE128EC9E884EDBE235A80B73FB902DF50BC1AA8E835D9BE780394F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:05.551{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A53998- 354300x8000000000000000342691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.294{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51143-false23.2.72.43a23-2-72-43.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.292{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51142-false23.2.72.43a23-2-72-43.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.224{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51141-false23.2.72.43a23-2-72-43.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:06.111{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51140-false23.2.72.43a23-2-72-43.deploy.static.akamaitechnologies.com443https 23542300x8000000000000000450030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:09.875{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F8DC1B0B4E24A9CA75C2C282E96FD5,SHA256=322EC9AE17F0536F7CC1A7D561C3D86B16CE2935310C803D14C348EA9CF2570F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:09.777{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAE30A5AA7E026F2427649859BB4086,SHA256=BDA42F52A0D60150D6FCE41896E89587608D9FFF9CCF01CA7220AFB634351A23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:06.937{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49315- 354300x8000000000000000450028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:06.773{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52798-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:10.965{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8EA2CBA705B3A8F3A0A79D8B967FAB,SHA256=EDA1A5A354A8ABCA5B4CBB8D764AE446B819CE62D9C981A60A7A6B38C51C68A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:10.861{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A33DCFA6DBAAB82587252BF613007F,SHA256=B64A99660EA56692EE72DFE6E073AF3E2196FC389FA71C2E11A0E7FEA6357ED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:07.452{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51144-false10.0.1.12-8000- 23542300x8000000000000000342697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:11.936{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D285C5C2FB77A6574A2B5708E5E675,SHA256=123B867B25A51961987C576D4CB9745524A84E0845B55E0E96B5265094CD0B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:09.688{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50310- 354300x8000000000000000450033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:09.686{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56284- 23542300x8000000000000000450032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:12.148{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEDA4439B312A812BDE1C0349498B3B,SHA256=8DE52A485E3819412FFEDC3EEAE34437939E99D25C9019EDFD9640506F1FF6B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:12.151{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:13.230{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6ABFAEFC621C715F7F1BFA4EFC9CDF,SHA256=9653EF0296182B88434C0628A4EB8C855CBB273EFD226BBAB0D69AEC8CC2F8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:13.031{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4067AC3B94616A5FED9F392B75882,SHA256=A2C83CE078273F521D5AA5F7F86880731A0AEEEF138372B3C6A8BDD9BDE53AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:11.945{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:14.308{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36A3C2CC1AC637CBC943AC9B66C9372,SHA256=D3AAF374B6CE8EE090A9CDB41456DF73B70941AB35C0473ACCBDD125CE4A843F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:14.758{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000342701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:12.514{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51145-false10.0.1.12-8000- 23542300x8000000000000000342700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:14.123{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EB2898EDCEA4B889102E7C035951C0,SHA256=7890AF400EA64F0A20AE5E4A83140E057FA2E551AD0545E5D58CBC78DD6E7E2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:15.386{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C1AACB5E9F1B871BC952BF5234AFB5,SHA256=E1AC1B9AA7FCA3595B7E9B48520E6EE12B70FD7AC438220135EBC69453DDC5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:15.426{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F167E9BCB8D6CDA8118374A0E6BDC04,SHA256=9E410BF506C0A4E8009C8F9487C2A597F2C1A8317977743C24D54C715E314720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000342713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000342712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067896e) 13241300x8000000000000000342711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0x7bb2d8c3) 13241300x8000000000000000342710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0xdd7740c3) 13241300x8000000000000000342709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324b-0x3f3ba8c3) 13241300x8000000000000000342708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000342707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067896e) 13241300x8000000000000000342706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0x7bb2d8c3) 13241300x8000000000000000342705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93242-0xdd7740c3) 13241300x8000000000000000342704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:31:15.410{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324b-0x3f3ba8c3) 23542300x8000000000000000342703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:15.301{72106695-B5C6-63D3-3E04-00000000BD02}3916NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=551D1F97F31B5CD643EB5BDD6622F737,SHA256=590854E7B8B04A0631C0D8FFABACD845F35D457399AD119BFBDC457422FFEEC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:16.517{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2665CE0CE6893D9A13573EFBA914030,SHA256=5C1B034DE0D7C583015E52DF448C48B7819C4452CF3319D03D2C2A156E79D052,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:16.589{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA42451EBA78649DBDB8DF28378E0EE,SHA256=103F94B56B1053C3A3340F0E5201ABE7A2DBC8B4A513880A20C951FF62EA086E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:16.277{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8C6DA65F377516B8EEAB66B01C09A546,SHA256=1428CFAF85C8ED7D0EA1AA37C257C68C6191B61D4A4C75BD67D9B8837F8F1A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:16.283{72106695-B5C6-63D3-3E04-00000000BD02}3916NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=7BA58957CD401DC362B25624E2DFA150,SHA256=CE1B8C2B2C4C586391DAE776DD35F96AB00F25A058CF534885B00FFE3DEBE9F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:16.205{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7CDDDDA163D61AEC5FFE73C232355B24,SHA256=6F29C991CACB282B5355DA867BA16898BDFD4528B7E8AF8B46D5A22FED8DBAFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:17.720{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C13210E16BF584AEFC7547A83F961B,SHA256=AE709AF8911154D8AEFBEF1C89062EE09A813FD31C053B95A75F93B6EAD9B89D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:17.913{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=96A83F895676672C66EFD5B94FBA830A,SHA256=906C7D4C1B083BC2270489AFD5DF7261F79D4BC54083007C4DAA14564C34FD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:17.804{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E17BBA294A83D473DAE5F819A681C9,SHA256=817277586E85FA6A534E2C87A0CDE96CBCEB235EC3669CA9C3A45D21867E0EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:18.800{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987736EFF77CB985FFC30B5D9022950F,SHA256=BA4ADB6E973A51477ECF1CB4B75113EFC5D706B2912D629335BBD37E0F959FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:18.993{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAEBC598C4F179565C2BC9B32DA4D43,SHA256=682F14AB4A8899E881D36A31EA5785F74BED0F34BABD75AEA3FEFB48A07471D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.562{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.529{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.513{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.502{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.500{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.449{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.435{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.428{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.418{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.405{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.396{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.354{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:19.298{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000342765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.783{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.777{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.776{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.773{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.762{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.758{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.746{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.723{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.679{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.671{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.656{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.638{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.626{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.624{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.620{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.617{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.613{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.613{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.610{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.609{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.608{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.607{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.601{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.592{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.583{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.566{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.564{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.552{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.535{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.532{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.518{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.472{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.465{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.446{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.438{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.420{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.420{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.420{72106695-9B84-63D3-0B00-00000000BD02}6285764C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.418{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.399{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.392{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.375{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.363{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.358{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000342721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:20.352{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000342720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:19.999{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA99A1E03B01230FADD7C9F0E7C1716,SHA256=CB887553ABE39932BC3AAD234B3D98882E21A7FA24E3B49D29C2EA173A8565B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.817{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-109MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.183{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.178{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.176{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.175{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:20.034{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4456C4FB3342D864C309B5410DDEC97E,SHA256=7985F50DD65845140C6776290AE08808AFCF20EFCC862C16CE046DDDA8C24446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:18.476{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51146-false10.0.1.12-8000- 23542300x8000000000000000342766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:21.435{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01EAE8B3DFD828605EF56E5FAE02F6E,SHA256=BF7B7C7787D8EC751FFB6ADB1398CB35D7DC96C66C2C4BAD0710700674EA8FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:21.819{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:21.090{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E18E1027BE8964B8DAD3FCD20D8FC4,SHA256=C5692E03B233B450CC1C2293EFB35BFD78A73077978A65F281BD98EE3D273FB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:17.912{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52800-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000342808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000342807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000342806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000342804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.801{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.718{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000342800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.718{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000342799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.717{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.717{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000342797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.715{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.715{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.633{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000342794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.633{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000342793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.631{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.630{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000342791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.630{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.617{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.617{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.617{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.513{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000342786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.513{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000342785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.513{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000342784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.513{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000342783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.481{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C5E444936F6342058B9FDFA3008282,SHA256=5D0D81DB14E90991C12A21C761FA4D35532E9D4A762080C74412F797FE1A864E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.466{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.872{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.841{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.837{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.823{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.809{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.775{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.765{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.760{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.758{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.755{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.753{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.752{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.749{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.235{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.233{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.221{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.214{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.203{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45C7768CF13B1EAAB594A05AA56EAB9,SHA256=61720B5B4FEA66A9CEBF3F8ED36C6B7A5D8C0FA689692F7AE282C6DDC370CD53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0A00-00000000BD02}6201144C:\Windows\system32\services.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0A00-00000000BD02}6202468C:\Windows\system32\services.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.163{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe10.0.14393.5582 (rs1_release.221130-1719)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smphostC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{72106695-9B85-63D3-E403-000000000000}0x3e40SystemMD5=83557C9B0E94FCB9D5181D928563991C,SHA256=11FAEB577FAF552BE4FF2275195CD0B3471228EE56C25D38DE5261BF87DF48BA,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000342773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.157{72106695-9B84-63D3-0B00-00000000BD02}6285764C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.083{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.083{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:22.083{72106695-9B84-63D3-0B00-00000000BD02}6285764C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.978{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.900{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78034A27CF979C5B7F94D82FC739F837,SHA256=A20120268A58045661A98B7630CD12415A4A536D445468F92F2166A008174B8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.681{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C7327DBD2372A58E2D9D93E202FF5F,SHA256=7B1C47D0607337608AB0A4EF243ABA6933691C489FC008FF53661FCDB3ECE4A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:23.450{45AAC21C-9B83-63D3-0B00-00000000BC02}6323604C:\Windows\system32\lsass.exe{45AAC21C-9B80-63D3-0100-00000000BC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+7ec7e|C:\Windows\system32\lsass.exe+38f4|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:23.294{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B8BC970EFF9D173FDFF7FA1DC8B9C6,SHA256=6C482F7BC19FA24A1D4B0DCAE98AF126FA69267D3984CA715AA50786C21BEB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.250{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B233CA33FFF6AE81986E8772330AB531,SHA256=08104D60BDBD351584105CE36B646754B971B43840C366221ACE8E03835E9BA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.177{72106695-9B85-63D3-1400-00000000BD02}10325860C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+5660c|C:\Windows\system32\wbem\wmiprvsd.dll+88d34|C:\Windows\system32\wbem\wbemcore.dll+c1ee|C:\Windows\system32\wbem\wbemcore.dll+313d|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.177{72106695-9B85-63D3-1400-00000000BD02}10325860C:\Windows\system32\svchost.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+5660c|C:\Windows\system32\wbem\wmiprvsd.dll+88d34|C:\Windows\system32\wbem\wbemcore.dll+c1ee|C:\Windows\system32\wbem\wbemcore.dll+313d|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:23.148{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.769{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082B61CB12EEEAD316061405F1E4788B,SHA256=9F027D36A57F7886B301E8E2AACD3673A42C2939E7A12AF5C30E3409F14ECA09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:21.873{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-53374-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000450096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:24.533{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FDE68E102904DB583DF8C59C4CEC4F,SHA256=C551864B753CA710A2B87C963F15076E10BE07050D1AAB8C5D26DFBFF91A4306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:24.377{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDEEC7E08D52BEEF37A1E74912C70D6,SHA256=8AD3C5C36D6C28EF63124D7122640B0A837FBC05532DA73E7B0A50AA201ACFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.665{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E90E505D14031D5B0FD0068CFCBB0DA6,SHA256=4E3D5ED093E29956EEC0E09507EDF2B405AB0E954097CC772ACD107D1EB94474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.161{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.161{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000342816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.161{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000342822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:25.843{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58524D6EE2014085FB668C04C254DDD2,SHA256=C34BE1C3A42FB1B80A5FE3E22123D64CF8A952083DC67921CBEE167F2CE2A9BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:25.453{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0B2BF874EB6E19C41AD63FE590845F,SHA256=A01FA3B1F276A7D772D383131832A84E1653174FB28071224D5CCD1D80717079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:22.152{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse64.62.197.218scan-43g.shadowserver.org43295-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local5986- 23542300x8000000000000000450099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:26.650{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96B7FAE9561D4314E216F0F26B7E021,SHA256=A09ABBB6553BB73AA9C88585D2AEAA652DAA0386BA2A1E8DD1B40E862F001468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:24.295{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51147-false10.0.1.12-8000- 23542300x8000000000000000450101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:27.729{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47686657942883C6F6B563E2E959F01,SHA256=70C9BE68F8CC017CC0E19FA2FFEBF826F362A0F3C28D5B8F77EFEA8D271A7A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:27.537{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=89D1EDB43DECDC8F2AEC2731DB7F81FC,SHA256=BA8ABE9F2ED4791FA89022D945FF9C7FD6CBF4FADF7F1E26592E4AE0774CCE81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:27.027{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763DE93E2816CB12C34677B4F4789539,SHA256=044C24D2B2B6BE529E957DFBE0665C7F281628C01A003193A65F66CE8F550A17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:23.654{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53668- 23542300x8000000000000000450103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:28.805{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D427290B15573E233F6C47CDCF4D83EB,SHA256=6FBB14415B6947ECF9110C860020E4703C44B4058DCA403CE109E926721FF0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:28.126{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABD194374DCD83FAB1BABC2830C84CA,SHA256=C9567351F75B78DB6C037A7EE701C2B38F5431B49DE72CD79D9B5B942D9854F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:23.947{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:29.894{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BEA6F05A951D5205FA8BBC2205A3EE,SHA256=EAA44D6797E39AB6F8C782E10D7747C346497BB969A1738B35855B321505BECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:29.317{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB083E524431028D4BF7F32754BAAD08,SHA256=278F82BBBA7FE504EB986A124046C2AE337EF35D0F6C12A76089A9DE6B5FCC78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:30.966{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4052A79711F630B79D71681C9B7953B3,SHA256=C09646116918DA6DC1D05441DF846C0F2906982B78EFB575A56A4553D2C06C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:30.834{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA2C93C211CEDE32AE775A2B4E63E386,SHA256=50345C5CD03C9F4D766CC7CF21D21633CA4F751B518556C4EECEE171E91E8DB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:30.623{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41D51F2D23980E90918B0A6CD00A7E4,SHA256=1E5A9F2456DE5259C5EB4B275546F2DDE74B5009472784D698D17E0A1F89D47D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:31.699{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C681FD46A459E6A24A9B517B2B9C191,SHA256=9F75D0B06A7963F4EC8999A64D5DC6A5BF217B387ABB663D3A5FE7451D643062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:31.152{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EFDC1546C982ED0F850E71BEA3053380,SHA256=A96C2FBB815A67B562B8A304D40CEC30F06D83219F9B3B0C3CCFB5E0C266A8FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:32.801{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC657037A63AAC27B45A54AB7C4349,SHA256=7CCA2894153D6089FF52F1C65EC6355A52313D3289F2CF781E67A17CE0DAC4DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:30.322{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51148-false10.0.1.12-8000- 354300x8000000000000000450107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:29.743{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:32.057{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABBFBF28B4B9D2F6BC198C622641377,SHA256=84E3B64236392A487AC65E35D1568C54902479949013D26FAE69C0DD9A9D6020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:32.348{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CB39B79C994EA9A6D6D5D26854434995,SHA256=248516B8422E48F8BA62297164CA4CD0F1DEA7CB57AD0F488DA2DD3F05A5D1CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:33.877{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B823AC06FB887037FAFFA98887D493ED,SHA256=4DA35B42618D9A3766A1E69A4556845893F19C9E3E9AB72ECBC4B5CFA82F3542,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:29.842{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse64.62.197.212scan-43a.shadowserver.org63774-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local5986- 23542300x8000000000000000450108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:33.138{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060DF2E7AA5542844930EF2A12DADB22,SHA256=0DE5ED522C93E837DE0D432D37038CCEC0980A64F44A61FB0D89231A962C0B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:34.333{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E7218AB32AB6543D1C6B5FEEA4E08B,SHA256=F34B508107B6529E52EF1D7326D0DFA03DDE915AB4F2C7590B7002758F7F3307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:34.302{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:35.421{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC824ADA431DC3826339FE83DBCCD757,SHA256=F5AF69A099B6BB83C9893197CDE48776B7EE2DB6B3CA881D0AFE3B3D17CAEBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:35.187{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EF33F14B6230BFE6857B48541DAA1F,SHA256=835A1DBF7DEC407991D3948B526B77F4CE4A2FAC5F419CAB4F7D11F1DF4576F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:32.985{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000450113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:36.500{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384BF5282FD49C889AF4D9A815A0C9D7,SHA256=06FE4BED5CE742F22236E38D3417BE49C5ED686458F0A512470145E71C640EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:36.391{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C32361887B56F97E180D385D2C4BE6F,SHA256=8F5D2D7B0667C210C45BE4E9C004D66F18A835F2ACAC398F73A77258FD72C43D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:34.766{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:37.588{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B9536F201AF4FC90B744338EF9C9EB,SHA256=9F6B1C2B4186690DD8D12083F86D1AC0DE90328A76C8AF9697B2A0E47858CC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:37.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA0FD4512BE0328FA1DD52D78F3C80E,SHA256=245738B265722BC4EBB0EFB746ECD9F8C7E08CF5D1876993B3C087DED67C3694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:38.678{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B228CA0768F5790C9F4855C14187AFA6,SHA256=0E99FEBA786A6D831E4EE12C4549D731770598E7519CED313B7BDA7CEB3E88E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:36.345{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51149-false10.0.1.12-8000- 23542300x8000000000000000342840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:38.968{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:38.546{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE8EC407D3956FD0066E328B92A873,SHA256=594F916804C14DDA01A1072FCC88C873B38A0C9F9B83664C541257B58579573B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.745{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83346D059E381ED21564F8555DE3C407,SHA256=D0234C3ADC45C3A68A82CEC391C8B5CB72A0CE4BC0F344A37FF648F94C8955AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:39.636{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BA1017B0A6F0F99E08ABD0B88B2E41,SHA256=7D57FBEF399F9765A6DCFB69A506A9ECB519E1FE82BA71FA99E7183D5A4F4146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.500{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.482{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.474{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.468{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.418{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.412{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.391{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.383{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.371{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.343{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.326{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.296{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.294{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000342842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:39.087{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=414B55F2362DD2B1A2CF754F654E7209,SHA256=8B2A3123D17116119E3D496A168A3F3F89E7A328E4C121A4AAC3C643C96F0221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.818{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF27EF1CA760110E91B4EF85E264E523,SHA256=22EF2743466A143C60484CC5486079534578AFBFDA1A436202FEA7F659AB3D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.790{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D7CB5944B843A9839C53F339BFF011,SHA256=EE16EC8DAD03C0F2BBEB2774479106562A871FBA5F5F6671747937FC3F66527F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.738{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.713{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.708{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.707{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.706{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.685{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.682{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.673{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.657{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000450142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.014{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.009{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.004{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.002{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:40.000{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000342877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.621{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.612{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.596{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.590{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.588{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.585{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.583{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.581{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.575{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.574{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.571{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.570{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.569{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.567{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.563{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.555{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.550{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.537{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.535{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.525{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.507{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.505{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.493{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.460{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.453{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.440{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.425{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.394{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.381{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.374{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.363{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.348{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.326{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000342844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:40.323{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000450144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:41.908{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC3AED67605ED60D3A226233FC71489,SHA256=BD496B02D67182EA8DDBC737FC07E17AC927180681DC91847CED62AABE790FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:41.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3286B0CBF6E8080EC27A347E1DADE3,SHA256=C9D17469B7D5832B523A344D842C33AA5A0583D38EBD81E78399EC255F6B8EEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:38.212{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51150-false10.0.1.12-8089- 23542300x8000000000000000342890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:42.775{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E637DABD29B6C0F1DE64F08CC1313FBB,SHA256=9DF5F6082CFEB9752EC1110142EB597452BD71D6FB70809F8DA0CEB90C3CAC56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.692{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.672{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.669{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.661{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.648{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.626{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.618{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.606{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.601{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.597{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.595{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.594{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.591{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x8000000000000000450156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.956{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse64.62.197.212scan-43a.shadowserver.org49848-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local5986- 354300x8000000000000000450155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:39.851{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000450154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.352{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.352{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.352{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.341{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F93C80896351B8CAF7CA154798EAABC8,SHA256=5041EDCEDD8176C4A59539FBFB45D4C5163F004BE4740CCD3B5699739ADEAC84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.340{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.085{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.084{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.082{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.058{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:42.044{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000342891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:43.863{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52960C5EAD918EE2BC733BF2A364E0FC,SHA256=01873BD487C06D1805597187ACC24C0174A0BEF733E22AB9B5A0D2C2C3974CCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:43.135{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDB7CE017CA18352E2D094785C5DE47,SHA256=BC402436885FAEC7DFAFA7AE62A56111F863A0417530DE39435BB74D382FABA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:44.949{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21AE3F794F4A85A9B997E94A0DA206E,SHA256=8CAE66BF52365BA4694EAED0B73E2887CA1BF19A7C5A577C584F2CA9FEC0900F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:44.213{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177A1294F16F4D23DB1194B81214D972,SHA256=D47DB46FD34FA9CBB76C855D55F08F2ED1E23851EB96C5C46C7A1CDAA31D90F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000342892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:41.385{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51151-false10.0.1.12-8000- 10341000x8000000000000000450181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.863{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B621-63D3-FB03-00000000BC02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.861{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.861{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.861{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.861{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.860{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B621-63D3-FB03-00000000BC02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.860{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B621-63D3-FB03-00000000BC02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.860{45AAC21C-B621-63D3-FB03-00000000BC02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.280{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF73BC4DA35D2A92BCDB48BC30FDF01,SHA256=FCF8630A0ECAF6C679003151622C71F504EA97B90D90689A6FD0B481F51194C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.919{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A8BB2245417E3853AC5D54E9FFD423E,SHA256=BD59035B92441E59946B392AF7EBFB30CC6249B646187F53C49DB3223C994466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B622-63D3-FC03-00000000BC02}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B622-63D3-FC03-00000000BC02}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.488{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B622-63D3-FC03-00000000BC02}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.489{45AAC21C-B622-63D3-FC03-00000000BC02}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.379{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F83C9246DAAE253A4125C25CAEE08F,SHA256=0DEB317C414608803A911EDD1033795C4A793558BDC03D81ADBC4BB9D417AFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:46.153{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAEBFEAFE84053B4CCAE46B923FCBE6,SHA256=1F07CD9ACB6D3E3C14F6D7D63F9BF4CE3AE3595B94D226191103859B6FF75C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.557{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73955392F39E7826AC04A15CD943C404,SHA256=98FD6AC32F79211BBBFCC9C203FA938BB2FE85F75AC29AC5531540879527F86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:47.338{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412387BB3CDD4C60EED4ED952A890C00,SHA256=C4F02221FDC122516FCD5684128E7B0A27D14BBFA4137A318B8CC556D0C3A0FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.307{45AAC21C-B623-63D3-FD03-00000000BC02}29125548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.276{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F45225D5E7DF3365815FFCDB6E9399C0,SHA256=81F642A04DE9B8F84220159830EA9583484FED672CA3A4C1AAF7CA29ADFBCD69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B623-63D3-FD03-00000000BC02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B623-63D3-FD03-00000000BC02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.105{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B623-63D3-FD03-00000000BC02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.106{45AAC21C-B623-63D3-FD03-00000000BC02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:47.002{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=579D143696A4170B808996228C29179B,SHA256=3EC3B7D26252432DC727A8352591B8F34FDE9E0661437AD219F30308AF07367D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:48.519{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81A6956257D73CA8A2F03178A05C514,SHA256=70B6C9F9E8797888E2E7242962E95D67901C2AEA81886DBADE1C017C7ED24C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:48.643{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A2E86E1DF86FDC106E811197AA2FE0,SHA256=9A60A62AA26C64F0F48B61AA7FF6AE524055D97B9E98EECD2AE2A49CEE5C8354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.960{45AAC21C-B625-63D3-FF03-00000000BC02}54644100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000450225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.335{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:46.335{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:45.742{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000450222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B625-63D3-FF03-00000000BC02}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B625-63D3-FF03-00000000BC02}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.742{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B625-63D3-FF03-00000000BC02}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.743{45AAC21C-B625-63D3-FF03-00000000BC02}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.727{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0328741CB2BF29EF65C72B77A35FB2,SHA256=27A06D3DF25F51F13F44AE985D9CEAF5808F4CC4DFEEBAEF2E70CCC00906BC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:49.722{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24933A4122ADE8A0373E1CB6FA3FA538,SHA256=32557A689183B819ABC9240E7DD6F9C39E106F11DF4D912D3E47DBEFE498A2ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000342897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:47.286{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51152-false10.0.1.12-8000- 10341000x8000000000000000450213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.492{45AAC21C-B625-63D3-FE03-00000000BC02}5624620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B625-63D3-FE03-00000000BC02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B625-63D3-FE03-00000000BC02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.242{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B625-63D3-FE03-00000000BC02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:49.243{45AAC21C-B625-63D3-FE03-00000000BC02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:50.796{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACC20A85AA4E6F7E95DCAD1BEDB4DFB,SHA256=DBC473E7875068210B682B09A036FA2728E524D03EFEA21D6DE07F01FF9341C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.804{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFCF0DFCE25237073B8CF7ACA6DF54D,SHA256=4BEDE2EB878E66A4C9426EAD41AAEE07AA1B1C285D9C0FDBB829975119848ED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.429{45AAC21C-B626-63D3-0004-00000000BC02}29324756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B626-63D3-0004-00000000BC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B626-63D3-0004-00000000BC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.241{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B626-63D3-0004-00000000BC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.242{45AAC21C-B626-63D3-0004-00000000BC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.892{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6994E83BAC1DF90034097510D7F3FA02,SHA256=60522E5F5F0BA61E46148E8D7625619B80A7E1A7D28598C2721367C5E506E183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:51.960{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C2A8DB5BB8A6D239B189C253C3BA27,SHA256=27682944A6C9138261968B6008C10EDFBB60AB8A562E2B6BCF4AA734C0171827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B627-63D3-0104-00000000BC02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B627-63D3-0104-00000000BC02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.533{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B627-63D3-0104-00000000BC02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.534{45AAC21C-B627-63D3-0104-00000000BC02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:52.585{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=112F8332861499834F6BEC67567A9B47,SHA256=D083D1C5B4561171089902D0B82609576E6EABCB2FFD9CCD45985D6580EF13CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:52.522{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D8009058C5C0F25BFFF714F946D32206,SHA256=99F2F1BF3030429626AFF009DD660D3446EF39FC7490945B12C4EB44E7315F5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.134{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse64.62.197.221scan-43j.shadowserver.org4941-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local5986- 23542300x8000000000000000450248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:53.069{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A868C0A7FAC9B685E87BCCA6F115327,SHA256=2BAA9F65EDA326ED3CB98D0AFA84793B6253829B886C9AA50E889B7E19BAB7A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.784{72106695-B629-63D3-4704-00000000BD02}27484460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B629-63D3-4704-00000000BD02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B629-63D3-4704-00000000BD02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.503{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B629-63D3-4704-00000000BD02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.504{72106695-B629-63D3-4704-00000000BD02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:53.026{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E48365D4599ECDA8AEF45281A28751,SHA256=CF3FB7272B5518287B86149EBDF0E9E9FDAE187663F4078352FDEAD91ACFDD4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:54.138{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4643BAC9CD82266E6D9B138070966944,SHA256=1AAAE9AAD91CBDDFC2F5EAC452801D208D2AC9A770E0C1CADE41167FC3D5BB01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:50.763{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000342931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.978{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=98A197A624788973BDF850B357737460,SHA256=E21202FF9301FCE39C23CCA203B1CFA0C43CDE216AB5B7FC231F07B9F58A9C39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62A-63D3-4904-00000000BD02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B62A-63D3-4904-00000000BD02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.688{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62A-63D3-4904-00000000BD02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.689{72106695-B62A-63D3-4904-00000000BD02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60390A5D86FF072C875E11B10B7224EF,SHA256=F0EA47C63EACA4A559767323C5F60DF91EC7EA3174E704AF98AA42B5EFF4D611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.219{72106695-B62A-63D3-4804-00000000BD02}23923572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000342920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:52.286{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51153-false10.0.1.12-8000- 23542300x8000000000000000342919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.116{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA733FA8DD21BD5728B41E99C18BD74D,SHA256=4114CBA8B6B4B9DA3EF9273884412CB6F4D4F9BAD8C0DAF118D7F8982FF68063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62A-63D3-4804-00000000BD02}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B62A-63D3-4804-00000000BD02}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.005{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62A-63D3-4804-00000000BD02}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:54.006{72106695-B62A-63D3-4804-00000000BD02}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:55.229{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6B90821C71E839D0ECC68BA0389FCF,SHA256=0B5B38200935640FA6942F4AD784118A94B7D5A7ED6C7B44B99BF2BF4145AAB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:51.721{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local60370- 10341000x8000000000000000342955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.980{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000342949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.830{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.831{72106695-B62B-63D3-4B04-00000000BD02}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000342941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.368{72106695-B62B-63D3-4A04-00000000BD02}32682736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62B-63D3-4A04-00000000BD02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B62B-63D3-4A04-00000000BD02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.212{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62B-63D3-4A04-00000000BD02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.214{72106695-B62B-63D3-4A04-00000000BD02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:55.197{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAFB830FA2BC5D65C3939EAE57A4652,SHA256=FFA68FE85EFAAAF5B35EA9C72E5D729D81AFB1956B04D43EF2252CE1040B07F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:56.204{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4F6057B0883ECC1389D0CF8A6BB355,SHA256=4A2618B360B19F0F7121E7A56080EBE7EDC7D600BC52E86CE03ACA3674F51828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62C-63D3-4C04-00000000BD02}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B62C-63D3-4C04-00000000BD02}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.428{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62C-63D3-4C04-00000000BD02}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.430{72106695-B62C-63D3-4C04-00000000BD02}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.272{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578F7098A157E4B612643DAE71A33699,SHA256=711AD5D9166EC95095493237664B880E6ECE9F1591859C6399137F8493533860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000342956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:56.122{72106695-B62B-63D3-4B04-00000000BD02}49405032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.803{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C94FB1D4D2E4432AE4A47A5B0B5B70C3,SHA256=D218C61BDBCADB825ADD258D5261E6BAF49398C0C13CEF1936170A0E8F26ABA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000342974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.372{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5996ADED3BEEDD9681EB9CD97431802,SHA256=45FAE7B04B380A38125C57BA2770F78ED0F0E4BE4A096D218CA37410CAAE5446,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:57.276{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966D25A8C285AEB07427EC88F0D8D054,SHA256=13EB727E2D2ADBDC441ED06D8FFA75B623658F4F9C2DC9619BF34874321774AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B62D-63D3-4D04-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B62D-63D3-4D04-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.041{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B62D-63D3-4D04-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:57.042{72106695-B62D-63D3-4D04-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000342976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:58.445{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F936D643730B6DA5A23538B9EEE4B024,SHA256=076DF30D1CCAA67A256158C2CB440FA1030D3092907CDD44A2F51553C0A89933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:58.355{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2083EE85F38806ADE4DDBEA04481F342,SHA256=9C6DCFF4507FB482985030777EB0B60147E15BEB8C8707F3C62ECEB3D9183CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:59.524{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CD07564D78B032A375A8013FA4DD19,SHA256=1BDFA1CC128071B80DB79225D46347FACD6C788A3462571B81BB53A3B40D929F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.485{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.480{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.475{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000450271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.450{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A929D705835B7F65C285BD000125B3,SHA256=523F97DB1DE8F270835B9439A9D65DEC8ED161C13E92F438FDE512A92B1BBCAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.436{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.424{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.411{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 354300x8000000000000000450257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:31:55.851{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.735{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C769E881D6DFDF1793395DB4E2ABB0A,SHA256=FDB8C193C4B0A9649334ED60BCEBBF6B9AAAD3190053CED7BD8FBA1E527DFE1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.659{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.636{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.632{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.632{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.629{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.619{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.616{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.608{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000450283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.479{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF06B893FDC5AFD634267ED298DCEDA,SHA256=718D7688385A1B5652B7443710F7699B1E2EAA7EAE4D8EB2BDC5941A9B467ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.595{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.568{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.563{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.552{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.548{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.544{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.542{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.541{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.539{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.533{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.531{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.530{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.529{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.528{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.527{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.524{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.516{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.513{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.505{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.503{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.496{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.483{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.481{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.470{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.433{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.427{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.417{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.409{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000342985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:31:58.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51154-false10.0.1.12-8000- 10341000x8000000000000000342984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.391{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.384{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.376{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.365{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.351{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.343{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000342978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:00.340{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000450282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.125{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.122{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.120{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.116{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000343023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:01.696{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1350CD9DA187FBB91E87522F16334F0B,SHA256=BB2147C007924AF493B4AF9E6A787C565896146C83570C837F2D7A07D70554FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:01.572{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16FB749A9A32DA6FE971C965B0014A,SHA256=7C889583A0816FC98C5F4D6DA4E1078AA5FC678FD7E4F7635D25A871C4958738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:02.774{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF4C33A6FCA75E3BD86D09B8927690E,SHA256=A7E500073E429549F30FC56C59A6BAE97623CFFD0FA1853CF8927808973B01D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.787{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.767{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.760{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.750{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.725{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.717{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.712{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.711{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.706{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.705{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.702{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000450290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.669{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25C684805CA110733AB5710D5AF4C5F,SHA256=D34160B595AF9BD30F388B6EFA20CC9116B4AA1DFA5C05508BB4EE721BB80B28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.183{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.170{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:02.163{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000343025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:03.858{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A71E6AD3AE4633EB52EA4E96B37687,SHA256=B8EE5BFEA332AFD3CD54E540DAA24E83DC1E21EDC0C0932757DA90C216A9B8AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:03.736{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F81C2882448C339BD42548C69B4D008,SHA256=3A338C978281384632A7FF4F9836FC8776AD13CA03729053839F6F23B81D31C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:04.818{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFF54085A5EB0789F94ACB27DA19C55,SHA256=1FFC77A893EC3F6D863F52FCC2BE11E3C4D37F8B4F1E99DCE3FA046BD8185B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:04.265{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-110MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:00.878{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52810-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:05.903{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E3727D1749E28271F94DCDFEB20CB4,SHA256=E65C7A2B8072FB2FF45DDB3FB868E7AF5D717774648791F62E976DE099A45B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:03.473{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51155-false10.0.1.12-8000- 23542300x8000000000000000343028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:05.262{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:05.048{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2D5BD8709438B53A4329110D4F0D83,SHA256=64790CD0F119C49143759D133634F500A84BC1F6B29DFE655F327BC2B6B69F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:06.993{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD298001612C405218CA8E3ACA557D8,SHA256=4A836EFC4821B9305BCA616A74E906E17E4F97FC02EFC6173E755135D093BCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:06.143{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98F58C8433D3B0E5156E6217AD4C968,SHA256=8B4668C21669E95DF7BFE9480BC83FAC6D9A646FC8C938172D9AE8642AC818CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:07.335{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD008E048B144FC0B7B3103C12733D3,SHA256=A5BA0D2086C7EE50A43D09E2E276BA25BA3DD52C3EE3EDC64F141DB47D03C447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:06.598{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-50577-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000343032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:08.409{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933E062C2DEE22872520695C86FD48C8,SHA256=6D2BD7AD607449288691200D7818828ACCE5767A95E69768ACFA361E6EAA2BD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:08.067{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E765162D40241217323BF812D3BEE1BF,SHA256=ED186EC14C8B6CB8CAB610BB529A091C841B3204C1A8EC08FA880D4F0A54A38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:09.609{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651E9E572D9946ACFF78A9060F288F13,SHA256=FD2FC8A3A777BD2FBF65FDA21810EB29610EFDAC6F71699F026A3B704EFB43EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:06.860{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:09.150{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE51A33D8E9C3E13DD9CCD891A7177A,SHA256=1840E916AAD1F85B57C5BD3AC5FFC362D8261B48AE3C67130634F66F24504CF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:08.493{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51156-false10.0.1.12-8000- 23542300x8000000000000000343035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:10.702{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2AF18B611CFBC41140F1991A921862,SHA256=DB3258755FA9E2AA91C77086F38F5716ABDCFD637C014D517DA94EF7D9A6B027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:08.014{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse64.62.197.223scan-43l.shadowserver.org35899-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local5986- 23542300x8000000000000000450313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:10.219{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D0BBF3C3E3D9B9681D843C9CC77210,SHA256=06CD6CF5E69D1E2B7691EE7FA676D52E12BD05810CDF5CA55EB6A23B2684AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:11.811{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BCD3F4DAE120D15CC5BE0D9C9D4BF1,SHA256=9DACECD7E584BABA500BFA513460A6E12B00FA61A366E3C61FB33DF6EE48D88F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:11.288{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C8878A2D689E1C9BB359DC905A20D3,SHA256=6AF421E34E13A71A8D8EBE6026837833D25A02FC885E8F36305E880084AACEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:12.890{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340EF09F768A83DBD909A5ECE47294D7,SHA256=B2C97179E64B46C9109FB70962D621E028014B427A7B1D37134E8637DC25CA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:09.281{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local65390- 23542300x8000000000000000450316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:12.371{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0236BDED4F7B85425FC6B0F3102DAE24,SHA256=600DB901942C2D6DDDBE55F398FE9598BD6FFBCE685A22EC51169A5DBBD00C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:13.452{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215190100245954A0E2C705B0A32DDDE,SHA256=748D16F5EB9C236851B9930FC53F94B35BE117095CDCE06E5047D008D1AE7F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:14.637{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA89D26288DC78160F05AB688AFBAE02,SHA256=F667DA37A36AA3D4BF3AB8CDA3DAC9E8ABFE27C9E5C085701BE416EC1944CB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:14.085{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39843944379D320AB51D571E9DB9839B,SHA256=68018B764EC929A2515CFFFAADA5679340D7A25258792FA1677C5C47B9D2DD6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:15.262{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC8B5BF75A1CD7227D81AEC3BB36D21D,SHA256=A21A5B40899FBCEC169ED603492B83A3DB50032C802C0860D9C616E995E3E79A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:15.167{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74259851C025EA990C17EF43B0B7CEB,SHA256=304193B806DEF0FF7DD5CFC00A34F1EE3633FAE226671D6D76EFB263C6DACAD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:15.725{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A04FDF9D05894A9745784C5433A296E,SHA256=9659D5E4BFE91FF43A339CF0345FA0899C6135B698A589A2A63563339BE226F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:16.804{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463FBC88B17DBBA336539438FFA294A7,SHA256=7726E80FE79355D1D0CC6A1A466A2510DAEBFD7EC7751137BE8CE89F57664B23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:14.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51157-false10.0.1.12-8000- 23542300x8000000000000000343043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:16.358{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA075B522BFBF59F0BB1AC0218CE2063,SHA256=C961D3EA6F6CB70B961785A7925EC77573940340A5F2D2C1A9C148E73ED5EAC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:16.212{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B057A33A7D7773F876C3BE76AB661B97,SHA256=436031C40EF86329CA281114528046E39BA26CC9453E27C4C650F57149C6C590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:16.278{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C8A8E6B341AEDF5BDFF5369A1F3BCF97,SHA256=9C599DFCEBA3CE1701EBC85721320890BEB91637A426DC6704517E31623F5232,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:12.766{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:17.892{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68009484EEFCF8F6CAA7633FACB0C1D,SHA256=D3A2832EFE5EF59C0F2285448822C633C8D4F09F0F5FEE6B877D04F003DEDDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:17.443{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89673526DF5D5015701C47986E5CE3,SHA256=68049D59237EC1ABB57D9183216A8CBC0E6202B4D4F397AA855C60F0C23FD684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:17.457{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E0382EE621041B022D631FD36EF6955F,SHA256=7CC0EC567CB77A8769F281FFE0A1D4080AE337B679216B099463DA554EE35B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:18.968{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33251BF552F8D2A69AC5CF63A09BA4EF,SHA256=ED79F959754384038FEFBC0150AEB303E79AA180455AE4BED78632E921271890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:18.520{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96B03DBFD9B5AEA4850D4968BA27C22,SHA256=9278838B12163FDD7ED221E96F3AB1E3E32FD7EC5D466400E21A185930A7CFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:19.613{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2D5D5D2560C102A0E0462CF7259D80,SHA256=03F5AC56496DBA980CC6A6D0F612C206010CB42B15FB24B813A83D8B97CF4800,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.605{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.586{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.573{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.564{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.557{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.553{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.488{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.476{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.448{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.439{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.431{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.418{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.392{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.382{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.370{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.360{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.311{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:19.308{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000343047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:19.206{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=61F06B89517FC084CCCC8B78A14B9784,SHA256=A17C326D6BADA71FA323FCBFC4CAEC710451E7CFA11617DC3C55538D3253F04E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.837{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06232DF948A4EFDA4597520FAB4E2A4D,SHA256=6B324B2594920024068E6580F965956F5596668903A9883C56DECAA883E06F9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.650{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.628{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.623{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.623{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.621{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000450351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.300{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.297{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.294{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.292{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.290{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000450346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:20.011{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2260082DE47173F89323FC73E9151A09,SHA256=85ACC97C385925083C50D289751CA77542EBF1F0F7069609494C9633A1FA1882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.611{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.609{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.598{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.587{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.565{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.560{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.549{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.545{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.543{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.540{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.538{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.536{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.532{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.531{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.528{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.527{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.526{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.524{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.521{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.513{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.510{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.504{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.502{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.494{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.482{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.479{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.471{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.442{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.437{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.429{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.422{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.412{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.407{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.399{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.391{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.383{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.357{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.350{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000343093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:21.660{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6F75804B0F4FCA4ADBC330C687E33A,SHA256=4B766A7DF81DFD1154182376BAF390FEC77E2B8B55D9A9A99E930BBD7E2FC913,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:18.713{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52813-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:21.069{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA553C2C2F34EBC56DAF33035FBED9D0,SHA256=2A53CA7E6383FCA5CA96B34D8BFA7F8CFA5DACF2A55B4D61350B1D46183F5C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:20.315{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51158-false10.0.1.12-8000- 23542300x8000000000000000343094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:22.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E52F083BBB611299C0FB1F25B4F253,SHA256=3F7A8F84590DF7BB4869DE6C66AB26AD8747B16096CE76B5623406E2ED5A48A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.979{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.949{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.945{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.932{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.923{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.892{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.886{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.870{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.862{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.861{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.858{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.855{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.854{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.852{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.348{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.346{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.345{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000450357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.335{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000450356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.333{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-110MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.325{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000450354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:22.149{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB74D8310F29C333044307204882A8C,SHA256=69C840B2D767A2FAE8BA056ECF5BCF69028C9FA8A4287D2926C52ACC7A5A09D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:23.928{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB40E036C310E8C4A355CBB413243F64,SHA256=59359F5FBABED62CD417E40D91937D6DB849FBCD185200C7C06132E138DAAFEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:23.337{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:23.242{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C0793705C6E1DF41F2004F94DAA200,SHA256=4455F9EA9783BA2B81E927466AAA58FE54F30273B28478F2804EF8C29AAB442E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:23.164{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:23.164{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:23.164{72106695-9B84-63D3-0B00-00000000BD02}6283260C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:23.149{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:24.332{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961AF4FE83003A8C95938BB10DDA0883,SHA256=847AB5D9598FD6BB6DDE6D6139C6247583822E40340D9245410DA9FFCA1C6693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:25.420{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D85BA127EE2CC5BDF3755BF7C1463C,SHA256=AAAD6A8F84EF50247E2F12F670BED756EE10420607EB6346EB80262B5AEDA122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:25.033{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61627F0EBC7AA18040500CE5C3F2A4C8,SHA256=CD0BABC9EDF0C65E7B2BED1BABC53412216C9572A004F0D66055DF3EA9441A8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:26.522{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB870FB93EA2828EEC9398FA8445AE8,SHA256=E534D14021169615FE1F8AAA0EF3D4FD40895537DFEFA37D222A3ED194DE7709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:26.235{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1D4B4879EA9867BE97FAA3B9E54586,SHA256=4D5FE20076925A6BCF6C58D2C4AF4C0D36F62DA0EBE6154B44618E2983E71ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:27.710{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6CE3BB8F702292442B3705CB881C8A,SHA256=8AA415BB05011F71E692E5353827AC90E78F6C2146C7CC7F2AFCB9FBDEA91A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:27.982{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F42379B58855E4D00D35529CF81DEB9C,SHA256=A93A0DA58E9533FBAAD128B563323746F5CC37BA605CA12301572AF1457064BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:27.310{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00695A8B0DB3735118D97D45E5BD8315,SHA256=8D319B0FFCBC2D51AB967C63B4C161EA58DA1E77325F048B135E654AA5E748FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:23.932{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:28.794{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9A9F2D81C5A9DB3C6515D3509F83E,SHA256=54CF787EF886A06F2521720DB8BDDD31606DF5034F9854161A8155AEBA01C3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:28.618{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867878E6E82C2D73B310F3D51249C23F,SHA256=BF5D3023AD4ECF6FD8C4BEC1E6B9307205D63C886ECF9697EB3E448D1F910B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:25.374{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51159-false10.0.1.12-8000- 23542300x8000000000000000450383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:29.884{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EB5FBC1A3CF7887BC0F09D0CA753A6,SHA256=6AF0FCC23C68676B70306592429A36F613C6063EF348913CD0B45DA8C4979241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:29.707{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DA1C4A392012B50A27A04D4B974C9B,SHA256=AC05F623C70EA46A834A5158B5C8B5FEFD9BE157ECFAE89F7F3AB766DBCDA0A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:30.966{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E3717FBF168F55AC04D3AAB671629C,SHA256=4F73E02DD7B96ACC1A79A05A07FAF93737859CA06B366B56B9CD8E5DF4419297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:30.800{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F5C23092E2638127BDBC44F43F3D9F,SHA256=E458ED52A566DF2E24EDD342DACF64912F95F48D97BC4051CA6B7DB133EE5220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:31.889{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A8F762EA0580A876415C6BD0304939,SHA256=57CED5D807FC58347CAD6D87C6103F205A8F1235786DF894E7A7E5EF91902217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:32.983{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A28A912E14FC0009CB75DD1C5CEA11,SHA256=8D2A4BBE8725B598CBB7921C02356716885F09E18E5E9769D76761CBAF0D5823,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:29.852{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:32.050{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AE3E5CE8F72EF7F29446BC7402AFCA,SHA256=80658B2764AF0B3C1FAEA4CE5BF91F97531F1F0031C5E562FA2ED558FBC86A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:33.139{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C81DD8F7690DFEC5A1650C414C94E9,SHA256=CDE79CC51D77905A39C0C1649708D1754BFB660BD20404AB3FC79D27D06F6287,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:30.512{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51160-false10.0.1.12-8000- 23542300x8000000000000000450389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:34.304{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:34.217{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B6077579401A4CB9DFC33CB02F4A17,SHA256=2F5F8F5704D791AEFEE18E41BF8C67DB99EDA10F273FCF09472D85C9E9DCC0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:34.069{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A999E5A844165390B77AD738329B9C,SHA256=0B6D4A350F433A95E3EFAFE6B1DA894D3E64285BAF4CE0D4A0337D4A425AE51F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:35.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F156DC9B6C54FD348BA73042607A67A9,SHA256=0FDEE20C16BBE51D3DFFD282928CE7FDB715044024B29B0F4D95EF3B45B42DC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:33.004{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000450390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:35.289{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BECD9FB72937975C23CC6D89CF8C62,SHA256=1C4A02AB7C499D276C9BE51AAF84D6061335FD5E4AECAB15641DEDF85550002B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:36.586{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C286FEBAF78E0B2B368E175208D6962,SHA256=E67BBF9DC7DDD06B3BD08FC75B85B1F71A70E09315C4858C8400F5FA82BBCBA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:36.378{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DEA10C9EC32F6E1169AD36C8892C3F,SHA256=F836338FB9BBFB670229A5E7EC51055168DDF61729390C96E50F283D1E106C37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:34.863{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:37.479{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D964CD84D4A920A4734742C762335D2,SHA256=864C79A02C116C939FECDFFC90C65BB174C5DA9A3D95BED7B9002D3DCA15562B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:37.014{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:38.560{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F1D991A8B79EC283F96F76E8413C2E,SHA256=A3AE71846465B8F2FC134F1E4630ACCD06BE3CC81A66460CEB99136BC3DC2A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:38.995{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:38.191{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A217B6E4640D60F25826CD5D83F33A,SHA256=2FA98335EE7F7464BDEB6389B64DB3C9563FDF043A276AC48EEB3BC65C36F230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.622{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BF7C8D2E59F7BCCF36FB14E66C5642,SHA256=F1F8B69F1D821E30FDB371F0252B5865CD947B925E257019335D74A1B7EF77A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.579{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.561{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000343147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:39.293{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1115289E1FF9FCD3F0B76D77CADD500,SHA256=C94798F2DD036A07A95A9E08F88C7064305C2801330AF8DA8E210706E937DEAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.543{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.470{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.369{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.360{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000450396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:39.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000450421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.775{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C62F04DE2A0C76525ABCFDFD2F39874,SHA256=B7EF16EF402FE9F8099400ED6F7AE7B18E231260CBB410AEF29AF992578A7706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.789{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.761{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.756{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.755{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.754{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.744{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.737{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.730{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.718{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.691{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.679{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.661{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.647{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.632{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.631{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.627{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.626{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.624{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.621{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.617{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.604{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.596{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.580{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.578{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.566{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.539{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.534{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.518{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.455{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.440{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.421{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.407{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.390{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.382{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.371{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 23542300x8000000000000000343154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.370{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A90720E5FAAD594700CBA31E84E9707,SHA256=BFCEC5554600180EBFCC3DD47E749AC421868D956B20C89BA2A3E448C2EEA903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.357{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.346{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.329{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000343150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:40.326{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000450420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.267{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.263{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.260{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.257{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.255{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 354300x8000000000000000343149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:38.239{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51162-false10.0.1.12-8089- 354300x8000000000000000343148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:36.352{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51161-false10.0.1.12-8000- 23542300x8000000000000000343194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:41.947{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D31676F09E2A0D3AC63C9D210ED30A,SHA256=ED2CA4565837475D59A211C94EFBA873D71163F66CF0116B4AB79BD416043995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:41.936{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EEB3B683FFE91FCC02CE2EE178D805,SHA256=033A45551217C3F138A1F41F4BD7F1729E043B13F70E53663D701C5B719AEF84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.917{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.899{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.895{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.879{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.858{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.853{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.845{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.839{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.837{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.834{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.832{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.831{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.829{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.336{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.310{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 10341000x8000000000000000450423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:42.296{45AAC21C-9B96-63D3-3000-00000000BC02}28483452C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108610) 23542300x8000000000000000343195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:43.160{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8A3E496A730720E7411664E32E1560,SHA256=499ED2241F19443CB73A7949EB5F9AE8BEA73842155539F216F9B653C2D89101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:43.012{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72424284A11073F3092FFC464AEFA955,SHA256=0986A98A3DD00E0862499AA06B251407E2E9E54678E7F4766D250247029175C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:40.797{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:44.117{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB8809EB0D5C675165676B88DA36A63,SHA256=62E3C6D400E7B96144751EE189EBFE9444EDC7D70218D2039AFDBDE2501A6338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:44.260{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FBF64EF1E4C0A3B3DB1FFEA32D1CB8,SHA256=4DDFB7FD73D482F09B69E99E68F9606E94D5632619062A9508DB6F5C4AB83632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:41.379{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51163-false10.0.1.12-8000- 23542300x8000000000000000343198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:45.254{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907756130B3D6027EE6AC435668344E4,SHA256=AD378E5E1D8BCE81F956B6CD2895A9A942ABB69B834C24B277CA6479CF35A6CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B65D-63D3-0204-00000000BC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B65D-63D3-0204-00000000BC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.747{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B65D-63D3-0204-00000000BC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.748{45AAC21C-B65D-63D3-0204-00000000BC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:45.309{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8143227FA357CEB8D81DA4BD205C7E7F,SHA256=102D1E0F3C7D630CA2D37FDC2627FD0F94CB4E68F053AFB3C8746FD3B063AC00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B65E-63D3-0404-00000000BC02}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC6E4675F73A28721D5C019334679D0C,SHA256=FCE2E000BE1D1446E2A398AE16D5C1F0560231F79B1DAFF62FB50A3844DDB76F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B65E-63D3-0404-00000000BC02}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.855{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B65E-63D3-0404-00000000BC02}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.856{45AAC21C-B65E-63D3-0404-00000000BC02}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.386{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A29B3B2E06135A26E848609C3BA3DBD,SHA256=753036448FFBD0C8A10F81F96A49FC453896F8220E4B1C96BBB764D6E5F35FB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B65E-63D3-0304-00000000BC02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B65E-63D3-0304-00000000BC02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.355{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B65E-63D3-0304-00000000BC02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.356{45AAC21C-B65E-63D3-0304-00000000BC02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:46.345{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A551DBADEE1D052AAEEED44D2487D17,SHA256=664E9787F26CBB009979F743A78A497416CF3B36AF2235F2CDA5FB8090DFD02A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=58CB134D6913A383F2BE8ECC4697746E,SHA256=6ADDE3B0187EA6EBEBC5C8A55FF34D46E40E605448EAE4E12E1B9E3FFFA3FD3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.041{45AAC21C-B65D-63D3-0204-00000000BC02}54401900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:47.900{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CB8B060AAE1D73248D9A9B4DC74B6644,SHA256=666E53A529113BFD7F928638D5E95E7BE257E7003869353431A5B6AFF41386EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:47.466{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8E6833EB13490FE86BE235D192BDD3,SHA256=96AFD6F2014594BCBFD273518A373F23B17B89B66B980C1E06309365C13796E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:47.410{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A237C52A8B924BE61A845FA33FD3BF,SHA256=FF4ECEFECD1EE1B3CD793480E22A5D9FB9DC3B6D2A217AEDF057A06790873FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:48.605{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90259A82A870B63043E7B8581213318D,SHA256=F41997FC2B15CF130BBC38198D028684167F09E7EE15A9841BEFDEA3A3FBB142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:48.556{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323D1C93BA598DDFF629C744C90F5926,SHA256=55F7E3B0B385237FB58E2449D3D08D80C9394A550B2E44DDA87FD790E743AB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:49.802{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141DE6E6CFB44260EF7AD557F0CFA49B,SHA256=35B2C889B3BFBC7A730EB2B3EB3B67318CE4DC6AB80ECB763BC8322048E8AEE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B661-63D3-0604-00000000BC02}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B661-63D3-0604-00000000BC02}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.900{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B661-63D3-0604-00000000BC02}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.902{45AAC21C-B661-63D3-0604-00000000BC02}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.854{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7795CD0D37B9BF190C150F730D1BB722,SHA256=3070ECE2FE2D1603895616FAF1DA06EDF08BD0F8C5E7F1BC5F85297B8D749CB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:46.487{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51164-false10.0.1.12-8000- 354300x8000000000000000450488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.353{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52819-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.353{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52819-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000450486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.432{45AAC21C-B661-63D3-0504-00000000BC02}25524304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B661-63D3-0504-00000000BC02}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B661-63D3-0504-00000000BC02}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.244{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B661-63D3-0504-00000000BC02}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:49.245{45AAC21C-B661-63D3-0504-00000000BC02}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.936{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9767BED5F7EF87EF89EF697BC8B4A9,SHA256=11837C465A9B226E437C864B7753FE34C7B88E0B6E4A979B534477E75F79FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:50.895{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD2142566601223FD0AD62D3DC826CA,SHA256=3AD6F5878055C944D328BF159762983F6C4B50DA91DF35AC5BE6475857CB28A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.764{45AAC21C-B662-63D3-0704-00000000BC02}58161188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000450507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:46.771{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000450506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B662-63D3-0704-00000000BC02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B662-63D3-0704-00000000BC02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.515{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B662-63D3-0704-00000000BC02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.516{45AAC21C-B662-63D3-0704-00000000BC02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000450498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:50.104{45AAC21C-B661-63D3-0604-00000000BC02}32565820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:51.964{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF07B8C09A3DABC69922E730D091FA49,SHA256=50C14F9A26993D5A873F06D699967F9B5D2B1350864814DC48C07CB1984B8D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B663-63D3-0804-00000000BC02}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B663-63D3-0804-00000000BC02}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.543{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B663-63D3-0804-00000000BC02}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.544{45AAC21C-B663-63D3-0804-00000000BC02}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:52.012{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D60475CF456D862DCB62855AE832BE,SHA256=4BCC5E5E36B6727736C6E53F41974FC7775E132024B0EDFEA9A97659FC6B7A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:53.092{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11020031294B7C4793B8A45FFABC9DB,SHA256=BCDF008B67F8AF022C3A4894920201C351E60106D6D0015D53E1ABFECF393BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.760{72106695-B665-63D3-4E04-00000000BD02}57484580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000343215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:51.173{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-64142-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000343214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B665-63D3-4E04-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B665-63D3-4E04-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.510{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B665-63D3-4E04-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.511{72106695-B665-63D3-4E04-00000000BD02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:53.025{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88695EA4601FEE5C105D89AB8D2750E3,SHA256=3F1F3634B62C5C0B3D878855E694C62519B7597224578B66E46FBF67773C4A51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B666-63D3-5004-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B666-63D3-5004-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.674{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B666-63D3-5004-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.675{72106695-B666-63D3-5004-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.580{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D8433522FFEC71F85AA380C233BB9E,SHA256=2A6368449CD9B7B75B805C8947940C1298A08686FA7EFA1BE86D8FF697F7D5F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.103{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CF9696D83D318C713D5E58713170B9,SHA256=0D699CC730174FA07212B1C6623400C7334125B05A5A1444B82D22D45FF5C359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.096{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B7A1C20B9B67E7D39AE14E669EACB6AB,SHA256=C6C57E79E634D8837314E093458F34CB83C235C2F7685E1FCBD9A05C3282C475,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.073{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.072{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.072{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000450521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:51.932{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:54.176{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0437C59F54FBA75B71EFF74A90995EC8,SHA256=AAD104296931934094CBD4ABFA9BE986516B05026B1714CCD9BB7914CF30A143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.010{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:54.011{72106695-B666-63D3-4F04-00000000BD02}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000343249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.566{72106695-B667-63D3-5104-00000000BD02}59445744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B667-63D3-5104-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B667-63D3-5104-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.347{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B667-63D3-5104-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.348{72106695-B667-63D3-5104-00000000BD02}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000343240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:52.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51165-false10.0.1.12-8000- 23542300x8000000000000000343239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:55.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD36ED31F6C0BEC479E1E70D3F4F1C2,SHA256=4DFF1B12AAD689CA18FAE7B9CDCBAA45C3B20357D85DF9EB4D21E76E9951B381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:55.265{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469ABFBB53EFC0A5ADE85087D4A67658,SHA256=3B862F198B901382D3584E563A7D375B4771A80E9157E68FA40C5191A19839AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:56.344{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1158FEAF3FFDF59604F0AE6FD1EEB3AC,SHA256=E9A376C2D62215523D8F204A82E4A4A2369E141A8C9F80029F93966AB73BB167,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.905{72106695-B668-63D3-5304-00000000BD02}61403564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B668-63D3-5304-00000000BD02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B668-63D3-5304-00000000BD02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.702{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B668-63D3-5304-00000000BD02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.703{72106695-B668-63D3-5304-00000000BD02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000343262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.296{72106695-B668-63D3-5204-00000000BD02}61086024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979A3D3FB061C2C7C4A335FD4FA83FBF,SHA256=AAE641DB753C532DEDF2F9AB396682C820FA7D5A828F9CB878855E4F14B45652,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.105{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.105{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.104{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.027{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:56.028{72106695-B668-63D3-5204-00000000BD02}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:57.410{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96831953618B56654ECD091E12A6347,SHA256=A2B1315783283B731AD44D0763390A372A2505F605E7F46B347C1581FFBA7C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B669-63D3-5404-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B669-63D3-5404-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.371{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B669-63D3-5404-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.372{72106695-B669-63D3-5404-00000000BD02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:57.324{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF607158D6F883DFF59A6B6FA4503FC1,SHA256=55BDEC9A88A099E83BE0CAC676AD1B24AFA910BEB7986143D98DDE01F89C94D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:58.495{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A5C5C6A43564C7109C3FB20EB7E8F9,SHA256=E2736AB23762BD3BFED511EDBC96F42230038A664A77918D52210F08A50D5248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:58.451{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2EB171C3D301A87805674EE61E87FAEF,SHA256=CA5BE158BBDF02E33D69CF195752DA48C7F46C73856AA3B8DBDB8746D46D0046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:58.404{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499C2F6F7D4AC11D501709DE4F62E35,SHA256=340207D63488558B180F9721C969148DBBCD8C80C6AE970442515B9E5A031019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.599{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.579{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.566{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC11EAB6E38AC63690A989631BB8FF0C,SHA256=46E497080D8E6247741D175505A81309F49070ED825459D5F7A99CDA6A0D3680,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.560{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.556{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.553{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000343283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:59.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7559DAB092890DA859685FC535E48102,SHA256=6AEA7E4C81AB7D716AAF0C817912FCF9605C7762749BA22231B735639563E7A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.486{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.476{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.455{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.386{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:59.299{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 354300x8000000000000000450552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:32:57.911{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52822-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.599{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5079D8189AFD335CBC6EB9852D70F85B,SHA256=3331A780F872CDC454A78D130D5D4967C68F614D26C8B4F5278A386185CC6CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.778{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000343328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.761{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFC56DE70F15DF6DC4F205A94463B59,SHA256=E067A311A6A320399249E0ACB89B468779AD897864D858403B3AA487E37757A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.760{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B67F745EE82C12F257287E5BC145EFF,SHA256=F75DA8D993376AC453C8AE0395BBF58D3497BCAD8F98BAB462C33DB2642DE2D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.744{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.739{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D903-00000000BD02}5776C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.738{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.736{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.712{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.709{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.697{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.670{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.638{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000450550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.352{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.348{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:00.344{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000343317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.631{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.621{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.608{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.606{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.601{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.599{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.595{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.585{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.584{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.580{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.580{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.578{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.576{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.574{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.566{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.560{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.554{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.552{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.542{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.525{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.521{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.510{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.465{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x8000000000000000343294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:32:58.343{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51166-false10.0.1.12-8000- 10341000x8000000000000000343293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.452{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.436{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.425{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.406{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.397{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.385{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.371{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.360{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.349{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000343284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:00.342{72106695-9B85-63D3-2000-00000000BD02}20002840C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x8000000000000000450553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:01.683{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63235B094F2063C3ABA391471743F9F5,SHA256=46E5844F596D8131DDCB54FEFB0D309F77219B01D0F089F493597F25BAD6603F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:01.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B0635A1F316217BA55CA7AA70C8D1D,SHA256=70F5B69EF922116475D10C3F24635CDA57FA8B47DD8EC7864597C76560CDA60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.993{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.982{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.951{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.943{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.931{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.923{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.913{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.912{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.909{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.766{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB09CE93D1EBE139746032A5DEFCC532,SHA256=AEEB9B3D4B3D4D83879627E5EEA7454D00B3D1FB88535C378D5D030B5C06109E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:02.754{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56156DABC92EE2870A917125ECFC8D17,SHA256=B2A46B4D5279E05FD8EC05F93D53A585E5644F22003502FA8D74D3C83F301CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:02.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A93158CA2C633F48C2ED28B19B747C99,SHA256=CB4E80A0D19327447DE9341945165E10F281E2CE4A1F0DD53D1CF9DBC76537A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.398{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.396{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.384{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.372{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000343333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:03.831{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245C14F6BF5D3231463806B217295398,SHA256=6ECBFF669C78716F08C43B5FCAAD78DBF0AEA66B557A71B4CEEBEF58916B6BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.338{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.030{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.005{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:03.001{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000343334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:04.940{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAF5AEAE64FFEBA26DBEDD58A750CAB,SHA256=FD6C4EBCD7AF252A92D8F13096C94AB0F4BA066186E91B111415A3878393E46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:04.225{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30762C68B471731ACEBEDBF2DE9AD1AE,SHA256=9ABC0373EA90A1D4A1B380C7401D030CAFCC30E64B0F254FACA201CBDC39141F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:02.919{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:05.351{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7F6A5B7A81183DD2EDB493309C3B1,SHA256=2F0375B0B194300EE9E0745DF91DC04948BA5EC1288E42D38D14040E5955B155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:05.790{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-111MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:06.420{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CA8E1EF916151BE213C406973FCE76,SHA256=3A2FDAE4199A1CEC1BFE5FA96289E73A45DF3E3950ECA9DD03A28CD7F8812D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:06.795{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:03.428{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51167-false10.0.1.12-8000- 23542300x8000000000000000343336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:06.015{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EA0480645B4E049E8D2CB3A781705E,SHA256=07CE1AA8CF20FD0536F3B4C8A2BF5C4CFBFC87FBF39641F05E7229F72B6DDC86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:07.511{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF119D8339CD09B33054E4245B97C64,SHA256=5659B6153D3D3BACCBB6ED0F326264CEA059630B88A9A1C300768DF02F032D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:07.095{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF524F6553F41BC4E245BE3C10CC19E,SHA256=AB451C8123B12656C11EA45C32DD62C69D858E66475DAC8CC5D1DEA42069D242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:08.613{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78A99BE3664B3AB18F58EEB55B03A70,SHA256=30718E893A5DF8FCAFED8AEDD86DAAFACBE5094193EA02B0CC1454DDDBEBC8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:08.301{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E347F5010E437B36E6D79FE42535AD4,SHA256=535237046AE708BC5AACBC67F582F00CCC76D80A45F807C1175F20453F147800,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:08.285{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4E485FD4242AA74920123B38937C2E,SHA256=8505302624DA421C9EC8EFE3B943532B36BF4453AE011D2C4F41820D1B356997,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:09.784{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA3DE197933E7BDF2418DFC816D9853,SHA256=3BDFBFBFDFF37B6175012DAD23145B5955CB02B88B029659133626F35A28D25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:09.366{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27470CAC8D44FE16A96F510453F4AC0D,SHA256=78AA1862EEE1E65D298058AFE908E0799CCA8A1ABC9B0BA314523E717BC1D5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:09.172{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F41FD1B13DD0E3ACD8F1C3535AC367DA,SHA256=B3FB2B574F4999CDD39A2BD7BB6A39A9B0DFD08174C50B7E0951B75FD40ED7FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:10.882{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A748722C0DFB03F89A868941B1233A4,SHA256=1C59400317430A2467BE437E1521C74A12C2D8A43AE3B4CE583D92C4E41C15AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:10.436{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D259FB899EE0DD9B419403406178E17B,SHA256=D598F85DE1DB3D85FD611D9605FC47A057883A63C7DF8A20340DD00AA41A72E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:08.432{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51168-false10.0.1.12-8000- 23542300x8000000000000000343345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:11.640{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75D5777006172D058E415897A9E2C7D,SHA256=1FC4C78489F0D46CF6754FF45A224A861585B8082806A6625FA92371722C3BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:12.712{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E696887FF5390E7725B89B909E85DB6,SHA256=B69D955C7519A0B3D8B399F0FAC339A0C039F9A346DC4359D8E26232C1B08584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:08.950{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:12.053{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196B2CBC7A46C1212C82B252D7025504,SHA256=6B048316E6DC726C583A0164D958074FBFA8877A861EE6A8D132883D87106F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:13.889{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2900AB0AAC4F43223C09B715C46F37B,SHA256=25B6830BABFAFA7073F93AF45D5B5C17708ACC3F3DAB4E74F33E9AA96E210F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:13.145{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37A00BFB38E1D3AD2BC9821CC96BA18,SHA256=D3F11AD82FB6790A8FB0FB79E87E49DA1677C896A8CB93258609B682C91E1225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:14.217{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD4FA37173A826779CB5435297584BE,SHA256=3ADA3E4D81FCBBD2C8E0A5D87FBE8C28AEBB3BDA6A2F781FA3CED26B01D4E432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:15.298{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5925CC3C108826BB003BC0E82C66CA55,SHA256=897F0DBD84E95F1101EF2432DECD730305CA4A2649A201050748C70FBE8D5BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:15.083{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967B3370D2B98B372A9394DE348972B7,SHA256=BA0D22482C1D15F2411C9A8C672F3EB2CDCC01C97A7EB94062B91130834D13A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:16.370{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123DBD9AE8977382704442F447910D2C,SHA256=30F500DA11F5CE991964DB1940A4D51C0EF0FB0E5310A0317F248824CA5D989D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:14.400{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51169-false10.0.1.12-8000- 23542300x8000000000000000343351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:16.269{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC46C1873A77828C1CB5F882EC65B15E,SHA256=4B9F98322E7CB338E17D811D1BC5B258F3E869991064F4A25BAC7335CFC9EB3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:16.222{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=48CFCE69852EF6BD44538164A63FAB79,SHA256=7D769CA1B213F11103A1BE38200D2A5F0F634CEB70F4736D476513720472B768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:16.292{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0058073BD52F236C20407D2D3B170220,SHA256=71E888B8945B0E1CEC90A6A148F5F53FD0E1F41FB38F4952E64D9BB1164FA82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:17.464{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E514BF1EA0806FCE93EFDF0F4ACF59,SHA256=9F3C4CD05570B982671D2DC30F7726DC0A65AA00245215E989E63EB2A90CA86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:17.358{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC95AB9862ECB9367DFE7D2EB147B38,SHA256=315329F0EBCF129C7A508820FA452C2C3719770F7BD08F91A30BE18735484B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000450625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000450624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696a82) 13241300x8000000000000000450623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0xc44d42cd) 13241300x8000000000000000450622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93243-0x2611aacd) 13241300x8000000000000000450621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324b-0x87d612cd) 13241300x8000000000000000450620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000450619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696a82) 13241300x8000000000000000450618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9323a-0xc44d42cd) 13241300x8000000000000000450617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93243-0x2611aacd) 13241300x8000000000000000450616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:17.116{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d9324b-0x87d612cd) 23542300x8000000000000000450628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:18.568{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A1C0622F3E13BB466C869154DEA5F,SHA256=8A37BC14B191701C4E4416EA75343CE0B4B1928C5D52891B590645BAFB062127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:18.559{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA09AA2DE1457C633FEC904A0224494,SHA256=049DD4AEC29D0B1692416FDC0213BF5DF1BE776FC48151D6CB59E92F9508769D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:18.126{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7374A899083B416C029FA8F75E5987C7,SHA256=E612C02DB39F7FE12D41C57039F90632F12DAAAB98826DA59C45F92F48CCA234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:19.641{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5811D42FCA13365C23D0A71128CD4B,SHA256=B69249B6E1424867FC83E0C2DB3C82BBD2D315AC2838CB06208F530C969B13DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.831{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61020F11522CEBE507854373C0434C74,SHA256=C16C980D3541087707AC61083072702A258D0E9EB594482CBCD6BA2E0291B01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.648{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.623{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.610{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.607{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.605{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.603{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.502{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.477{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.456{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:19.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 354300x8000000000000000450629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:14.944{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.955{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71227225A3DA01E83472B20F0F5C9B58,SHA256=8C77BFC865898F81070C173145492E92C0724596F5008308260DAC6AF90A191B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.786{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.742{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.742{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.740{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.728{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.725{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.714{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.700{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.656{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.646{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000450655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.867{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B619C91417684F96DC68CAA559E71354,SHA256=94BE19609A3DAEEFB07720679AC1C8F20F4ABC655506C2636F0157DD1A8E4C5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.630{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.622{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.620{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.616{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.612{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.610{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.605{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.604{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.601{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.600{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.599{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.596{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.593{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.578{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.573{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.567{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.565{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.556{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.539{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.536{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.524{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.477{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.469{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.452{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.435{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.406{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.390{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.367{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.354{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.333{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000343357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.330{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000343356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.328{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000450654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.294{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.288{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.285{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.283{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000343399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:21.788{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4FB404DD64A38DF1A799EEB3FE314C,SHA256=D92840E550FF49405DC89146ED77C1A0A7E3C306BDFF53FBFA63AB4F690684EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:22.895{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA0A0CB1D093B2EC584F4E72ACFC510,SHA256=10FA670861B35695A9F7303FA8DB879EFA61462D8058BE51341643191EDA5259,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.966{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.963{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.953{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.908{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.900{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.889{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.881{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.879{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.872{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.869{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.868{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.864{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.350{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.347{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.333{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000450657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.324{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD17F889CBE4C44AEFC030721194A7D,SHA256=E53869215384E27D3BC302DCA9DC38D58E439DA1CDBE15FEF0FC29CC7ACB7E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:23.848{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-111MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:23.233{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7E1A5F2E6155C1DF7C63C64968AD9A,SHA256=A7AAA60F4A884586B613DA435424DA70512486DC37F8AEDC0B4CDC94F2F7F76D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:20.356{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51170-false10.0.1.12-8000- 10341000x8000000000000000343401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:23.148{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:22.999{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000450680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:24.850{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:20.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:24.302{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9018048DDBACA7D65419F3EFBFA24771,SHA256=8D5FF23B9164B4682243BBAAB66FDC940774B2F2B4B9D1444751ECC50D2ED7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:24.082{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3636F94FAC6E3104038C2F26A9995EEA,SHA256=DDA26B818835937E5BC341BF9B601A3E195387E3B1C898CEC36021BE470599AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:25.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7139BCE69ED1604EFD7C6B7BF607AA4A,SHA256=EB2B457B3FF08AFA2A342C42BAA81B61F2D57A7ED085052A6BAEE876AE19ABD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:25.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A3CCA4AD34B8AC41A8AF7909F5CFC6,SHA256=5D0896632543F31F54A90B353DC9C4C97DF83F22F691A45A7412C7E4704A6455,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:26.682{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473C63DCEF7596DBC7E620B423C095BD,SHA256=624E4F9119911BD9BA8ED4C535B9BB8B75CA32CF740AC51C6F66CA78D55C4C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:26.245{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C396F0BB64B34DB04229A1358E78CC3A,SHA256=7AD2AD5C2408C3E54EF2340F854ED0542252DB293D0418A5F8B80B2AF538F4A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000450682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:33:26.079{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d93243-0x2ba876ac) 23542300x8000000000000000450684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:27.774{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57311D691EE4690F00C50A1B145E5DDA,SHA256=25D8C9F14C979E7695B35522AB5EB872D20F398246360615BC6AAA5CE80C0A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:27.632{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E613D29CC33EEC8A2DF449374607E68,SHA256=D57D64570C6A3533AD3224A60709A3B02709061FD80C13FB3C6B8ADAD7316D31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:27.430{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1FA8C9388CBF8951882F79178B9C9F,SHA256=B6FC1CF4D28415D9B59FE82A12117A5E7BA096469B571EA9B2E56841451D5D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:28.867{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43A06B83FBB02DC480DA0D8ACCEF755,SHA256=6EB887F111C13ED76FCDA198A828FF66EC2934C19DDBA4E9657567D706D8D5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:28.627{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F8B8CE8A0C3823DECE204FBC2AAA89,SHA256=7D64667DB2B152A7274FA584B44BBBF741ECBD0331622D4F0BB195B90B8C3E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:25.370{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51171-false10.0.1.12-8000- 23542300x8000000000000000450687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:29.955{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A68EFD91A0C32F2B628C509382778F,SHA256=9E9C7B26D8710EF2920BE508187437BBEEDF2965628F8ECA233B6A2BBD2C05A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:29.726{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31033D0525ECB8533A41CA2C431036A6,SHA256=A400C9B2E655B6826567EB6AD58984E24A71874F2C820E158B9838753F75AC7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:26.912{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:30.915{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D60BDAAA22BF0CBF57C32E0F53C5234,SHA256=094E1502F6198B4C8E4AF359DD8EF5566892A3218BC0EFF416BC721A63A85B49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:31.032{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAD3406B5AFEDE45D7C3E407FF01049,SHA256=92519887D0BAA9856848EC9D08B3DFB55C704677CF0B6C596B346E90FA0179FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:32.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D00A56BBF7D09B16C6FCBEF0F1D0EF3,SHA256=8260D9604D6A83C79E200F51CD862EBEC6A9F1F7EBD3EDFB4FC292EDCC108955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:32.010{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE79367C8BC8E68C49DEB0F25391832,SHA256=DB14BD07ADB454BB476658D9BE36BCD0861A98834D058A6C560483209E9CACB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:33.317{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CE3D37D6CB492B6FD8C864DEEF4F90,SHA256=F7685566F5BB9671726A3F1E23BD5B0A474953E88AECC719074BD0AC943421AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:33.310{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A1F730DCE37D7AE155E1BC52F2A7E0,SHA256=38F4D82EFFC5E2D4AE822A20DE2FEDCCBB43FCA555227E50ED4A371C4D8FFC88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:30.419{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51172-false10.0.1.12-8000- 23542300x8000000000000000450692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:34.399{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB4C034C165D640F8D9B8511A7865A9,SHA256=ADE765EE4BB9F15EB7A93953095637019A7009ACEC9398F1842045314694C5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:34.393{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669114BDF58A91FFC16D1819930BC8B6,SHA256=F1F401345B4D22A36399138C97987035150DA413C87570281125E77B17A9A186,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:34.306{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:32.942{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:35.584{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7B25591A03981C322B7167874571B3,SHA256=A9B22FD9D99278AD9E1ABAEFA060F480DD2722A1C66F4D1441A4B9B516EC8CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:35.701{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3E23A6C7EFB9B12579173364A7EF82,SHA256=6A893CDF7403A3071D4D10BB40AA4E5919FADA9E8316BD6E11B56657EB900F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:36.664{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046E51497E86DC03EE26372EE868A9E1,SHA256=5B81CF3D71153391B360D98077DC5A2B2BE13E2BBA135F3807EB5378B6ED1F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:36.879{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D796AAAC4D9567B4554F20F7A3349C58,SHA256=6EA9409E926B3A8992A39032989271A14FECF01E3C1FE7BA2743EFE193569A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:33.005{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000343417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:34.366{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-61329-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000450697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:37.851{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D4252F91FFD25A3D8AEB5F7BCE68DD,SHA256=2AF41A8E79D5D93FF12D37A45D6887BA05061B906A8DB501FF2544C215395320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:38.927{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159345CBC45A975FFD7FB71BD52C9A47,SHA256=4A37A16D601B57E9523DBCD93AFFBBAD705FA5D61A94F872239A4594DC19B65A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:36.390{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51173-false10.0.1.12-8000- 23542300x8000000000000000343419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:38.057{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70A0295D87D8796F36DCD286484BC74,SHA256=1AC568D686CC230E597F541BAD7FB46A84780514F7A70C093F373C056C898A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.967{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C50FA2D2F57C1E7C681052435EB2786,SHA256=C1C2E94816CB46B2671809AF970AFFFF0AB58FD0A32E8BABCB49E47254475B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:39.149{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C854C8F45FF53693AADF2D552A3CBD33,SHA256=95FA258F1464894BBA613223CCED2450D1B0CA876302DC8A2484D5113B475704,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.675{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.655{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.636{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.630{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.623{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.562{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.550{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.531{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.519{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.469{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.448{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.424{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.410{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.320{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:39.314{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000343421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:39.012{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:40.314{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:40.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:40.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:40.297{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:40.295{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000343466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.670{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.648{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.648{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.645{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.630{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.627{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.619{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.608{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.581{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.575{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.566{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.561{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.560{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.556{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.554{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.551{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.547{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.546{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.543{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.542{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.541{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.540{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.537{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.520{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.516{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.511{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.508{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.491{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.475{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.472{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.463{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.431{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.422{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.414{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.407{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.385{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.380{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.369{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.358{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.345{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.336{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.334{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 354300x8000000000000000343424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:38.255{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51174-false10.0.1.12-8089- 23542300x8000000000000000343423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:40.227{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53472D50A27D7FF68D7078DA5B9DA902,SHA256=6F820FF85126D93EC8E39C89DCE08E6A5915760C8F401D21A22407245E76E2E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:41.562{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42843FF47FFA5B383B612D5E05B0524C,SHA256=325C55D16FF1BFF6535FBB3F5AF6722C09F88A030BE6AE7353D7777A99FDB0FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:41.484{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793E3C906FF148FA842751A51A288AE4,SHA256=20E7AFC00781CBCF8779BAD96FFA584E378DCBA5DE7B8836502F81E06EEEC8E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:38.764{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:41.034{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6172147F52BF8ADE586DD3548879D91,SHA256=AF63E0A7E57D4FA9CA75575724B112AE53FAAC00358841995CDB1B50005BE192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:42.601{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A638709B279715B52680F96DB104B9F,SHA256=8C72EB6F1BD5898F5852DDF8A2A32B108C9E524B498B7F74A41E307C4646C644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.992{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.979{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.966{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.942{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.933{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.911{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.907{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.902{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.897{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.896{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.892{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.374{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.372{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.359{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.359{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.358{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.352{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.341{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x8000000000000000450727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.341{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:42.126{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFDF257D99F83124E3A0475BC508E57,SHA256=CDEFDCE9304388B68C2B2E4491BC61746BCFE0F32633564956E688EED7BD0745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:43.800{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFEAB71BB0C5F41B932B25A40B85DA3,SHA256=21183A7BBCC1A1B5056B072AC15F25275A12A15DE9FF4C77E02CE149B5A84AD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:43.192{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E310653F2BDD5FF11CC3E589A3FDF1B5,SHA256=6D44664F0285C182325D4D48731D0E63651DC770321AE635F1364AEEC8D5CCAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:43.018{45AAC21C-9B96-63D3-3000-00000000BC02}28483456C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x8000000000000000343472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:44.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894650C1CF176FC8F57FE0C0E52976AF,SHA256=DF5D240788AC4BD117EEE43FFC19F051A6081EC25C792FFE96A134D2B65239D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:44.286{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4A091A896645E45FCEDA937C132DC7,SHA256=18252DB92B1791B64A9DD60DB69501A07B8A5AD18EF2FC10F17A1E8F46EFD510,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:41.407{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51175-false10.0.1.12-8000- 23542300x8000000000000000343473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:45.988{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5B85DCA42671152BFD12346DD02368,SHA256=E37FE7FF75BA261DDB6B161E54FF5266893A8FA707F264455D40D89C4E61CE62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.925{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D5300596D564FCA4095123BF4DA85D8C,SHA256=AB85B4266DEDAFAD5CA07A6EEF1BA8E70D23A05FD293DBA00A9F89EA7887BE8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.826{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.748{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.749{45AAC21C-B699-63D3-0904-00000000BC02}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:45.373{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF979203F8594D1C96EF118DE969B2B,SHA256=558113492E8D1CE126E8440071284426B4E1A9A48CB7588B8E93B9E0ABB05C9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69A-63D3-0B04-00000000BC02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B69A-63D3-0B04-00000000BC02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.920{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69A-63D3-0B04-00000000BC02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.922{45AAC21C-B69A-63D3-0B04-00000000BC02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.790{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD60554E67BC47CF1FCBAF77792CCAB5,SHA256=18C5751F1C1A4F515663452D1D934BB23065D6E28B54702BF1086EEEC232A05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.701{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBAE9E40D09C743C20D87B5AB1DA930,SHA256=0B7598F74367F01577F4A47CB5F17076114121B534F6C542697057A70F13F991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.639{45AAC21C-B69A-63D3-0A04-00000000BC02}27525788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69A-63D3-0A04-00000000BC02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B69A-63D3-0A04-00000000BC02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.420{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69A-63D3-0A04-00000000BC02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.421{45AAC21C-B69A-63D3-0A04-00000000BC02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000450786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:44.734{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:47.809{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615AD5CAAFF5F0E3650278C4141E8090,SHA256=8A3961A23D56328643104A64727A7EF3595BA3B0A7C7891931FCB947550425A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:47.190{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607D3E43080B6A4FBE825111004CEDB4,SHA256=1F090F0206BA60DDCB97722055E58FC9F0DF20DDBB35E86BEF32E7F2BE495747,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:47.276{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BDD4235B6DFE3B95E93DBCA0670D62E5,SHA256=256BEE897987A732CA4D4A6CC9740F6436DEDBAFB171EB07A960A72798F4A1BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.367{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52832-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:46.366{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52832-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000450787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:48.885{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EA4E06725F041419F28E0959E2BDF3,SHA256=92CF2D46A6CCBDAFD020C1978390109241A23E7CB2B10F62036947A4FF32CF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:48.391{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FDF336295018B0CB2598F0E61FD10A,SHA256=B2BF04492D506FA868DA057C01138ADC1CA07309EC31865A155850C24BE629EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.961{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7929E22F227A5603C5EE06842F60942,SHA256=E39DB527048548B48F5E3588ECEF4EE2ED1F810FB649205C5866BBAB381DF3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.922{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.922{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.922{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.922{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000450807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000343478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:49.706{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC0792F02F2435C978B1B2F3BA98880,SHA256=A92D3302AB250E6AD38B1253D15C2E646A0EEEA18DD96C9258A55152AF644EF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.670{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.671{45AAC21C-B69D-63D3-0D04-00000000BC02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000450798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.388{45AAC21C-B69D-63D3-0C04-00000000BC02}41245528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69D-63D3-0C04-00000000BC02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B69D-63D3-0C04-00000000BC02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.160{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69D-63D3-0C04-00000000BC02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.161{45AAC21C-B69D-63D3-0C04-00000000BC02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000343477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:47.420{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51176-false10.0.1.12-8000- 23542300x8000000000000000343476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:49.237{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A7328B8DE5B503AA25DB773C5703A6B2,SHA256=3B54D06E1C3C33DFC3267C1FCA8C2CF77A0945C117D380A30EA906D496CA11EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:50.783{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297C319A70A7BBE2D01618D0DE490258,SHA256=2CED7437F2ACC611F98520B357D7D94F531F86AF5925D44B930416317913634E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.494{45AAC21C-B69E-63D3-0E04-00000000BC02}52484720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69E-63D3-0E04-00000000BC02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B69E-63D3-0E04-00000000BC02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.260{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69E-63D3-0E04-00000000BC02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.261{45AAC21C-B69E-63D3-0E04-00000000BC02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000450814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:50.001{45AAC21C-B69D-63D3-0D04-00000000BC02}36125356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:51.845{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A5B9D29EEF9E8CD0066E4F4D85EE2E,SHA256=5930D7EFA9B1331D998F4A2DB30EBFB870F4A48ED17C1DCC9CEE9AF91D789EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B69F-63D3-0F04-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B69F-63D3-0F04-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000450826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.541{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B69F-63D3-0F04-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000450825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.542{45AAC21C-B69F-63D3-0F04-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:51.066{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B8900AA5C08D684F8DD58D5CC37DE0,SHA256=A711DA8859C706995AE28E641B593296E8FADB15867FF261A5EC33C783E45C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:49.797{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:52.626{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=075943A0577D28EC202CFA1C0695FFD2,SHA256=75ADE30D14063B6A42FC3375AB5A5F8CF0F8CF6C9E2C45870F5E301D92EC9920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:52.157{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0A41E62F22C988A916E078E0E74F34,SHA256=6BAAB5A396355662D10378C2D7797884C3EDC3B472768A266DB68035325D0A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:53.238{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9C7CB543899E9BF6AFFD57B59E3418,SHA256=BB253B78812189247EACD347C4ED8EA9D6CFC3452BEF1B69179B140F4AFA119A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.857{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.701{72106695-B6A1-63D3-5504-00000000BD02}9042296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.587{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.587{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.587{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000343489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.513{72106695-B6A1-63D3-5504-00000000BD02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.025{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6380E4F7CE88BBC4CF9C2B08D7DA83AB,SHA256=DE69A06117959703B29E5AE7CAA0CEC6F066A2BE67720225ABAE69414E3F9793,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A2-63D3-5704-00000000BD02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B6A2-63D3-5704-00000000BD02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.724{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A2-63D3-5704-00000000BD02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.725{72106695-B6A2-63D3-5704-00000000BD02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.662{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F92AD7298C7B564D372D44190BD818,SHA256=AB81F2948A029B15E4DF3ABE45AF975EA16E522E1B3BF36ECA6DC688E0C9952F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.653{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EB9050326B30E301FCD8B4F91A4393B,SHA256=606DD8B557522F4B4EAFC6065896994FEC5E6C60FF5624DD66A4DAC97F0CF426,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.367{72106695-B6A2-63D3-5604-00000000BD02}49286052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.211{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC720B615C40E953618800B5FF2B04D3,SHA256=AAE9BD4D05D56F8C3854E9C97823CE3414E71ACC1E569592606201167A397FD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A2-63D3-5604-00000000BD02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B6A2-63D3-5604-00000000BD02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A2-63D3-5604-00000000BD02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:54.180{72106695-B6A2-63D3-5604-00000000BD02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:54.307{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607552093737C2E8BBECB3E26F409AC0,SHA256=64F8AADC508D208692E5158B102047C0A6D4DFFF5064361F8D619C649CECEB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:55.400{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C8FE68511DA99DA90793B909604FE4,SHA256=D7647DCC2A96731EDDB78FFF9D717971CFEA31C763065BDD0D9C70E209C7A8A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:53.366{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51177-false10.0.1.12-8000- 10341000x8000000000000000343524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.616{72106695-B6A3-63D3-5804-00000000BD02}39764348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CE91B4A77C122AB18B31C543181627,SHA256=43702411FEF0EAD51E533EC3755A2DFC9444463C6103530DD64EF704680A5231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A3-63D3-5804-00000000BD02}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B6A3-63D3-5804-00000000BD02}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.405{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A3-63D3-5804-00000000BD02}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:55.406{72106695-B6A3-63D3-5804-00000000BD02}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:56.482{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88F7ABB0AEECF5AC0EB7949AD023CA2,SHA256=152620E2CB2BBEA2B7095C000E710AEAC0CD99885E5B294962FF2801EEAC8F87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.945{72106695-B6A4-63D3-5A04-00000000BD02}38923604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.737{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A4-63D3-5A04-00000000BD02}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.734{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.734{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.733{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B6A4-63D3-5A04-00000000BD02}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.734{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.733{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.733{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A4-63D3-5A04-00000000BD02}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.733{72106695-B6A4-63D3-5A04-00000000BD02}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000343534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.489{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E31F3BE7868FAAB78FEA9F0385D3291,SHA256=9555B00D9FDF8FF7A0A22A0261EEB7825FACF92CFB6F52B1555ABF18571B51D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A4-63D3-5904-00000000BD02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B6A4-63D3-5904-00000000BD02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.073{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A4-63D3-5904-00000000BD02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:56.074{72106695-B6A4-63D3-5904-00000000BD02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:57.576{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ECA63661F8323191C21C318848FE65,SHA256=176E81ED01FD1F653BB1AD1C90542DCBCA32ED9D28A696ACA821F1D00FB3D3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.828{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=16922F3341080EB723FC367968FC8E2D,SHA256=A463EB816D178E4AC91D3D51EDC8CEBE93E6334EEE32F60F7375D9F44299CB43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.666{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7876EF5580DC9ED9CFB56CE52B2EC37,SHA256=2D2775F384CC07077D54F741DEBF2DDB52948878CD6A5980500BF7CD22A3DAFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B6A5-63D3-5B04-00000000BD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B6A5-63D3-5B04-00000000BD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.405{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B6A5-63D3-5B04-00000000BD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:57.406{72106695-B6A5-63D3-5B04-00000000BD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000450842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:58.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C205442AE2FC18AA146513887862800,SHA256=43F9B891353908D8586B650058EEA6EFDC3373AAC58C0371D21E2A914F1F4AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:58.728{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1E37F757BD079F4D9618CA6BF74934,SHA256=396DA2C17B94AAAEBCE243243F64B173117C556A57E2993F3B1A6A587CED9242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:55.777{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.718{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9AB0B98DF2430F2864F1D740B2FD00,SHA256=ACB19AA34023066FBB17D0D9E7ADBEA187008753F3EDEFF054BAAAE43C0BE7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:59.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E556A47D2745BB48C5491FBE090FF386,SHA256=EE6D7331967B554874DEA383DF5FB817FF1A302F1EFF1784049FF2C57103994A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.603{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.585{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.580{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.577{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.573{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.529{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.519{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.494{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.481{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.413{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.387{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:33:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000450868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.761{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3AA053AD4B4FBA148FCF95CA539371,SHA256=149C58943B7E7C7FEB9A216DFA9AA606AC3BB986F2AC3E9A642496AD4EF3C622,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.974{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000343598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.967{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164342719F1438D9FF61B357E02FE1A0,SHA256=3957A806DDFD79BB14D511FEB15F6D72465CA3D9AF26A58693E5026C6EFA4E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.931{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.930{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.928{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.907{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.904{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.892{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 354300x8000000000000000343591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:33:58.509{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51178-false10.0.1.12-8000- 10341000x8000000000000000343590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.869{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.828{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000450867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.361{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.352{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000343588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.816{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.790{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.776{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.772{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.762{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.755{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.752{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.743{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.742{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.738{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.735{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.730{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.727{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.723{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.702{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.690{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.675{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.672{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.647{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.616{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.609{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.579{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.486{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.480{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.467{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.451{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.431{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.422{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.407{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.382{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.363{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.336{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000343556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:00.332{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000450869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:01.851{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A9141DCB2DBE670B347753AEDBCA9A,SHA256=10DBA4449EB4B9F496739070B1EDD4ACD613DC28FB94942BA2DF7946545EBC4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.996{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.984{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.959{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.949{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.931{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.929{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000450879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.928{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEB90F0B077A21652754D9C997EF646,SHA256=B6C650030A575EF787C6D5FD10081B9EE306D7935B06C131A85DE1244C81AFA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.925{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.923{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.922{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.919{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.404{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.403{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:02.384{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000343600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:02.041{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62BC30FCD9BF3EC70F7C1CED2F8681B,SHA256=6E39AEA7C1BDE662DE85601927505702348D9ACBF07E24AA433FABC1FB9F0F60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:00.779{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000450889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:03.030{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:03.008{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:03.004{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000343601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:03.054{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D9301A2C67E3215670F8435250CFDC,SHA256=10AB212D0DB795E0201E24A1A891C05891F2EBD67472923AF11DFCA2EB434E54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:04.102{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDBC8FF3A1B21E6F0BB0B6A75027812,SHA256=84606D90F4F37058C74ECD1F5DD4F38C42F9C9CAAFC112F99020004478EEB8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:04.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEEC77D4F876795BE57053833B79969,SHA256=EAE38536355BE274100ACCC9A2CE5F0A61A3CEC2E52F602E9CE376951C69447B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.182{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0421C0A205F68FDF465C55D2925E1764,SHA256=F2D5DE667E15B6EA96EB508B80C96B5B0C1269F1658EDF6F2AB5293EBE1D4C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:05.438{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C731349EC9AB7628307E3E73B04CC036,SHA256=FA92901BC8615D9B76DA90C3A5AC263DD79E4F0659D47EA0A4BDDAE25236DD19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:06.804{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B80-63D3-0100-00000000BC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000450895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:06.710{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:06.695{45AAC21C-9B83-63D3-0B00-00000000BC02}632680C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:06.354{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3042A5F7B31E0693B11078E140AF1B5E,SHA256=1173C38474E36B2624C3DE5408B58B9B61B0E0162426A37EE60543C1BA638C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:04.493{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51179-false10.0.1.12-8000- 23542300x8000000000000000343604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:06.518{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810ECB1E8B1DD737BD35AFD52F761A9F,SHA256=5F32FC44B8B4943BF719B4C619BE3C1597492684181D45109522C9C3D2B5CF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:07.747{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65E11C73E17182B53DA66ABAD6F21798,SHA256=8D00AC2ACF229B166916037063EEC115FE6371F17510D01C2D5FD5C2613EF78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:07.452{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE149E910C28EAAAD2540A76AFEB4AE7,SHA256=50074656D6AE0216DBE82F27751DC8C07C84BA698C6505549C7A9C1E677552FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:07.582{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41DD3B5D40C1952D72368BFAACB621C,SHA256=27B5A1FF32ACEB280A3F444C9FE043C6A06C47E4CF2950B6D3AC24822955EEC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:07.318{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-112MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:08.529{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71FF5821019A4BC1FA2AB1B2E5E0DE6,SHA256=4F302E5CF3AC13E53034F8C3DDC35C87EFE13CB3BA88032078165323119CA0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:08.663{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9471190FE999D88EBA701E1155AF3C9B,SHA256=86330E89616C0B918B171840C3D2198F5070A37052766162083F7DA90AC3E969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.508{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52838-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x8000000000000000450903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.508{45AAC21C-9B80-63D3-0100-00000000BC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52838-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x8000000000000000450902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.414{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52837-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.414{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52837-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.398{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52836-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.398{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52836-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000343608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:08.330{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:09.599{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D962E4391C783CF0BCBE40EFA8847A,SHA256=6F156C766DB12BD2213859D35078386B0D9880811CEDFF3AB8EBCB6225B58F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:09.747{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FBCAF931D7FFE7068680CD4922E4EA,SHA256=EEAD8D05C0CF985401509AABEFCA87D23A0A7E2BE033962DCCE0A33E8434C6AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:05.905{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:10.831{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7C071FC87C2F6A83E24635D7A4AB33,SHA256=1A86F4AC0713FAB1859D2B9F8C5A9497A7A9C8098CCA7887A198CA73826A2062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:10.669{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB87B1D50863AA370C93D97BEA9C07E9,SHA256=EAFF0F401A2876159226A47DAF6BFF4B7B777D2AA5B5676E2C373765A1888F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:11.915{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C7633702DF3394ABE2CF5E57587B3E,SHA256=A8E0DF6309938BE48DE2BCF558B47ACAF42BDCFC6217AB1C5212EFB946A395F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:11.883{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:11.903{45AAC21C-9B85-63D3-0D00-00000000BC02}8924856C:\Windows\system32\svchost.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:11.737{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344BA1C02C6C4D48B1892024DD78B1E0,SHA256=484AB1987E1BDBB77B4A8F0D8E204987E1A3C8C78DBFFF2B8DEDF761DB0379DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:12.994{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F318CB5B4BCF394FA69C94B0243A44B,SHA256=21351519CD72E64E94617631E40D49B7EF7392C01C8171514E29AC396CA5FD17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:10.412{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51180-false10.0.1.12-8000- 23542300x8000000000000000450911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:12.817{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6C9BF78BF5145CC89B260D53703920,SHA256=EB3FF445C920960542060DB62C1FEF2BB1591A29A3A2FADBB7AA8C82690759FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:13.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE774C35EB7CF85031EDE6FE1EE832D4,SHA256=605F50A1B707F7155DCEBEACDE11B659B95259076753DFDC0AA7488A7D4F773E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:13.895{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C523A9C121DC7617E60BCBAAEC3F84FD,SHA256=84AB9EBEF38464C549D64A53CEC6B1F0EC5837FCF6C6919E580F1831BFC6367B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:14.990{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483DF4604F9D82CC722A846B80F648B7,SHA256=1171AA9E9A6E446796A746D376AE866A11B7FB75D0F74E32947401592C12D249,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000450913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:11.948{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:15.063{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A029953B6713F9CB737AAF53CB0AE5F5,SHA256=5A98522DCF74444502173D8DF8A07BACE7DBCA86728187954E6D72C93DA0B1C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:16.254{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A553B3179E1B3E4668F88CED1E51E129,SHA256=7AC7A0542B8049E5091F3B1160C8F8E16E8CA0BF3C660F37F1C7B31C1F46CE81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:16.222{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=901DCB45C0772C3741AC9EE1A726F247,SHA256=66C4A709629110E541EEE22A8DD307FFE5C1609934DD720FD920AC6B42C5FF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:16.307{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=513B48D1A6597B37B5F32E52EB672A8D,SHA256=3348AC076C644A9307D96AE292472CFB39100CC1C314378DD809BC4F08D09DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:16.063{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2492A35F364859E06293D94865E6C51,SHA256=CE4265D60491215682E31B777E5006D45B9BBDCCDBB3EA2A5D225EB4466A0DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:17.430{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD1F264113007FC8BE09ACF99321240,SHA256=38BBAC7F1AD5534BEB88AE54A8C609A5F54B739441997D51EBD7C3A4044B4D71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.853{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.853{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.853{45AAC21C-9B83-63D3-0B00-00000000BC02}6323868C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.400{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=31384960DFADD2C8E93CB82AF5D076C6,SHA256=B8CDFD03E828ED2143FBD7CF3844698F97C7CD24FA2172CED31751880C2E58EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.243{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF91327A478352BABB8ECAA975B8A7B,SHA256=BE46116C11EA1B2ABEBD3B1469F9CF9F7F28219D99B8C8AD25B3DBBBF008CE0C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000450921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:34:17.018{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000450920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:34:17.018{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x8000000000000000450919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:34:17.018{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x8000000000000000450918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.003{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.003{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:18.612{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B10B0C76C095C38E6E0CAF30B730E3,SHA256=9759095892440C3BF899E9327D6FAE124D695B814C37540B72978A506C6E4E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.856{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.856{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000450933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:15.704{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52841-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x8000000000000000450932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:15.704{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local52841-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 10341000x8000000000000000450931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.717{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.711{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.711{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000450928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.644{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE3F40D8BDA34CBC230FCCC7A8AB189,SHA256=ACE0E8B59A285F20FE1C8AF95BEE42445D086E524F5EB4576A521BD0721882FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:18.331{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3170CD3BE31E55A7E07E383762A90A7,SHA256=D7BA67B6665E7C7113D622A5132BF7382972A3BEDDB82C90050BD3665819B7F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:15.497{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51181-false10.0.1.12-8000- 23542300x8000000000000000343623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:19.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E744DB41F818D92B365C273FA95E032A,SHA256=676DD27E2F3F5C6AC80DAECD085573652D70B7FBCAB70CD2A3DEBF9D7A82AFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:16.552{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52842-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:16.552{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52842-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000450956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.619{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.590{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.585{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.581{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.578{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.513{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.490{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.469{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.454{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.438{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.422{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.412{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000450941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.405{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EDE59C12158A01F3ACD9D6FE9C376D,SHA256=099B931A33AF629120A27719403B27CBCC6CF8DC6BA906B75C9DD835CE9EC4C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.383{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.315{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:19.312{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 13241300x8000000000000000450936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-27 11:34:19.036{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d93243-0x4b390773) 10341000x8000000000000000343665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.861{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 354300x8000000000000000450966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.405{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52843-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000450965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.405{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52843-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x8000000000000000450964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.653{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38913EBCA4DEC1D49B8D9BBDD984CE35,SHA256=4B596798989D4F65A4D6F12F723362C2DAB13D532974B49AA0A1C0DA0A03FC16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.814{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.811{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.808{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.773{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.759{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.746{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.712{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.667{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.657{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.646{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.639{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.637{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.634{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.631{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.628{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.622{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.621{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.620{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.618{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.616{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.613{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.607{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.589{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.583{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.573{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.572{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.561{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.542{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.541{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.523{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.460{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.447{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.436{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.419{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.401{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.394{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.381{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.363{72106695-9B85-63D3-2000-00000000BD02}20003068C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38F10) 10341000x8000000000000000343626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.349{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000343625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.341{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000343624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:20.335{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000450963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.209{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.206{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.204{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.202{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:20.200{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000343667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:21.934{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B28F0C5B16C24BEFEA2DED91519697,SHA256=C7BB1545385DD5A3D590A2DCF5A46BF11053BB82D08C823F6D544213C97D793A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.893{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52844-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000450968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:17.672{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000450967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:21.764{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D95C3D4C46A292512C57AC60D1BF34B,SHA256=F32F6B0E3B93DA1B96E25A11345AD99531B9052BCCFAD68BD7B6338EA57C7D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:21.141{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEAE64E1DDB2200E33552C15D30DF19,SHA256=A3BC5172E72938A3CB0C486AA31913FE8BBC40A83BB48AB04ADCE7619C6D6ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000450989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.957{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.918{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.912{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.897{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.873{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000450984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.832{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AD7122709C7B926A0DFE5F5657CC2E,SHA256=FF8D238172805140F76AA81AE6DF3B9C82B7FA7B538A64ED01ED4EB41AF99705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000450983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.829{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.803{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.793{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.790{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.785{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.782{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.781{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.778{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.272{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.271{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.269{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.254{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000450970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:22.244{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000343672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.162{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.148{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.017{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E757D2B28ADB4B59AD5E5DCAA09242E,SHA256=A4F76DA1B52CB12C0910B6A1A91BC4048DE27BD4F4A49DED5694745140C01174,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:24.114{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EAA30D30D1E225A20D3BFF7C5E0B78,SHA256=43197ABB8E70E8F325E49221FDC75C9B055B464145FA413559062FA444CEC130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:24.028{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F342041A3A4EE4729541F772AF22E282,SHA256=8B4955430DDADC53C5EB62D4329E91E2B993B4B6157F825925115927B7BEDD90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:21.295{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51182-false10.0.1.12-8000- 23542300x8000000000000000343676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:25.211{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A639AB393D1C0161CC41C4BAC846B44,SHA256=799D153D5BFA4E43A6140C3A6FF754192EE0130260C28E27A32C8897A8E9791A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:25.393{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-112MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:25.109{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F0E1B15D1B16F270DF2EF9DF396020,SHA256=8406D136263489F45A39CBF62DFE32C295AEF4D98C5ED187B1657DA460BF0120,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:23.208{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse171.244.61.138-58520-false10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000343677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:26.297{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B63F2F25ADB50965C97F066CD8AB4B,SHA256=FD1535615833C58120F3B00F3A8607FC021A1C410EACA09166AA04632E2D0773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000450995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:23.808{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52845-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000450994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:26.385{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000450993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:26.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F945EF9B7FCDED04DC6C2C825817071,SHA256=E7835B04268AB50E0C450A19D2C9B04A37F0B0F4F366E055577D436931A22ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:27.383{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7141FA9CF5960B72DF3000FDA857466,SHA256=1E550296BBE7BBCCF5EA670B3D36444E701124CD8304A4A5718462B3296DC5B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:27.260{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E10D350690937833598F935C048C867,SHA256=96A05B8C19FEDBBC564C5311673BD535E6AC19FC4C58D02D53F7402225DD8539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:28.479{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308A94E29C6CE77E1CB3E4504365A45E,SHA256=2C4106E137B0EACE975482C54AB6DE157BEF32D67FFF00697B6166FF78EA3D4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:28.360{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06FCF289CDDE11DEC19EBEE0654E2A1,SHA256=2D63FA1EA8D7B28B13234BF4CF08AFF26222109CD20A3AB98FF47009FB743B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:28.039{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7DDCDE6336B1C67E48954689D159E335,SHA256=A982DAD4583C335BBF0771D88055E75523DFE95E75E447E9671B05F02B0C556F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:29.550{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F81497395B01BCD737830228FF6565A,SHA256=C697FCFAF84FF9548F7A3A1698C133F1D2D6E164038CCBCB0A3BD6D960C98758,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000450998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:29.442{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67F84C50F815469EE07C1623C7996B,SHA256=063CB7C6023C7935B7C13ABDDFFE783F6FDCB62BDBA80D0F57E56DC250425218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:26.500{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51183-false10.0.1.12-8000- 23542300x8000000000000000450999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:30.524{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8D0597E9A05E60A11863A03BF4930A,SHA256=DF619721588BBDC78C2F2B481CBD22B7A7BAFDC4A12D09ED0756268A9BDFE263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:30.634{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A6F65DB8C8C7E5ABB4271616910327,SHA256=CCE2BF1FAB92FDE13B9E73DD912D334763F0E1CAAEA54B8BAC32C401DEFA6806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:31.617{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF5D8452334ECCCB8D0ED1A01D862B4,SHA256=98D331341C935D218494CAE155FF060244B374A1C77B42915F962DDCDA4D2BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:31.707{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A92674F4AB90E043B6F3A07F2AA3DD3,SHA256=DBF412D6AD26AAE9DED7B57BFB3F5BA8B0E2084B00EA5323D98808162F6F19D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:32.786{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB25E5F13FCD3EF6966906E1D03115F8,SHA256=41F9B37ED5004A877288F0663CDA8A9863FB72B4F673A8C4B1A8135CFA753562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:32.713{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B19EF2BBA16BCF603EE8992F61D7E18,SHA256=58A43F6AD726F03A10A32B7B75233110B4449F17CA179BAFA16D2EB9F9437AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:33.872{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5299130CBEF8359DBCA780B0CC262184,SHA256=1FBF884A7FFD22C51F67F0B431DCCE8A0603D9581B6944B23EF270627F0204A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:33.799{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6683C4EE22A5BE20EEA0FF25B24A7E0F,SHA256=254F723FAA83E228653817CE5B6C72709E117DC6EC86AC1155DC29580E345FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:33.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5097513EDE8749319DDE84AF6262698,SHA256=5A9E794B245334B235A74F1C4D17D62619DA27CA8290C9A31F0A517931840E55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000451002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:29.744{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000343689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:34.965{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BC78B5F6F280EC2EDE970D73A50D74,SHA256=7535529F3785DF8E6E1489C16A11B8759D296A88BB77AFCDFD8CB89BB8884070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:34.884{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF105CE7B4F37D8A94073EDF8B8780C9,SHA256=326ADE00F62EAEB4043829652A7A3DC7E31D8B58059396867E8D89359C8DA934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000343688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:31.502{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51184-false10.0.1.12-8000- 23542300x8000000000000000451004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:34.322{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000451006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:35.956{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3F1F783BB195703EA824E3F2434AF6,SHA256=0FDB21368972707FB9C5D6CB209BCD896BB5EBEBF599A7A951435222FE7F3E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:36.036{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057D141C4ECCE35EA2CCDA816CD1CD8B,SHA256=DCA5018ACCAC4C42A0A0CA45823BC047CBCBBCF5745C88ABF160D0498466D4B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:36.005{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:36.005{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000451007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:33.005{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000343693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:37.124{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402FE09FEB08C5F2354B5BCE40CD1AD5,SHA256=3005F00E669CB18B5B023A05404968A310FA78581E53D511BBFB5BDD6835AA0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:37.041{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7D17D07CE6E53BD153807E5A2123F2,SHA256=EC728E561F2ECA8D327B71233709952D3E2F539F28FC5456848DD9EA36C9D0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.347{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FF31CE1913589CAE355554EF6FB3DD,SHA256=AE4C836F15C63DEB79BB8324A37E9B212BE952CBFCFEDF275891DD0469C117D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:38.135{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C522F879EA158F9D6D6FA1A4FEEDC05,SHA256=E6935A588AFC1F77829776AF71ADA6AF5EBA0E842004B6AC7B21278310C01931,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000451009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:34.749{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52848-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000343721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.012{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000343725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:39.412{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EF9E03159171680856E92E2DAD7E3F,SHA256=A95EFC6745ACE9740608ACEE20312F50E1A2197F67A9CAE2838E8B2685789435,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000451030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.610{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.589{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.581{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.576{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.574{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.572{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.538{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.529{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.503{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.486{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.463{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.433{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.413{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.401{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.307{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 10341000x8000000000000000451012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.299{45AAC21C-9B96-63D3-3000-00000000BC02}28484732C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019562190) 23542300x8000000000000000451011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:39.217{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674793990E56162D8EACB9B6C4DCDEBA,SHA256=37DF38C3D05B8C2D8E555FF8E9E29640929BAC876DC4DD857130201D7D649216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:39.240{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ABB96D9BF7E9DBC0BE9228C769E7F39B,SHA256=ECA32DFFEB3033C5C076973598BE1A91461A52B81E0C6B0B122394F34C00A939,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000343723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:39.034{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.843{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B60A-63D3-4604-00000000BD02}4032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.815{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B5C3-63D3-3D04-00000000BD02}4200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.814{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-D403-00000000BD02}5156C:\Windows\system32\fontdrvhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.811{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B499-63D3-CB03-00000000BD02}5856C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.797{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.794{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.783{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.757{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.728{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.717{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.686{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.669{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.667{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.664{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.662{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.659{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.654{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.653{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.650{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.648{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.646{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.643{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.639{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.625{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.619{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.609{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.607{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.593{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.570{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.565{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.543{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.492{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000343738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.490{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60B72FEC54862AC6DD4B19CE737F922,SHA256=3BC96CF971CFAE38623351099AD35E478CC744D53AD25F1C076C1FCD46A33A27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000343737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.483{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.472{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.459{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.429{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.414{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 23542300x8000000000000000451036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.334{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F035B14DFD790F65B867E6978DF34447,SHA256=555BFDB42481EC1FFC5E33BD4A2894526D01C5E799094D610ECA942434EE7F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000343732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.392{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.376{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.333{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000343728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:40.329{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 354300x8000000000000000343727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:38.277{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51186-false10.0.1.12-8089- 354300x8000000000000000343726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:37.434{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51185-false10.0.1.12-8000- 10341000x8000000000000000451035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.146{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.143{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.140{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.138{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.137{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000451037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:41.420{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAACF909B24DDEF8F0815E792BCC729,SHA256=FB0DF3B10BA3F304EF9B279B029E8A6CEC9A747575A2C055E8723A0A4AB1BEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:42.134{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF0374EB7432EEF90FD5FE8E68A2692,SHA256=D2BB1DB863078184F2B04763C7AF0D9652F10FF8A0112BB9171C4C3D41BC0097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000451061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.841{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.810{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.807{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.798{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.787{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.758{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.751{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.740{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.730{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.726{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.723{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.719{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.718{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.715{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000451047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.605{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D0E1E2ADFC0365793A4295E7490CD8,SHA256=6E8DDC898FCD1BC73478932B441F18BD70D614026E8F0432D6DF94CE1DFE9562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000451046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.355{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.355{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.337{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.207{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.205{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.204{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.192{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000451038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:42.180{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000343772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:43.300{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85338ED1703A5818ABDA4C096728E835,SHA256=703D369F42530BC1C14B2D46449F92F3033831982D586B32A9A5177F15EA221C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:43.667{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B79497ECDDD24E1DF167F0F78419575,SHA256=19A96BF5F976345263B5A75EEF99497651C8E528517610870C8C561B65729188,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000451062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:40.737{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52849-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000451064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:44.749{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E55BF21218DFAAA8A7BB285B87CF6E9,SHA256=781E746168A6C97851F21CACB4965BD926CFFD894FA6BDDAF46B066BB06916B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:44.386{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DB5C1190FB4558EF7EEED6880DA594,SHA256=474D9790453BCB88609C8A69C63247A0CF82F6A4EBB6B8B667AB147A3D8955C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000451073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.828{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E982EF54C177FC174283A2AF7292BB,SHA256=FD6AB283695BE47F6675EB70FB784EFCD4F7D4444800119DE0DC7084BA9EB3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000343775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:45.480{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9166BBC8C9563EDA00B3C984070F37,SHA256=408BF63FABFA17F4B91E515D878AEE5A41D5FB21067615143910C8A4349135C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000343774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:34:42.454{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal51187-false10.0.1.12-8000- 10341000x8000000000000000451072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B6D5-63D3-1004-00000000BC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B6D5-63D3-1004-00000000BC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000451066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.750{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B6D5-63D3-1004-00000000BC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000451065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:45.751{45AAC21C-B6D5-63D3-1004-00000000BC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000451083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.788{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1859CD0324372C6FC1A97AB40EBB7A6,SHA256=5D94BAD7A914A926F1C887EF25821FE420A0105B9CF27205F46FD50A6FA1FCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000451082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.467{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4CFA50C902CF1BE2B943F4DC197203EA,SHA256=F297156719101CDCB0E3708C457C25AF3D2D1890F9E22BD8DAE62F1D1A3EEB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000451081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.416{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B6D6-63D3-1104-00000000BC02}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.413{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.413{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.413{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.413{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.412{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B6D6-63D3-1104-00000000BC02}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000451075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.412{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B6D6-63D3-1104-00000000BC02}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000451074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:34:46.412{45AAC21C-B6D6-63D3-1104-00000000BC02}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service